Passwords - Strengths And
Weaknesses
An edited version of this
paper appears in Internet and Internetworking Security,
J.P. Cavanagh (ed.), published by Auerbach, 1997.
Passwords are the most common
form of authentication used to control access to information,
ranging from the personal identification numbers we use for
automatic teller machines, credit cards, telephone calling
cards, and voice mail systems to the more complex alphanumeric
passwords that protect access to files, computers, and network
servers. Passwords are widely used because they are simple,
inexpensive, and convenient mechanisms to use and implement.
At the same time, passwords are
also recognized as being an extremely poor form of protection.
The Computer
Emergency Response Team (CERT) estimates that about
80 percent of the security incidents reported to them are
related to poorly chosen passwords. Password problems are very
difficult to manage because a single local computer network may
have hundreds or thousands of password-protected accounts and
only one needs to be compromised to give a attacker an entree to
the local system or network. With today's interconnected
Internet, the problems are potentially devastating on an even
larger scale; a skillful intruder may break into one system and
never harm it, using it instead as a platform for attacks on a
population of millions of targets.
This chapter will present some
guidelines for choosing and managing passwords, and will
describe some types of password attacks, and possible
precautions and remedies.
Guidelines For Selecting And
Maintaining Passwords
Request for Comments (RFC) 1244
offers some guidelines for selecting and maintaining passwords.
These guidelines, which should be a part of any site's security
handbook, include:
- Don't use your login
or user name in any form (as-is, reversed, capitalized,
doubled, etc.)
- Don't use your first,
middle, or last name in any form.
- Don't use your
spouse's, significant other's, children's, friend's, or
pet's name in any form.
- Don't use other
information easily obtained about you, including your date
of birth, license plate number, telephone number, social
security number, make of your automobile, house address,
etc.
- Don't use a password
of all digits or all the same letter.
- Don't use a word
contained in English or foreign language dictionaries,
spelling lists, acronym or abbreviation lists, or other
lists of words.
- Don't use a password
containing fewer than six characters.
- Don't give your
password to another person for any reason.
- Do use a password
with mixed-case characters (where supported).
- Do use a password
containing non-alphabetic characters (digits and/or
punctuation)
- Do use a password
that is easy to remember, so that you don't need to write it
down.
- Do use a password
that you can type quickly, without having to look at the
keyboard.
There are a variety of
mechanisms that people can use to create passwords that adhere
to these guidelines. One such mechanism to choose some
well-known expression, song lyric, or dialogue, and derive the
password from the first letter of each word. For example, the
phrase To be or not to be; that is the question might be
the basis for the password 2bon2bTIT?. This password has
mixed case using alpha, numeric, and punctuation characters, and
is longer than 6 characters in length. Another scheme is to
alternate between one consonant and one or two vowels, up to
seven or eight characters; this creates nonsense words that are
usually pronounceable and, therefore, easy to remember.
Alternatively, choose two or more short words and concatenate
them, with a punctuation character between them.
Some systems use programs that
automatically generate passwords; in some cases, they even
generate usernames. These systems are met with varying opinions
by computer security experts. On one hand, the random passwords
generated by a program are nearly impossible to guess or attack
via a dictionary approach. On the other hand, they are usually
so difficult to remember that users have to write them down,
yielding another security problem. These systems also usually do
not allow users to change their password, but periodically
assign a new, random password.
Some sites use a program to
assign both usernames and passwords. The username is some
arithmetic function of the user's real name, employee number,
date of birth, and/or other identifier, so that Pat Jones might
be assigned a username zx2Haqqt. This form of assignment
just exacerbates the problem; Pat is almost sure to write down
both username and password on a piece of paper stuck to
the computer! While there is really no need to keep the username
secret since that becomes known as soon as the person sends
their first e-mail message, it does suggest that electronic mail
identifiers should be different from network usernames, where
possible.
There is a related problem and
that is that individuals have too many passwords. One
reason for this is because of the World Wide Web (WWW). An
increasing number of Web sites ask users to register, requesting
both a username and password. Since most of these registrations
are free, and only used for marketing purposes rather than
security, the result is a proliferation of passwords. Some users
use the same password for every location; but if one password is
compromised, all are. Others choose a different password at
every site, and eventually have to write them down. Neither is a
good solution.
