An edited version of this paper appears in Internet and Internetworking Security, J.P. Cavanagh (ed.), published by Auerbach, 1997.
Passwords are the most common form of authentication used to control access to information, ranging from the personal identification numbers we use for automatic teller machines, credit cards, telephone calling cards, and voice mail systems to the more complex alphanumeric passwords that protect access to files, computers, and network servers. Passwords are widely used because they are simple, inexpensive, and convenient mechanisms to use and implement.
At the same time, passwords are also recognized as being an extremely poor form of protection. The Computer Emergency Response Team (CERT) estimates that about 80 percent of the security incidents reported to them are related to poorly chosen passwords. Password problems are very difficult to manage because a single local computer network may have hundreds or thousands of password-protected accounts and only one needs to be compromised to give a attacker an entree to the local system or network. With today's interconnected Internet, the problems are potentially devastating on an even larger scale; a skillful intruder may break into one system and never harm it, using it instead as a platform for attacks on a population of millions of targets.
This chapter will present some guidelines for choosing and managing passwords, and will describe some types of password attacks, and possible precautions and remedies.
Request for Comments (RFC) 1244 offers some guidelines for selecting and maintaining passwords. These guidelines, which should be a part of any site's security handbook, include:
There are a variety of mechanisms that people can use to create passwords that adhere to these guidelines. One such mechanism to choose some well-known expression, song lyric, or dialogue, and derive the password from the first letter of each word. For example, the phrase To be or not to be; that is the question might be the basis for the password 2bon2bTIT?. This password has mixed case using alpha, numeric, and punctuation characters, and is longer than 6 characters in length. Another scheme is to alternate between one consonant and one or two vowels, up to seven or eight characters; this creates nonsense words that are usually pronounceable and, therefore, easy to remember. Alternatively, choose two or more short words and concatenate them, with a punctuation character between them.
Some systems use programs that automatically generate passwords; in some cases, they even generate usernames. These systems are met with varying opinions by computer security experts. On one hand, the random passwords generated by a program are nearly impossible to guess or attack via a dictionary approach. On the other hand, they are usually so difficult to remember that users have to write them down, yielding another security problem. These systems also usually do not allow users to change their password, but periodically assign a new, random password.
Some sites use a program to assign both usernames and passwords. The username is some arithmetic function of the user's real name, employee number, date of birth, and/or other identifier, so that Pat Jones might be assigned a username zx2Haqqt. This form of assignment just exacerbates the problem; Pat is almost sure to write down both username and password on a piece of paper stuck to the computer! While there is really no need to keep the username secret since that becomes known as soon as the person sends their first e-mail message, it does suggest that electronic mail identifiers should be different from network usernames, where possible.
There is a related problem and that is that individuals have too many passwords. One reason for this is because of the World Wide Web (WWW). An increasing number of Web sites ask users to register, requesting both a username and password. Since most of these registrations are free, and only used for marketing purposes rather than security, the result is a proliferation of passwords. Some users use the same password for every location; but if one password is compromised, all are. Others choose a different password at every site, and eventually have to write them down. Neither is a good solution.
Passwords are a weak form of protection for many reasons. One major reason is that passwords depend on the weakest link in the computer and network security chain; namely, the human user. Most users think that security procedures are either a joke, the cloak-and-dagger stuff of system and network administrators, and/or due to paranoia. As a result, they do not pay sufficient attention to wisely choosing passwords nor protecting them.
There are several ways in which an intruder can attack password-protected systems. The most common form of attack is password guessing. People often choose their own name, username, telephone number, or some variant as their password; next, they choose the name of family members or friends, pets, special interests, or some variant. And how does an attacker find this information? In many cases, it's easy. The Finger utility, a known security weakness waiting to be exploited, displays the status of all currently active users complete with username, one item of information that an attacker cannot do without. Finger listings1 also display the users' real name; the PLAN.TXT and PROJECT.TXT files often supply additional personal information with which an intruder can launch a password guessing attack, as well as information about the last login. Many individual's WWW pages supply even more personal information.
It is also surprising how many sites choose obvious passwords for some accounts or do not change the factory settings on some accounts. In Digital's VAX/VMS systems, for example, the SYSTEM and FIELD accounts come with the pre-defined passwords MANAGER and SERVICE, respectively. System manager courses and field service personnel advise the system administrator to change both passwords and even to disable them when not in use; these simple precautions are often ignored.2 Many systems even supply a GUEST account with no password, but do not strictly limit the capabilities of that account.
