Sarasota PC Monitor


Practicing the Black Art (06/03)

The Password Dilemma

by Vinny La Bash, vlabash@home.com
Member of the Sarasota Personal Computer Users Group, Inc.

Passwords have been around for centuries. For most of that time relatively few people wanted or needed them.

Today they are required for Web sites, ATM PINs, and for your computers at home and at work. Can you remember them all? Do you use different passwords or just one password for everything?

Passwords are meant for protection. A well-constructed, properly implemented password will offer good security against those who could and would do you harm. There are many well-known rules for choosing and using passwords that actually reduce your security, and the Internet through its sheer size and usefulness has compounded the password dilemma. Let's examine the risks and benefits associated with well-known password rules.

These rules were designed to increase the security of password authentication. In reality, password authentication can never provide a high degree of security except in limited situations involving a small group of security conscious and highly motivated (even fanatical) individuals. Sophisticated rules provide the illusion of security because most people rely on risky behavior to make the password system work reliably. We have attempted to illustrate this by several examples below. There is no Password Genie.

1. All Passwords must be memorized.

Why you should:

This is the very essence of password protection. It associates the person who knows the password with permission to use a computer system. If the password is written down instead of being memorized, then authentication relies on access to the piece of paper containing the password. This is much harder for a person to control. People rarely shout out their passwords where the bad guys will hear them. That's why hackers search for written passwords, much like safecrackers always search for a written combination and often find one.

Why you shouldn't:

Human memory is fallible, and this shows up in office environments that often provide access to computers where user names and passwords are selected by an administrator and distributed to those who need it. This eliminates the opportunity for individuals to choose an easily remembered password. In some cases, administrators distribute access information to new users via e-mail, which is a written medium with its own security issues.

2. All Passwords must be at least six characters long.

Why you should:

There are many ways to crack a password. One of them is trial-and-error. If an attacker uses this kind of attack against you, a longer password forces the attacker to try a larger number of alternatives. Most standard keyboards provide at least 96 different characters once upper and lower case letters, digits and symbols are all counted. If each character in the password can take on 96 different values, then each additional character presents the attacker with 96 times as many passwords to try. If the number of alternatives is large enough, the trial-and-error attack might discourage the attacker or lead to the attacker's detection.

Why you shouldn't:

Passwords transmitted in plain text are at great risk from a sniffing attack, and length does not help there. Many people use plain text passwords, but if the authentication system keeps track of the number of incorrect attempts, it will detect a trial-and-error attack after a few guesses. If there is any attempt to automate the guessing, the likelihood of the attempts being noticed in log files increases significantly. And an attacker who has physical access to a computer or to its internal communication links can compromise it without having to guess its password at all.

The Personal Identification Number (PIN) used on typical Automated Teller Machines (ATMs) contains only four digits. The 4-digit PIN seems to work well enough in the banking environment, and the assets it protects are far more important to most people than the assets protected by their computer passwords. Successful attacks on ATM cards rarely involve trial-and-error PIN guessing. A four-digit numeric PIN has 10,000 different possibilities, ranging from 0000 to 9999. Take a minute to figure out how long it would take someone to run through all possible combinations while standing at an ATM without attracting attention.

Most people are likely to consider their Buy.com, Amazon.com or other online retail account that includes credit card numbers more important than the password to a Hotmail, Yahoo or other secondary web-based e-mail account.

3. The password should contain a combination of upper and lowercase letters, digits, and punctuation or other special characters.

Why you should:

Choosing the password from a larger number of characters will produce a broader range of possible passwords within a given password length. Please refer to Item 2.
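An added example, not from the article, that works the arithmetic of items 2 and 3 with the article's own figures (96 keyboard characters, a six-character minimum, the 10,000-combination PIN). The guess rates are constructed assumptions, not measurements.

```python
# Added example (not from the article): how password length and character
# set size multiply the trial-and-error search space, using the article's
# figures (96 keyboard characters, six-character minimum, 4-digit PIN).
# Guess rates below are constructed assumptions, not measurements.

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password at a fixed guess rate."""
    return space / guesses_per_second

def compare_policies() -> dict:
    """Contrast the article's cases: each extra character multiplies the
    space by the alphabet size (item 2), and a larger alphabet can beat
    extra length (item 3)."""
    six_of_96 = keyspace(96, 6)
    seven_of_96 = keyspace(96, 7)
    eight_lower = keyspace(26, 8)          # eight lowercase letters only
    pin = keyspace(10, 4)                  # ATM PIN: 0000-9999
    return {
        "six_of_96": six_of_96,
        "growth_per_char": seven_of_96 // six_of_96,     # 96
        "six_of_96_beats_eight_lowercase": six_of_96 > eight_lower,
        # Assumed: one PIN attempt every 10 s while standing at the ATM.
        "pin_hours_at_atm": seconds_to_exhaust(pin, 0.1) / 3600,
        # Assumed: offline attack on a captured hash at 1,000,000 guesses/s.
        "six_of_96_days_offline": seconds_to_exhaust(six_of_96, 1e6) / 86400,
    }

if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name}: {value}")
```

Six characters drawn from 96 symbols already outnumber eight lowercase letters, which is the point of item 3; the PIN, by contrast, survives only because each guess at the ATM is slow and visible.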

Why you shouldn't:

It is difficult for most people to memorize a string of unintelligible, meaningless characters. The problem is compounded if there is more than one password to memorize, and the longer the password, the greater the difficulty.

If a person chooses a familiar word as a password and then substitutes various digits and other characters for the usual letters, then the person must successfully memorize this substitution, or the password will be forgotten. This isn't as hard as memorizing a random string of characters, but it still requires concentration.

4. The password should not be a word that appears in a dictionary.

Why you should:

Windows stores and transmits passwords in a scrambled, one-way form called a "hash." After the password is supplied to the system, a hashing algorithm creates a string of gibberish (the hash) which is saved. During the next log in the password goes through the same hashing process, and if the result equals the saved hash, entry is granted. Regardless of operating system and method of hashing, the basic approach is essentially the same for all computer platforms. Attackers can recover a password from its hash through a computationally intensive trial-and-error process that can quickly run through millions of possible guesses. Typically these attacks use a dictionary, and such attacks succeed in many cases. If the password doesn't appear in a dictionary, then such an attack won't find it.

Why you shouldn't:

Refer to items 2 and 3.
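An added example, not from the article, of the hash-and-compare login check item 4 describes, together with a defender's audit that tests a stored hash against a wordlist to see whether the password would fall to a dictionary attack. The wordlist and the two accounts are constructed; the unsalted SHA-256 mirrors the article's description, whereas real systems should add a per-user salt and a deliberately slow hash.

```python
# Added example (not from the article): the hash-and-compare login check
# the article describes, plus a defender's audit that tests a stored hash
# against a wordlist to see whether the password would fall to a dictionary
# attack. Unsalted SHA-256 is used only for illustration; real systems add
# a per-user salt and a deliberately slow hash (bcrypt, scrypt, Argon2).
import hashlib
from typing import Dict, List, Optional

def hash_password(password: str) -> str:
    """What the system stores instead of the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def verify_login(stored_hash: str, attempt: str) -> bool:
    """Login: hash the supplied password and compare with the saved hash."""
    return hash_password(attempt) == stored_hash

def dictionary_audit(stored_hash: str, wordlist: List[str]) -> Optional[str]:
    """Return the word that reproduces the hash, or None if the wordlist
    does not contain the password (i.e. a dictionary attack would fail)."""
    for word in wordlist:
        if hash_password(word) == stored_hash:
            return word
    return None

# Constructed wordlist: the common passwords the article lists.
WORDLIST = ["god", "welcome", "love", "sex", "secret", "unknown", "default"]

def audit_accounts() -> Dict[str, Optional[str]]:
    """Constructed accounts: one uses a dictionary word, the other the
    first letters of a phrase (the article's PMBWFDLJ)."""
    stored = {"alice": hash_password("welcome"),
              "bob": hash_password("PMBWFDLJ")}
    return {user: dictionary_audit(h, WORDLIST) for user, h in stored.items()}

if __name__ == "__main__":
    print(audit_accounts())   # alice falls to the wordlist, bob does not
```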

5. You must use a different password for every computer that requires one.

Why you should:

The most important reason is that you have no way of knowing what kind of security exists on a web site. Not all computer systems provide the same level of security for their passwords. If someone gains access to your password from a weak system, they can use it to masquerade as you elsewhere. Can you say "Identity Theft"?

Why you shouldn't:

It is not unusual for people today to work with several separate computer systems, and these systems often demand passwords for authentication. Some people end up with dozens of separate computer accounts which, according to this rule, would each require their own password. Few people have a memory proficient enough to keep all of those passwords straight.

6. Passwords must be replaced periodically.

Why you should:

If an attacker has access to your password and abuses it, you will prevent further abuse once the password has been changed. If an attacker mounts a systematic trial-and-error attack on your existing password, changing to another password means the attacker has to start all over again.

Why you shouldn't:

People are more likely to remember something they use regularly. If they have to change their password regularly, then they're constantly working at memorizing a new one. This leads them to write the passwords down.

When people are forced to choose a new password periodically, they often do so by inserting a number into the password. For example, a lazy user might create candy1bar, candy2bar, candy3bar and so on. Attackers can easily guess the current password if they intercept one of these "expired" passwords. This practice greatly reduces the security of periodically replacing a password.

7. Never use the same password twice, especially when periodically changing your password.

Why you should:

Human history has shown that secrets often fail to remain secret for long. Therefore, it's prudent to change from one password to another from time to time. Change your password about every six weeks. Trial-and-error attacks on passwords take time, and you can outsmart some hackers if you change your password before they've tried all of the possibilities. If their attack is against a cryptographically protected copy of your password, then they'll have to start the attack all over again.

Why you shouldn't:

Since people have a hard time remembering random bits of information over long periods of time, some of them will write down these new passwords. This often produces a list, and the list is usually stored somewhere that's easy to find. Some people put a Post-it sticker on their monitor with the password on it. They may as well post a sign saying "Welcome Thieves".

People who don't keep a list will often use a sequence of passwords as illustrated in the candy1bar example above. If a hacker intercepts one of these, he or she can easily guess the correct password even if it was changed several times since being stolen.
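An added example, not from the article, of a password-change check a system could run to reject the candy1bar, candy2bar pattern from item 6 and the outright reuse item 7 warns against. The function names and the sample passwords are hypothetical; the variant check compares against the password being replaced, which the user has just typed, while older passwords are kept only as hashes.

```python
# Added example (not from the article): a password-change check that
# rejects "candy1bar -> candy2bar" style variants (item 6) and reuse of an
# earlier password (item 7). Names and sample passwords are hypothetical.
import hashlib
import re
from typing import Dict, List

def _skeleton(password: str) -> str:
    """Strip digits and case so candy1bar, Candy2bar and candy3BAR match."""
    return re.sub(r"\d", "", password).lower()

def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` differs from `old` only by digits or letter case,
    i.e. someone holding `old` could guess `new` in a handful of tries."""
    return _skeleton(old) == _skeleton(new)

def _h(password: str) -> str:
    """Hash used to remember past passwords without storing them in clear."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_new_password(new: str, current: str, past_hashes: List[str]) -> str:
    """Decide on a proposed password at change time. `current` is the
    password being replaced (the user just supplied it), so a plaintext
    comparison is possible; older passwords are known only by hash."""
    if new == current or _h(new) in past_hashes:
        return "reused"
    if is_trivial_variant(current, new):
        return "variant"
    return "ok"

def demo() -> Dict[str, str]:
    """Constructed history: the user once had candy1bar, now has candy2bar."""
    past = [_h("candy1bar")]
    return {
        "bump": check_new_password("candy3bar", "candy2bar", past),
        "reuse": check_new_password("candy1bar", "candy2bar", past),
        "fresh": check_new_password("PMBWFDLJ", "candy2bar", past),
    }

if __name__ == "__main__":
    print(demo())
```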

Password Tip: To create and easily remember a long, "nonsense" password, take a phrase or sentence and use only the first letter of each word. I once used PMBWFDLJ as my password. It stood for "Pack My Box With Five Dozen Liquor Jugs".

This is a superior technique for creating long passwords without using dictionary words. A bonus is that they are easy to remember. A clever thief could obviously run an attack against a list of common phrases, proverbs or sayings, so it pays to be obscure.

An anonymous hacker says "system operators generally prefer God as a password. Women over fifty tend to use the names of pets, children, or grandchildren." That is how some of us practically invite hackers in. Curiously, "welcome" is a common password used by many web-hosting clients.

In addition to God and welcome, the five most commonly used passwords are "love, sex, secret, unknown, and default".

Forty percent of all passwords can be cracked within three minutes. Creating good passwords and changing them frequently is paramount for your security. This is fine for your personal security, but what happens if you become incapacitated or die? Will your spouse or heirs be able to access important information and have access to funds for day-to-day expenses? You may want to make up a list of accounts and passwords and keep them in a safe place, known only to those who need to know in case you are no longer able to function. Prudent people have life insurance to protect loved ones who depend on them. Should they not have the foresight to provide password "insurance" as well?


Copyright 2003. This article is from the June 2003 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL 34277-1889. Permission to reprint is granted only to other non-profit computer user groups, provided proper credit is given to the author and our publication. We would appreciate receiving a copy of the publication the reprint appears in; please send it to the above address, Attn: Editor. For further information about our group, email: admin@spcug.org, Web: http://www.spcug.org/

The Sarasota Personal Computer Users Group, Inc. has 1,100+ members and was established in 1982. We are members of the Assoc. of PC User Groups (APCUG), the Florida Assoc. of PC Users Groups, Inc., and we are members of the America Online Ambassador Program.