newbie: passwords
date: 8.2.99

A guide to using and selecting secure passwords.

What is a 'password'?

Passwords are one form of user authentication. This means the system relies on something you know to validate who is logging onto the server. This works on the idea of each user having a unique login and a secret password that only they know. Under this model, the system verifies your password and assumes it is truly you logging in.

The problem with this is that the unix system assumes only you have your password. It makes no provision for the possibility that you are not the only one who knows it. Some examples of why you may not be the only one include:

* Writing it down and losing the paper
* Someone watching your keystrokes as you log in
* A network intruder snooping your password via technical means
* Someone guessing your password

With that in mind, it is apparent that you need a secret password, that only you know, that can not be guessed. Your administrator is responsible for the security of your system and for helping prevent network intruders from gaining your password. However, it is EVERYONE'S responsibility on the system.

Why is my password so important?

Many people wonder why a single password is such a big deal. What they often fail to realize is how intruders work, and where they start. The following chain of events will hopefully illustrate the severity of a single password:

John from accounting writes his password down near his workstation. Joe from engineering sees the password and writes it down for later. Late one night, Joe logs into the accounting machine using John's account and password. Using a well known exploit, Joe is able to gain 'root' privileges on the accounting machine. With these privs, Joe is able to view all files on the system including payroll, billing and more. Using the ill-gotten privs, Joe sets up a network sniffer to monitor all traffic on the Local Area Network (LAN).
Watching this traffic, Joe is able to view login names and passwords to almost every machine on the network. Hundreds of machines are compromised. Using a 'sniffed' login and password, Joe logs into one of R&D's computers. Repeating the same steps, Joe is now able to view traffic going from his company to and from a research partner in Europe.

The steps above represent the progression an attacker can make, all stemming from a single login and password. When using the unix system, you must be mindful that your account can be a key to the kingdom. To further illustrate the concern, here are a few other things an intruder may do with your account alone:

* Use your account to break into other machines, leaving a trail that points to YOU doing the crime.
* Use your account to annoy, harass and threaten other users on the internet.
* Use your account to traffic in questionable or illegal material such as pornography or stolen software.
* Read your personal email and files.

These elements alone should encourage you to protect your account. If nothing else, you are covering your own ass ;)

What's in a password?

A standard unix password can be up to eight characters; the traditional crypt(3) function silently ignores anything beyond the eighth, so a longer password is no stronger than its first eight characters. It may contain numbers, letters, and most special characters. Some of the available characters:

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
1234567890
!@#$%^&*()_+-=[]{};':",./?

Elements of a secure password

What are the elements of a good password? First, let's list some things your password should NOT be:

* Any word in any language or dictionary (english, spanish, german)
* Words with one alteration (4play, look@, this1)
* Any name (john, jane, brenda, fred)
* All upper or lowercase words (PARTY, tricky, SECURE)
* Sequences [keyboard, alpha, numeric] (qwerty, asdfg, bcdefg, 123456)
* Words with missing letters (hvywght, lsrbm, cmptr)
* 'elite speak' [number substitution] (pr0j3ct, k3yb04rd)

What are some elements of a good password if I can't use any of that?!
* Use a combination of letters, numbers, special characters, upper and lower case
* A password that is not used anywhere else
* Minimum of 7 characters
* At least one uppercase letter, one lowercase letter, one number, one special character

To illustrate why you should follow these guidelines, let's look at a popular utility called Crack that intruders might use to guess your password. Since the unix password function is a one way function, the program can not reverse the encrypted string to recover the password. Instead, it takes a huge list of words, encrypts each one with the same function (and the same salt, which is stored in the clear next to the encrypted password), and compares each result to your encrypted password. When it finds a match, it has successfully guessed your password.

For example: if you chose the password "$hEllo!", it may look like "Vz0uAiTtjVL1g" once encrypted. Crack will go through each of the words in its dictionary, try each rule on each word, and encrypt the result. Once one of those results comes out as "Vz0uAiTtjVL1g", it has matched your password and reports a successfully cracked password. Note that Crack only reaches "$hEllo!" because it starts from the dictionary word "hello"; a decorated dictionary word is only as strong as the decoration.

The following list contains some of the rules Crack tries while attempting to guess the password. These should illustrate how thorough and comprehensive the cracking effort can be.
* Prepend a character to each word (alpha -> 1alpha)
* Append a character to each word (alpha -> alpha1)
* Delete first character from word (alpha -> lpha)
* Delete last character from word (alpha -> alph)
* Reverse each word (alpha -> ahpla)
* Duplicate each word (alpha -> alphaalpha)
* Reflect each word (alpha -> alphaahpla)
* Uppercase each word (alpha -> ALPHA)
* Lowercase each word (AlPhA -> alpha)
* Capitalise each word (alpha -> Alpha)
* N-Capital each word (alpha -> aLPHA)
* Pluralise each word (alpha -> alphas)
* Toggle case in each word (AlpHa -> aLPhA)
* Reject the word unless N long
* Reject the word unless longer than N
* Replace all instances of X with Y (a/b alpha -> blphb)
* Use substring (2-4 alpha -> lph)
* Insert characters (# alpha -> al#pha)
* Purge characters (p alpha -> alha)

Hopefully this illustrates how serious people are about guessing passwords. ;)

Examples of good passwords

Despite the rules listed above, it is possible to pick secure passwords that are easy to remember! The trick is to start from a phrase that is easy to remember for one reason or another and derive the password from it, rather than decorating a single word. This is easiest with word association. Listed below are some examples, but PLEASE don't use these! No doubt they are in some word dictionaries by now!

Example: Three Blind Mice      Password: 3-BLmIc3
Example: Phoenix Arizona       Password: PHoeN$AZ
Example: Dinner Meeting        Password: yUm@WOrK

When should I change my password?

* You have had the same one for more than thirty days.
* You have told it to anyone (even Mom) or have written it down anywhere.
* You have logged onto a system from another system using unencrypted communication (telnet, for instance), since the password could have been sniffed in transit.
* You are notified that the password is weak by your system admin.

Additional resources on password security

UNIX Password Security by Walter Belgers
This is a well written paper outlining not only the importance of secure passwords, but a more technical description of the unix password schemes and more.

More on:
* password guessing
* password sniffing
* social engineering
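To make the Crack process and the password guidelines above concrete, here is an added example in Python. It is not part of the original article and not Crack's own code. It assumes a salted SHA-256 as a stand-in for the one-way crypt(3) function (the real DES-based crypt is not needed to show the method and is no longer shipped with Python), a subset of the mangling rules from the list above, chains of up to three rules, and a constructed three-word dictionary. The password-file salt "xy", the wordlist and the four test passwords are all made up for the example.

```python
from __future__ import annotations

import hashlib
import string
from typing import Iterable, Iterator, Optional


def hash_password(password: str, salt: str) -> str:
    """One-way function standing in for Unix crypt(3).

    Real crypt(3) of the era was DES-based with a two-character salt and
    used only the first eight characters of the password. A salted
    SHA-256 is used here (an assumption of this example, not what the
    article's systems ran) so the code works on any Python. The attack
    only needs to call the same function the system used; which function
    it is does not matter.
    """
    return hashlib.sha256((salt + password).encode()).hexdigest()


LEET = str.maketrans("aeiost", "43105+")   # 'elite speak' substitutions
EXTRA = string.digits + "!@#$"              # characters to prepend/append

# A subset of the Crack rules listed above. Each maps one candidate to a
# list of mangled candidates; empty results are discarded by mangle().
RULES = {
    "identity":     lambda w: [w],
    "uppercase":    lambda w: [w.upper()],
    "lowercase":    lambda w: [w.lower()],
    "capitalise":   lambda w: [w.capitalize()],
    "n-capital":    lambda w: [w[:i] + w[i].upper() + w[i + 1:] for i in range(len(w))],
    "reverse":      lambda w: [w[::-1]],
    "duplicate":    lambda w: [w + w],
    "reflect":      lambda w: [w + w[::-1]],
    "pluralise":    lambda w: [w + "s"],
    "delete-first": lambda w: [w[1:]],
    "delete-last":  lambda w: [w[:-1]],
    "leet":         lambda w: [w.translate(LEET)],
    "prepend":      lambda w: [c + w for c in EXTRA],
    "append":       lambda w: [w + c for c in EXTRA],
}


def mangle(word: str, depth: int) -> Iterator[tuple[str, str]]:
    """Yield (candidate, rule chain) for every chain of 1..depth rules
    applied to `word`, shortest chains first, each candidate only once."""
    seen = {""}
    frontier = [(word, "")]
    for _ in range(depth):
        next_frontier = []
        for cand, chain in frontier:
            for name, rule in RULES.items():
                for out in rule(cand):
                    if out in seen:
                        continue
                    seen.add(out)
                    label = f"{chain}+{name}" if chain else name
                    next_frontier.append((out, label))
                    yield out, label
        frontier = next_frontier


def crack(target: str, salt: str, wordlist: Iterable[str],
          depth: int = 1) -> Optional[tuple[str, str, str]]:
    """Dictionary attack in the style of Crack: hash every mangled word
    with the victim's salt and compare against the stored hash.
    Returns (dictionary word, rule chain, recovered password) or None."""
    for word in wordlist:
        for cand, chain in mangle(word, depth):
            if hash_password(cand, salt) == target:
                return word, chain, cand
    return None


def meets_guidelines(pw: str) -> bool:
    """The article's minimum: 7+ characters with at least one lowercase
    letter, one uppercase letter, one digit and one special character."""
    return (len(pw) >= 7
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


# Constructed, deliberately tiny dictionary; a real Crack run uses tens of
# thousands of words in several languages.
WORDLIST = ["hello", "alpha", "mice"]
SALT = "xy"   # constructed; in real life it comes from the password-file entry


def demo() -> dict[str, tuple[bool, Optional[tuple[str, str, str]]]]:
    """Guideline check plus a depth-3 attack against four sample passwords."""
    results = {}
    for pw in ["Alpha1", "4lph4", "$hEllo!", "3-BLmIc3"]:
        stored = hash_password(pw, SALT)          # what the system keeps
        results[pw] = (meets_guidelines(pw), crack(stored, SALT, WORDLIST, depth=3))
    return results


if __name__ == "__main__":
    for pw, (ok, found) in demo().items():
        verdict = f"cracked: {found[0]} via {found[1]}" if found else "not found"
        print(f"{pw:10} guidelines {'pass' if ok else 'FAIL'}  {verdict}")
```

Running it shows "4lph4" falling to a single 'elite speak' rule, "Alpha1" to capitalise plus append, and the article's own "$hEllo!" to three chained rules on "hello" (n-capital, prepend, append); only the phrase-derived "3-BLmIc3" survives the wordlist entirely. The guideline checker also rejects "$hEllo!", and likewise PHoeN$AZ and yUm@WOrK from the examples above, because none of them contains a digit, so treat the four-class rule as the article states it rather than as something its sample passwords all satisfy.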
jericho@attrition.org (c) copyright 1998, 1999 Brian Martin