The normal defense against password-guessing attacks is a feature called blacklisting, which limits the number of consecutive unsuccessful login attempts. In a typical implementation, a login attempt counter is set to zero after a successful login and incremented after any unsuccessful login attempt. If the counter ever reaches the blacklist threshold (usually between 3 and 7), account login is disabled even if the correct password is supplied.
Intruders can use blacklisting as the basis for another form of attack. Even if they cannot break into a system, attackers can effectively deny service to users with a blacklist attack, where the attacker can effectively disable many (or all) users by purposely blacklisting them. To prevent system-level accounts from being blacklisted by an attacker, most operating systems allow logins to system accounts from the operator's console regardless of the account's blacklist status.
A second possible attack is to steal a system's password file, an amazingly simple thing to do if the file is not assigned the correct access protection. While passwords are almost always stored in some encrypted or hash form in the file, they are still susceptible to attack via a dictionary attack, where a large number of words are encrypted using the operating systems' encryption scheme in an effort to find a match in the password file. Some studies suggest that there is a 99 percent chance of successfully cracking at least one password in a file containing as few as 16 passwords. With today's high-speed processors available on the desktop at modest cost, nearly anyone with a spell checker can launch a dictionary attack.
Along these lines, it is important to note that the length of a password is not the major factor in determining how good it is. Most users today still choose passwords containing only lowercase letters, most often forming a word or string of words. These types of passwords are the most susceptible to a dictionary attack.
Another form of attack is called login spoofing, and can be particularly successful in public terminal rooms at educational institutions. In this scenario, the attacker runs a program that displays what appears to be a legitimate login message. When another user attempts to login, the programs makes the usually queries for the username and password, writes the information to a file, displays an "Invalid login" message, and then logs the attacker out. The legitimate user, thinking that they must have made a typographical error, tries again to login and succeeds. This attack works often and, if lucky, the attacker finds a user who has a high level of system privilege.
A fourth attack is to actually monitor the traffic between the user and computer. If this attack is used, the attacker may be able to find usernames and passwords in plain text. In a local network, this form of attack requires that the intruder gain physical access to the communications lines or wiring closet; on the Internet, an intruder may just need to monitor the packets used for Telnet, the WWW, or other passworded accounts.
After obtaining legitimate usernames and passwords, the attacker can engage in a replay attack, where the attacker resends the valid authentication information to a target system to gain entry. Any system that uses constant identification and/or authentication information is susceptible to such as attack.
Bellcore's S/KEY system was designed to counter such a replay attack. In S/KEY, a user chooses a secret passphrase from which a well-known algorithm generates the desired number of simple passwords. Each generated password is a word that one to four letters in length and each generated password is dependent on the previously generated password. When a user attempts to login to a host, the host issues a challenge based on the password last used by this user; the client replies with the password in the sequence. With this scheme, an intruder can neither guess or calculate the next password in the sequence nor will a replay attack succeed. There are several S/KEY-compatible one-time password implementations in existence and these are starting to be more widely deployed in the Internet.
As it turns out, the simplest approach to obtaining passwords is often the easiest. Attackers frequently learn other users' passwords by simply asking for them, either through e-mail, on the phone, or in an on-line chat room. Often purporting to be a "network security officer," an attacker will ask a user for their password "for verification" purposes. Although nearly all system administrators tell users that they will never be asked for their password in this way, some users will divulge their passwords without thinking twice. An intruder might also call the system manager posing as a user who has forgotten their password and ask for a new one; such requests should never be satisfied without positively identifying the caller.
Alternatively, intruders have been known to send e-mail to an intended "target" user notifying them that there has been a security breach and that they should change their password to some particular value "for security reasons." Many users, thinking that they are doing what's best for the system, will comply with these requests.
Since almost all computer systems store passwords in some encrypted form, think of the password as a key to a cryptographic system. Cryptographic systems provide more security as the key size grows, suggesting that passwords are more secure as they grow longer. There is some truth in this observation. However, a longer password is not as strong when compared to a shorter password as one might think. This is due to the limitations imposed by some computer systems and the way in which people choose their passwords.