Password Weaknesses And
Attacks
Passwords are a weak form of
protection for many reasons. One major reason is that passwords
depend on the weakest link in the computer and network security
chain; namely, the human user. Most users think that security
procedures are either a joke, the cloak-and-dagger stuff of
system and network administrators, and/or due to paranoia. As a
result, they do not pay sufficient attention to wisely choosing
passwords nor protecting them.
There are several ways in which
an intruder can attack password-protected systems. The most
common form of attack is password guessing. People often
choose their own name, username, telephone number, or some
variant as their password; next, they choose the name of family
members or friends, pets, special interests, or some variant.
And how does an attacker find this information? In many cases,
it's easy. The Finger utility, a known security weakness waiting
to be exploited, displays the status of all currently active
users complete with username, one item of information that an
attacker cannot do without. Finger listings1
also display the users' real name; the PLAN.TXT and PROJECT.TXT
files often supply additional personal information with which an
intruder can launch a password guessing attack, as well as
information about the last login. Many individual's WWW pages
supply even more personal information.
It is also surprising how many
sites choose obvious passwords for some accounts or do not
change the factory settings on some accounts. In Digital's
VAX/VMS systems, for example, the SYSTEM and FIELD accounts come
with the pre-defined passwords MANAGER and SERVICE,
respectively. System manager courses and field service personnel
advise the system administrator to change both passwords and
even to disable them when not in use; these simple precautions
are often ignored.2
Many systems even supply a GUEST account with no password, but
do not strictly limit the capabilities of that account.
The normal defense against
password-guessing attacks is a feature called blacklisting,
which limits the number of consecutive unsuccessful login
attempts. In a typical implementation, a login attempt
counter is set to zero after a successful login and incremented
after any unsuccessful login attempt. If the counter ever
reaches the blacklist threshold (usually between 3 and 7),
account login is disabled even if the correct password is
supplied.
Intruders can use blacklisting
as the basis for another form of attack. Even if they cannot
break into a system, attackers can effectively deny service to
users with a blacklist attack, where the attacker can
effectively disable many (or all) users by purposely
blacklisting them. To prevent system-level accounts from being
blacklisted by an attacker, most operating systems allow logins
to system accounts from the operator's console regardless of the
account's blacklist status.
A second possible attack is to
steal a system's password file, an amazingly simple thing to do
if the file is not assigned the correct access protection. While
passwords are almost always stored in some encrypted or hash
form in the file, they are still susceptible to attack via a dictionary
attack, where a large number of words are encrypted using
the operating systems' encryption scheme in an effort to find a
match in the password file. Some studies suggest that there is a
99 percent chance of successfully cracking at least one password
in a file containing as few as 16 passwords. With today's
high-speed processors available on the desktop at modest cost,
nearly anyone with a spell checker can launch a dictionary
attack.
Along these lines, it is
important to note that the length of a password is not the major
factor in determining how good it is. Most users today still
choose passwords containing only lowercase letters, most often
forming a word or string of words. These types of passwords are
the most susceptible to a dictionary attack.
Another form of attack is
called login spoofing, and can be particularly successful
in public terminal rooms at educational institutions. In this
scenario, the attacker runs a program that displays what appears
to be a legitimate login message. When another user attempts to
login, the programs makes the usually queries for the username
and password, writes the information to a file, displays an
"Invalid login" message, and then logs the attacker
out. The legitimate user, thinking that they must have made a
typographical error, tries again to login and succeeds. This
attack works often and, if lucky, the attacker finds a user who
has a high level of system privilege.
A fourth attack is to actually
monitor the traffic between the user and computer. If this
attack is used, the attacker may be able to find usernames and
passwords in plain text. In a local network, this form of attack
requires that the intruder gain physical access to the
communications lines or wiring closet; on the Internet, an
intruder may just need to monitor the packets used for Telnet,
the WWW, or other passworded accounts.
After obtaining legitimate
usernames and passwords, the attacker can engage in a replay
attack, where the attacker resends the valid authentication
information to a target system to gain entry. Any system that
uses constant identification and/or authentication information
is susceptible to such as attack.
