newbie: passwords
date: 8.2.99

A guide to using and selecting secure passwords.

What is a 'password'?

Passwords are one form of user authentication. This means the system
relies on something you know to validate who is logging onto the server.
This works based on the idea of each user having a unique login, and
a secret password that only they know. Under this model, the system
verifies your password and knows it is truly you logging in.

The problem with this is that the unix system assumes only you have
your password. It makes no provision for, and cannot understand, the
possibility that you are not the only one with your password. Some
examples of why you may not be the only one include:

	*  Writing it down and losing the paper

	*  Someone watching your keystrokes as you log in

	*  A network intruder snooping your password via technical means

	*  Someone guessing your password

With that in mind, it is apparent that you need a secret password
that only you know and that cannot be guessed. Your administrator is
responsible for the security of your system and for helping prevent network
intruders from gaining your password. However, security is EVERYONE'S
responsibility on the system.

Why is my password so important?

Many people wonder why a single password is such a big deal. What they
often fail to realize is how intruders work, and where they start. The
following chain of events will hopefully help illustrate the severity
of a single password:

	John from accounting writes his password down near his workstation.

	Joe from engineering sees the password and writes it down for later.

	Late one night, Joe logs into the accounting machine
	using John's account and password.

	Using a well known exploit, Joe is able to gain 'root'
	privileges on the accounting machine. With these privs,
	Joe is able to view all files on the system including payroll,
	billing and more.

	Using the ill-gotten privs, Joe sets up a network sniffer
	to monitor all traffic on the Local Area Network (LAN).

	Watching this traffic, Joe is able to view login names and
	passwords to almost every machine on the network. Hundreds
	of machines are compromised.

	Using a 'sniffed' login and password, Joe logs into one of
	R&D's computers. Repeating the same steps, Joe is now able
	to view traffic going from his company to and from a
	research partner in Europe.

The steps above represent the progression an attacker can make, all stemming
from a single login and password. When using the unix system, you must be
mindful that your account can be a key to the kingdom. To further illustrate
the concern, here are a few other things an intruder may do with your
account alone:

	Use your account to break into other machines, leaving a trail
	that points to YOU doing the crime.

	Use your account to annoy, harass and threaten other users on
	the internet.

	Use your account to traffic in questionable or illegal material
	such as pornography or stolen software.

	Read your personal email and files.

These elements alone should encourage you to protect your account. If nothing
else, you are covering your own ass ;)

What's in a password?

A standard unix password can be up to eight characters. It may 
contain numbers, letters, and most special characters.

Some of the available characters:
	abcdefghijklmnopqrstuvwxyz
	ABCDEFGHIJKLMNOPQRSTUVWXYZ
	1234567890
	!@#$%^&*()_+-=[]{};':",./?


Elements of a secure password

What are the elements of a good password? First, let's list some things
your password should NOT be.

	* Any word in any language or dictionary (English, Spanish, German)
	* Words with one alteration (4play, look@, this1)
	* Any name (john, jane, brenda, fred)
	* All upper or lowercase words (PARTY, tricky, SECURE)
	* Sequences [keyboard, alpha, numeric] (qwerty, asdfg, bcdefg, 123456)
	* Words with missing letters (hvywght, lsrbm, cmptr)
	* 'elite speak' [number substitution] (pr0j3ct, k3yb04rd)

What are some elements of a good password if I can't use any of that?!

	* Use a combination of letters, numbers, special characters,
	  upper and lower case
	* A password that is not used anywhere else
	* Minimum of 7 characters
	* At least one uppercase letter, one lowercase letter,
	  one number, one special character

To illustrate why you should follow these guidelines, let's look at
a popular utility called Crack that intruders might use to guess your
password. Since the unix password function is a one way function,
the program cannot reverse the encrypted string to recover the password.
Instead, it takes a huge list of words and encrypts each one using the
same function. From there, it simply compares each encrypted word
to your encrypted word. When it finds a match, it has successfully
guessed your password.

For example: If you chose the password "$hEllo!", it may look like
"Vz0uAiTtjVL1g" once encrypted. So Crack will go through each of the
words in its dictionary, try each rule on each word, and attempt
to guess your password. Once it finds "Vz0uAiTtjVL1g", it matches
it with your password and reports a successfully cracked password.

The following list contains some of the rules Crack tries while 
attempting to guess the password. These should illustrate how
thorough and comprehensive the cracking effort can be.

  * Prepend a character to each word (alpha -> 1alpha)
  * Append a character to each word (alpha -> alpha1)
  * Delete first character from word (alpha -> lpha)
  * Delete last character from word (alpha -> alph)
  * Reverse each word (alpha -> ahpla)
  * Duplicate each word (alpha -> alphaalpha)
  * Reflect each word (alpha -> alphaahpla)
  * Uppercase each word (alpha -> ALPHA)
  * Lowercase each word (AlPhA -> alpha)
  * Capitalise each word (alpha -> Alpha)
  * N-Capital each word (alpha -> aLPHA)
  * Pluralise each word (alpha -> alphas)
  * Toggle case in each word (AlpHa -> aLPhA)
  * Reject the word unless N long 
  * Reject the word unless longer than N
  * Replace all instances of X with Y (a/b  alpha -> blphb)
  * Use substring (2-4  alpha -> lph)
  * Insert characters (#  alpha -> al#pha)
  * Purge characters (p  alpha -> alha)

Hopefully this illustrates how seriously people go about guessing passwords. ;)
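The guess-and-compare idea and the mangling rules above can be turned around and used defensively: a proactive checker run when a password is set rejects anything the rules would produce. The following is an added example, not part of the original guide or of Crack itself; it applies a subset of the listed rules to a small constructed word list (a real list would be far larger) and also enforces the "elements of a good password" from the previous section.

```python
import string

# Constructed stand-in for a real word list (Crack's has many thousands of words).
DICTIONARY = ["alpha", "party", "hello", "secure", "john"]
# "Replace all instances of X with Y" rules, covering the 'elite speak' substitutions.
SUBS = (("a", "4"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$"))
AFFIXES = string.digits + "!@#$%"   # characters tried by the prepend/append rules

def mangle(word):
    """Yield variants of a word using a subset of the Crack rules above,
    combining a case/shape rule with one substitution or affix rule."""
    w = word.lower()
    bases = {w, w.upper(), w.capitalize(), w[0] + w[1:].upper(),  # case rules
             w[::-1], w + w, w + w[::-1], w + "s",  # reverse, duplicate, reflect, pluralise
             w[1:], w[:-1]}                         # delete first / last character
    for b in list(bases):
        for x, y in SUBS:
            bases.add(b.replace(x, y))
    for b in bases:
        yield b
        for c in AFFIXES:
            yield c + b
            yield b + c

def composition_errors(pw):
    """Check the 'elements of a good password' rules from the guide."""
    checks = [(len(pw) >= 7, "shorter than 7 characters"),
              (any(c.isupper() for c in pw), "no uppercase letter"),
              (any(c.islower() for c in pw), "no lowercase letter"),
              (any(c.isdigit() for c in pw), "no number"),
              (any(c in string.punctuation for c in pw), "no special character")]
    return [msg for ok, msg in checks if not ok]

def dictionary_hit(pw, words=DICTIONARY):
    """Return the dictionary word that mangles into pw, or None."""
    for word in words:
        if pw in mangle(word):
            return word
    return None

def check_password(pw, words=DICTIONARY):
    """Return a list of reasons to reject pw; an empty list means it passes."""
    problems = composition_errors(pw)
    hit = dictionary_hit(pw, words)
    if hit:
        problems.append(f"derived from dictionary word '{hit}'")
    return problems

if __name__ == "__main__":
    for candidate in ("party", "Alpha1", "$hEllo!", "3-BLmIc3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "$hEllo!", the guide's own cracked example, already fails the composition check because it contains no number.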

Examples of good passwords

Despite the rules listed above, it is possible to pick secure passwords
that are easy to remember! The trick is to use a word that is easy 
to remember for one reason or another. This is easiest with word
association. Listed below are some examples, but PLEASE don't use
these! No doubt they are in some word dictionaries!

Example:	Three Blind Mice
Password:	3-BLmIc3

Example:	Phoenix Arizona
Password:	PHoeN$AZ

Example:	Dinner Meeting
Password:	yUm@WOrK


When should I change my password?

	* You have had the same one for more than thirty days.

	* You have told it to anyone (even Mom) or have written
	  it down anywhere.

	* You have logged onto a system from another system 
	  using unencrypted communication.

	* You are notified that the password is weak by your
	  system admin.

Additional resources on password security

UNIX Password Security by Walter Belgers
This is a well written paper outlining not only the importance of
secure passwords, but a more technical description of the unix password
schemes and more.

More on:
password guessing
password sniffing
social engineering


jericho@attrition.org (c) copyright 1998, 1999 Brian Martin