Consider the following example [Cheswick & Bellovin]. Most Unix systems limit passwords to eight characters in length, or 64 bits. But Unix only uses the seven significant bits of each character as the encryption key, reducing the key size to 56 bits. But even this is not as good as it might appear because the 128 possible combinations of seven bit per character are not equally likely; users usually do not use control characters or non-alphanumeric characters in their passwords. In fact, most users only use lowercase letters in their passwords (and some password systems are case-insensitive, in any case). The bottom line is that ordinary English text of 8 letters has an information content of about 2.3 bits per letter, yielding an 18.4-bit key length for an 8-letter passwords composed of English words. Many people choose names as a password and this yields an even lower information content of about 7.8 bits for the entire 8-letter name. As phrases get longer, each letter only adds about 1.2 to 1.5 bits of information, meaning that a 16-letter password using words from an English phrase only yields a 19- to 24-bit key, not nearly what we might otherwise expect.
|Character Set||Password Length|
|Lowercase letters (26)||4.6x105||1.2x107||3.1x108||8.0x109||2.1x1011|
|Lowercase letters/digits (36)||1.7x106||6.0x107||2.2x109||7.8x1010||2.8x1012|
|All alphanumeric characters (62)||1.5x107||9.2x108||5.7x1010||3.5x1012||2.2x1014|
|Printable characters (95)||8.1x107||7.7x109||7.4x1011||7.0x1013||6.6x1015|
|7-bit ASCII characters (128)||2.7x108||3.4x1010||4.4x1012||5.6x1014||7.2x1016|
|8-bit ASCII characters (256)||4.3x109||1.1x1012||2.8x1014||7.2x1016||1.8x1019|
Tables 1 and 2, derived from [Schneier], offer another way to look at the situation. Table 1 shows the possible number of keys generated with a 4-, 5-, 6-, 7-, and 8-octet password given different constraints on the input. Table 2 provides the amount of time required to perform an exhaustive search of all possible keys with a processor able to examine one million keys per second. Clearly, while longer passwords provide better protection than shorter ones, passwords that use a wider combination of possible bit combinations are better than ones that are highly constrained.
|Character Set||Password Length|
|Lowercase letters (26)||0.5 sec.||12 sec.||5.2 min.||2.2 hours||2.4 days|
|Lowercase letters/digits (36)||1.7 sec.||1 min.||36.7 min.||21.7 hours||32.4 days|
|All alphanumeric characters (62)||15 sec.||15 min.||15.8 hours||40.5 days||7 years|
|Printable characters (95)||1.4 min.||2.1 hours||8.6 days||2.2 years||209 years|
|7-bit ASCII characters (128)||4.5 min.||9.4 hours||50.9 days||17.8 years||2283 years|
|8-bit ASCII characters (256)||1.2 hours||12.7 days||8.9 years||2283 years||570,776 years|
These tables show why a secret that has 64 bits of randomness is generally thought to be secure; it is computationally infeasible to search 264 possible keys. And how many characters does a password need to generate a 64-bit key?
So what can we conclude? It is that any secret a password, in this case that most people will memorize and type in on a regular basis will not be as good as a 64-bit random number. Therefore, passwords will be open to guessing attacks of one form or another.
While passwords are a weak form of protection, their simplicity makes them easy to use and administer. If users are convinced of their worth, appropriate education provided, and a little care taken, passwords can provide adequate protection. Note also that passwords are a form of 'what you know' security; while vulnerable to attack when used alone, they are quite powerful when used in combination with 'what you have' (e.g., identification card) or 'what you are' (e.g., hand scan or voice print) systems.
System and network administrators must create policies and procedures for site security, including password administration. Users must be made aware of these policies, the motivation for them, and consequences of non-compliance. It is imperative to remember that widespread success is not necessary with respect to password attacks; with hundreds of thousands of computers on the Internet that each have hundreds or thousands of user accounts, a knowledgeable intruder only needs a few successful entry points to cause significant damage.
Cheswick, W.R. and S.M. Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Reading (MA): Addison-Wesley, 1994.
Cohen, F.B. Protection and Security on the Information Superhighway. New York: John Wiley & Sons, 1995.
Department of Defense. Password Management Guidelines. CSC-STD-002-85, 12 April 1985.
Haller, N. The S/KEY One-Time Password System. RFC 1760. Bellcore. February 1995.
_____ and R. Atkinson. On Internet Authentication. RFC 1704. Bellcore and the Naval Research Laboratory. October 1994.
Holbrook, P. and J. Reynolds, Editors. Site Security Handbook. FYI 8/RFC 1244, CICNet and ISI, July 1991.
Kaufman, C., R. Perlman, and M. Speciner. Network Security: Private Communication in a Public World. Englewood Cliffs (NJ): Prentice Hall PTR, 1995.
Schneier, B. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed. New York, John Wiley & Sons, 1996.
Stoll, C. The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. New York: Doubleday, 1989.