Bellcore's S/KEY™ system was
designed to counter such a replay attack. In S/KEY, a user
chooses a secret passphrase from which a well-known algorithm
generates the desired number of simple passwords. Each generated
password is a word that one to four letters in length and each
generated password is dependent on the previously generated
password. When a user attempts to login to a host, the host
issues a challenge based on the password last used by this user;
the client replies with the password in the sequence. With this
scheme, an intruder can neither guess or calculate the next
password in the sequence nor will a replay attack succeed. There
are several S/KEY-compatible one-time password implementations
in existence and these are starting to be more widely deployed
in the Internet.
As it turns out, the simplest
approach to obtaining passwords is often the easiest. Attackers
frequently learn other users' passwords by simply asking for
them, either through e-mail, on the phone, or in an on-line chat
room. Often purporting to be a "network security
officer," an attacker will ask a user for their password
"for verification" purposes. Although nearly all
system administrators tell users that they will never be asked
for their password in this way, some users will divulge their
passwords without thinking twice. An intruder might also call
the system manager posing as a user who has forgotten their
password and ask for a new one; such requests should never be
satisfied without positively identifying the caller.
Alternatively, intruders have
been known to send e-mail to an intended "target" user
notifying them that there has been a security breach and that
they should change their password to some particular value
"for security reasons." Many users, thinking that they
are doing what's best for the system, will comply with these
requests.
How Many Characters Do You
Need For A Safe Password?
Since almost all computer
systems store passwords in some encrypted form, think of the
password as a key to a cryptographic system. Cryptographic
systems provide more security as the key size grows, suggesting
that passwords are more secure as they grow longer. There is
some truth in this observation. However, a longer password is
not as strong when compared to a shorter password as one might
think. This is due to the limitations imposed by some computer
systems and the way in which people choose their passwords.
Consider the following example
[Cheswick & Bellovin]. Most Unix systems limit passwords to
eight characters in length, or 64 bits. But Unix only uses the
seven significant bits of each character as the encryption key,
reducing the key size to 56 bits. But even this is not as good
as it might appear because the 128 possible combinations of
seven bit per character are not equally likely; users usually do
not use control characters or non-alphanumeric characters in
their passwords. In fact, most users only use lowercase letters
in their passwords (and some password systems are
case-insensitive, in any case). The bottom line is that ordinary
English text of 8 letters has an information content of about
2.3 bits per letter, yielding an 18.4-bit key length for an
8-letter passwords composed of English words. Many people choose
names as a password and this yields an even lower information
content of about 7.8 bits for the entire 8-letter name. As
phrases get longer, each letter only adds about 1.2 to 1.5 bits
of information, meaning that a 16-letter password using words
from an English phrase only yields a 19- to 24-bit key, not
nearly what we might otherwise expect.
TABLE 1.
Number of Keys Possible With Various Password Lengths and
Character Set Constraints.
| Character
Set |
Password
Length |
| 4-octet |
5-octet |
6-octet |
7-octet |
8-octet |
| Lowercase letters (26) |
4.6x105 |
1.2x107 |
3.1x108 |
8.0x109 |
2.1x1011 |
| Lowercase letters/digits
(36) |
1.7x106 |
6.0x107 |
2.2x109 |
7.8x1010 |
2.8x1012 |
| All alphanumeric
characters (62) |
1.5x107 |
9.2x108 |
5.7x1010 |
3.5x1012 |
2.2x1014 |
| Printable characters
(95) |
8.1x107 |
7.7x109 |
7.4x1011 |
7.0x1013 |
6.6x1015 |
| 7-bit ASCII characters
(128) |
2.7x108 |
3.4x1010 |
4.4x1012 |
5.6x1014 |
7.2x1016 |
| 8-bit ASCII characters
(256) |
4.3x109 |
1.1x1012 |
2.8x1014 |
7.2x1016 |
1.8x1019 |
Tables 1 and 2, derived from [Schneier],
offer another way to look at the situation. Table 1 shows the
possible number of keys generated with a 4-, 5-, 6-, 7-, and
8-octet password given different constraints on the input. Table
2 provides the amount of time required to perform an exhaustive
search of all possible keys with a processor able to examine one
million keys per second. Clearly, while longer passwords provide
better protection than shorter ones, passwords that use a wider
combination of possible bit combinations are better than ones
that are highly constrained.
TABLE 2. Amount
of Time to Search All Possible Keys (at 1 million
keys/second).
| Character
Set |
Password
Length |
| 4-octet |
5-octet |
6-octet |
7-octet |
8-octet |
| Lowercase letters (26) |
0.5 sec. |
12 sec. |
5.2 min. |
2.2 hours |
2.4 days |
| Lowercase letters/digits
(36) |
1.7 sec. |
1 min. |
36.7 min. |
21.7
hours |
32.4 days |
| All alphanumeric
characters (62) |
15 sec. |
15 min. |
15.8
hours |
40.5 days |
7 years |
| Printable characters
(95) |
1.4 min. |
2.1 hours |
8.6 days |
2.2 years |
209 years |
| 7-bit ASCII characters
(128) |
4.5 min. |
9.4 hours |
50.9 days |
17.8
years |
2283
years |
| 8-bit ASCII characters
(256) |
1.2 hours |
12.7 days |
8.9 years |
2283
years |
570,776
years |
These tables show why a secret
that has 64 bits of randomness is generally thought to be
secure; it is computationally infeasible to search 264
possible keys. And how many characters does a password need to
generate a 64-bit key?
- If random characters from
the set of alphanumerics are used, an 11-character password
would be necessary. Unfortunately, users are unlikely to
memorize a randomly selected 11-character string.
- If pronounceable passwords
are chosen, each character contributes about 4 bits to the
key size, so a 16-character password would do. This, too, is
a much longer password than people will memorize.
- If people are allowed to
select their own password, conventional wisdom says that
each character contributes only 2 bits, so passwords would
have to be 32 characters in length. This is also too long.
So what can we conclude? It is
that any secret — a password, in this case — that most
people will memorize and type in on a regular basis will not be
as good as a 64-bit random number. Therefore, passwords will be
open to guessing attacks of one form or another.
Conclusion And Summary
While passwords are a weak form
of protection, their simplicity makes them easy to use and
administer. If users are convinced of their worth, appropriate
education provided, and a little care taken, passwords can
provide adequate protection. Note also that passwords are a form
of 'what you know' security; while vulnerable to attack when
used alone, they are quite powerful when used in combination
with 'what you have' (e.g., identification card) or 'what you
are' (e.g., hand scan or voice print) systems.
System and network
administrators must create policies and procedures for site
security, including password administration. Users must be made
aware of these policies, the motivation for them, and
consequences of non-compliance. It is imperative to remember
that widespread success is not necessary with respect to
password attacks; with hundreds of thousands of computers on the
Internet that each have hundreds or thousands of user accounts,
a knowledgeable intruder only needs a few successful entry
points to cause significant damage.
References
Cheswick, W.R. and S.M.
Bellovin. Firewalls and Internet Security: Repelling the Wily
Hacker. Reading (MA): Addison-Wesley, 1994.
Cohen, F.B. Protection and
Security on the Information Superhighway. New York: John
Wiley & Sons, 1995.
Department of Defense. Password
Management Guidelines. CSC-STD-002-85, 12 April 1985.
Haller, N. The S/KEY
One-Time Password System. RFC 1760. Bellcore. February 1995.
_____ and R. Atkinson. On
Internet Authentication. RFC 1704. Bellcore and the Naval
Research Laboratory. October 1994.
Holbrook, P. and J. Reynolds,
Editors. Site Security Handbook. FYI 8/RFC 1244, CICNet
and ISI, July 1991.
Kaufman, C., R. Perlman, and M.
Speciner. Network Security: Private Communication in a Public
World. Englewood Cliffs (NJ): Prentice Hall PTR, 1995.
Schneier, B. Applied
Cryptography: Protocols, Algorithms, and Source Code in C,
2nd ed. New York, John Wiley & Sons, 1996.
Stoll, C. The Cuckoo's Egg:
Tracking a Spy Through the Maze of Computer Espionage. New
York: Doubleday, 1989.
Footnotes
- A
discussion of the Finger daemon is beyond the scope of this
chapter. Nevertheless, it is worth mentioning that many
sites disable this daemon or alter the program so that it
only displays a text file that contains a standard welcome
message rather than live user statistics. Some sites display
bogus user information here and track whether any login
attempts are made to any of these user accounts, a sure sign
of a potential attack rather than a bona fide error. (Return
to main text.)
- If you
don't believe this, read Stoll's The Cuckoo's Egg. (Return
to main text.)
|
