Password Security
Copyright (C) 08/1995 by Howard Fuhs
Passwords or Personal Identification Numbers (PINs) are supposed to increase data security, access control and access protection through the consistent use of these simple measures. Despite this, users often consider passwords cumbersome entities to be dealt with in the simplest manner possible: written on a Post-it sticker and attached to the monitor of the computer to which the password provides access. Wicked tongues even claim that this is the real reason Post-its were invented in the first place.
Likewise, PINs are often found written on credit cards and Eurocheque guarantee cards.
Another weakness is the use of passwords that are far too simple, e.g. QWERTY, 12345 or the name of the user, as well as the use of the same password for access to different computers or services available to the user in different networks. Thus, when introducing password protection in an organisation it is necessary to introduce password management at the same time, in order to ensure the efficiency and security of the password protection.
When leaving it to the user to choose his own passwords it is necessary to introduce and publish a password policy document which must at least cover the following items:
- Which characters are allowed in a password. Are only letters allowed, or also digits and special characters?
- The minimum length of a password. The absolute minimum that can be recommended is a length of five characters, and that is a floor rather than a target: every additional character multiplies the number of combinations an attacker has to try.
- The maximum length of a password. A maximum length of 30 characters is reasonable in most cases.
- Does the system distinguish between capital and lower case letters? It should, because this simple measure increases the number of possible combinations immensely at no cost to the user.
- Is a combination of digits, letters and special characters merely allowed, or is it mandatory? Although passwords consisting of letters alone can be made very secure, experience shows that they most often are not when chosen by humans, so it is recommended to mandate at least a combination of letters and digits.
- Definition of invalid passwords, i.e. which passwords users are not allowed to use (their name, etc.).
- The validity period of a password, in other words how long a user may keep a password before having to choose a new one. Forcing users to change their passwords every 30 to 90 days satisfies most security requirements.
- A minimum password cycle time, i.e. how long must have passed before a password may be reused. In secure environments a password should never be reused, and users should under no circumstances be allowed to alternate between a small set of passwords.
Without an organisation-wide password policy it is impossible to establish and continually maintain sensible password security.
User training must also be placed in the foreground in the case of password security, because it is the user who has to turn the password policy into action. Even the best security measures do not help if they are not rigidly implemented and adhered to by the users. As part of regular user education it must be explained why each password policy statement has been introduced, how passwords are handled correctly, and which particular measures should be observed, particularly to counter things such as social engineering. A list briefly stating the points in question is useful for this purpose. New employees must go through this basic security awareness training before being allowed an account on the corporate network. The training must stress that passwords are not to be written down on stickers or anywhere else where they can easily be discovered by others.
The so-called log-in scripts for local area networks constitute a great risk, which is still largely unknown in corporations. Log-in scripts are designed to facilitate the log-in process when connecting to a network. While logging in manually requires the user to memorise his name, user ID, password and perhaps even network details, a log-in script can automate this process without the user having to supply any information at all. Such scripts are open to various types of misuse aimed at gaining unauthorised access to user accounts. A Compuserve account serves as a clear illustration of the dangers.
In order to make it as easy as possible for the user to operate the network software, information such as user name, user account number, access telephone number and user password is specified once and for all in the setup procedure. The fact that passwords are displayed on the screen as a row of asterisks or something similar says nothing about the password storage security built into the system, if any.
All this information is stored in the CIS.INI file, where it is available to a range of programs such as NavCIS, WinCIM, DOSCIM, OS/2CIM, TapCIS, OZCis and the Compuserve dialler providing access to the Internet. In other words, whoever is able to steal the single file CIS.INI has full access to the Compuserve account of the person it was stolen from.
In the file CIS.INI only an "encrypted" version of the password is stored. It is nevertheless possible to retrieve the password in clear text: the access program itself must be able to undo the encoding in order to log in, so the encoding is reversible by its very nature. On underground sites on the Internet, programs are available that decode the password from CIS.INI files and display it on the screen. Also check out the show command in the script language used with Compuserve access programs.
Once the thief has a valid password and the user name it belongs to, he may gain access to many other interesting things, if the user fails to follow the rule of having different passwords for different applications.
It is important to remember in this connection that even if the CIS.INI file is deleted from the disk in a computer, e.g. before the computer is sent to a service company for repair, a simple undelete command is sufficient to recreate the file unless the physical disk space occupied by it has been overwritten. This is also true for information on diskettes.
Computers that are allowed to boot without a password being required constitute a particularly nasty problem. Anybody can switch on the computer and use the network services accessible from it, with the log-in scripts providing the access. No special hacking knowledge is required.
The remarks made here are valid for all software using log-in scripts to establish network access. They are true e.g. for the Internet access software Access Kit supplied with the OS/2 operating system, for the Microsoft Network access software supplied with Windows 95 and for the popular Winsock software used by many to access the Internet.
To prevent misuse of log-in scripts only two methods are practical. Either users must refrain from using log-in scripts containing passwords, and instead type these by hand when logging onto a service, or the computer must be secured by means of access control software requiring the user to log in with a password before the computer starts at all. In systems requiring a higher security level than this, data encryption can be employed in addition.
Users with many accounts in particular display a tendency to use the same password for all of them, so that it is sufficient for an intruder to discover one password to obtain access to all the accounts. These one-for-all passwords are used mostly because it is easy for the user to remember a single password: there is no need to remember many passwords and, not least, which password belongs with which service. In order to prevent the use of the same password for several services it is indispensable to furnish users with some kind of password administration system enabling them to manage their passwords securely.
A password management system must be able to produce an individual password for each account to which the user has access. The passwords must be possible to remember. They must adhere to the password policies of the organisation. The link between an account and the corresponding password must be failsafe, and the user must be able to regenerate forgotten passwords with the assistance of the password management system. The user must be aware of the need to keep access to the password management system secret, so that no one can gain access to it and steal the passwords it contains.
A password management system using ID tokens is just about as secure as they currently come. This type of system uses a small credit-card-sized, calculator-like device that generates passwords based on factors such as the date, the time of day or other factors. These passwords are only valid for a certain span of time, ranging from around one minute to several days. The same algorithm used to generate the passwords in the token is used in the computer protection software to verify the validity of the password.
ID token systems offer many advantages. They relieve the user of having to remember passwords, because essentially a new password is used for each log-in. This makes it easy to use more secure passwords: long passwords with unintuitive, by and large random character combinations that are impossible to guess. These passwords are just a jumble of capital and lower case letters, special characters and numerical digits with no apparent meaning. Because passwords only live for a brief period of time in these systems, there is no longer any point in writing them down (except of course for determined attackers, who collect them to see whether there is a pattern in the passwords enabling them to crack the algorithm and thus predict the next password to be generated. Fortunately few organisations are attacked at that level).
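The token-and-host exchange described above, as an added example in Python. This is not code from the article or from any token product: it assumes that token and host share a secret key and a clock, derives the password for the current time window with a keyed hash (HMAC-SHA256, chosen here for the illustration), lets the host accept one window of clock drift, and makes the host refuse any counter it has already consumed, so that a password captured on the wire cannot be replayed. The one-minute window, the eight-character length and the 64-symbol alphabet are assumptions made for the example.

```python
"""Time-based one-time passwords shared between a hand-held token and the
verifying host.  Added example; the secret, window and alphabet are assumed."""
import hashlib
import hmac
import secrets

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789!#")        # 64 symbols, so byte % 64 picks one without bias
PASSWORD_LEN = 8
WINDOW_SECONDS = 60                # a fresh password every minute

def _password_for_counter(secret: bytes, counter: int) -> str:
    # Keyed derivation: without the secret, a pile of observed passwords says
    # nothing about the next one.
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:PASSWORD_LEN])

def token_password(secret: bytes, unix_time: int, window: int = WINDOW_SECONDS) -> str:
    """What the token displays during the window that contains unix_time."""
    return _password_for_counter(secret, unix_time // window)

class HostVerifier:
    """Host-side check.  Accepts the current window plus `drift` windows on either
    side to tolerate clock skew, but never a counter at or below the last one
    used, so a captured password cannot be replayed within its window."""

    def __init__(self, secret: bytes, window: int = WINDOW_SECONDS, drift: int = 1):
        self.secret, self.window, self.drift = secret, window, drift
        self.last_accepted = -1     # highest counter already consumed by a log-in

    def verify(self, presented: str, unix_time: int) -> bool:
        base = unix_time // self.window
        for counter in range(base - self.drift, base + self.drift + 1):
            if counter <= self.last_accepted:
                continue            # replay, or older than a password already used
            if hmac.compare_digest(_password_for_counter(self.secret, counter), presented):
                self.last_accepted = counter
                return True
        return False

def demo() -> tuple:
    """Token and host provisioned with the same secret: one good log-in, then a
    replay of the same password, then a password from five windows ago."""
    secret = secrets.token_bytes(32)           # provisioned into token and host
    host = HostVerifier(secret)
    now = 808_000_000                          # some fixed moment in 1995
    pw = token_password(secret, now)
    accepted = host.verify(pw, now)            # True: fresh, current window
    replayed = host.verify(pw, now + 10)       # False: counter already consumed
    stale = host.verify(token_password(secret, now - 5 * WINDOW_SECONDS), now + 60)
    return accepted, replayed, stale           # (True, False, False)
```

The secret is the whole game: the displayed passwords are worthless to the attacker in the parenthesis above as long as it stays inside the token and the host's database, which is why that database deserves the same protection as any password file.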
The use of dongles or smart cards (or chip cards, as they are also called) employs the principles of possession and knowledge. It is not sufficient to know a password or PIN, or to possess the smart card, in order to gain access to the service: you must both have the smart card and know the password. Dongle-based systems are no longer in widespread use but are mentioned for the sake of completeness.
Smart cards are of considerably more interest because they open new possibilities for password management. Whereas a password used to verify access normally has to be stored on a storage medium in a computer, smart cards lend themselves admirably to on-card storage of passwords, removing the need to keep a vulnerable password database in a computer system. Smart cards are also extremely resistant to data manipulation and thus well suited as the base of highly secure access systems.
All modern PC BIOSes provide some sort of password protection, enabling users to specify passwords that must be keyed in even before the computer starts an operating system. This password mechanism lives in the hardware-based basic input/output system stored in read-only memory chips in the computer, so the mechanism itself is incorruptible as long as no hardware changes are made. Unfortunately the password itself, together with the flag telling the BIOS to ask for a password at start-up in the first place, is stored in a so-called CMOS chip. This is a small chip that depends on a battery on the computer motherboard to keep its contents intact. It is the same chip which stores information such as the size and configuration of the hard disks present in the computer. Even if the battery is removed or discharged, a capacitor is able to maintain the CMOS information for a while. However, on most motherboards two small pins can be found which serve to erase all CMOS information quickly by simply short-circuiting them.
Thus, for someone who knows what to do it is a matter of a few minutes to open the computer and remove the BIOS password protection. Formerly, having removed the password, it was necessary to find out which types of hard disk drives the computer used in order to re-establish the configuration information required to access the drives. Nowadays, however, many BIOSes contain an "auto-detect" feature that performs this work automatically, so in practice a knowledgeable intruder is up and running within ten minutes, having bypassed the BIOS password.
Incidentally, some AMI-BIOS'es default to the password "AMI"...
As illustrated it is not advisable to depend on the BIOS password protection mechanism, unless physical access to the computer housing can be prevented.
From a certain company size upwards, or wherever sensitive data are handled, it is advisable to introduce proper password management in the organisation. Password Policies establish the rules guiding the use of passwords in the organisation: which characters may or must be used in passwords, the minimum length of passwords, which password types are forbidden, etc. Password Management serves to enforce the policies, to administer user access control and possibly to generate and/or distribute passwords.
Let us take a closer look at some of the components of Password Policies and Password Management.
In the framework of password management it is indispensable to define which types of passwords it is not permitted to use. A good password management system should contain an expandable database of forbidden passwords, which it will automatically prevent users from selecting.
In larger organisations this database may have thousands of entries, covering types like these:
- Lexicographic passwords, which are easy to guess by simply using a dictionary and trying all grammatical forms of all the words in it.
- Any combination of the names and/or initials of the user.
- Any other user-specific, publicly accessible information such as the licence plate of the user's car, his address, or his mother's maiden name.
- Company names or addresses.
- Product names or trade marks associated with the company or organisation.
An assortment of cracker dictionaries can easily be found in the computer underground. They contain very long lists of passwords used as defaults by computer and software manufacturers, and of frequently used passwords (e.g. the names of popular film stars, or "Chicago" for access to Windows 95 systems; Chicago was the working name given to the Windows 95 operating system by Microsoft during its development). Some of these should be merged into the list of forbidden passwords. Most are simple ASCII files, so this is easily done.
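The following is an added checker, in Python, that turns the policy points listed earlier (allowed characters, length bounds, mandatory letter/digit mix, no reuse, expiry) and the forbidden-password categories of this section into code. It is written for this edition and is not a program from the article; the limits, the handful of dictionary and company words and the user record are constructed, and the table of digit-for-letter substitutions is deliberately crude. A real installation would replace DICTIONARY with the merged cracker word lists.

```python
"""Password policy and forbidden-password checker.  Added example; the word
lists, limits and user record are constructed for the illustration."""
import re
import string
from datetime import date, timedelta

ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)
MIN_LEN, MAX_LEN = 5, 30           # the limits given in the policy list
MAX_AGE_DAYS = 90                  # upper end of the 30 to 90 day validity

# Constructed forbidden lists.  A real installation merges the cracker
# dictionaries (plain ASCII word lists) into DICTIONARY.
DICTIONARY = {"secret", "password", "chicago", "welcome", "letmein", "dragon"}
COMPANY_WORDS = {"acme", "widgetmaster"}              # company, product, trade-mark names
SUFFIXES = ("", "s", "es", "ed", "ing", "er", "ers")  # crude "grammatical forms"
LEET = str.maketrans("013457@$", "oleastas")          # undo 0->o, 1->l, 3->e, ... (crude)
FORBIDDEN = {w + s for w in DICTIONARY | COMPANY_WORDS for s in SUFFIXES}

# Constructed user record: the data a forbidden-password check needs to know.
EXAMPLE_USER = {"first": "Erika", "last": "Mustermann", "plate": "M-EM 1234",
                "street": "Heidestrasse", "maiden": "Gabler"}

def cores_of(pw: str) -> set:
    """Lower-cased password without leading/trailing digits and punctuation,
    with and without digit-for-letter substitutions undone, so 'Dr4gons99!'
    is compared as 'dragons'."""
    stripped = pw.lower().strip(string.digits + string.punctuation)
    return {stripped, stripped.translate(LEET)}

def name_forms(user: dict) -> set:
    first, last = user["first"].lower(), user["last"].lower()
    initials = first[0] + last[0]
    return {first, last, first + last, last + first, initials,
            initials + last, first[0] + last, first + last[0]}

def alnum(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.lower())

def check_password(pw: str, user: dict, history: list) -> list:
    """Policy violations of a candidate password; an empty list means accepted."""
    problems = []
    if not set(pw) <= ALLOWED:
        problems.append("contains characters outside the allowed set")
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must combine letters and digits")
    cores = cores_of(pw)
    if cores & FORBIDDEN:
        problems.append("dictionary word, company or product name")
    names = name_forms(user)
    variants = (pw.lower(), pw.lower().translate(LEET))
    if cores & names or any(n in v for n in names if len(n) >= 4 for v in variants):
        problems.append("derived from the user's name or initials")
    personal = [alnum(user[k]) for k in ("plate", "street", "maiden") if user.get(k)]
    if any(p and p in alnum(pw) for p in personal):
        problems.append("contains personal details (car plate, address, mother's maiden name)")
    if pw in history:
        problems.append("was used before; passwords are never reused")
    return problems

def password_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Run at each log-in: force a change once the password is older than allowed."""
    return today - last_changed > timedelta(days=max_age_days)
```

Note that the check strips trailing digits and punctuation before the dictionary lookup: "Secret123" satisfies the letter/digit rule and is still a dictionary word with a number stuck on, which is exactly what the cracker dictionaries try first.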
Any computer system requires more or less regular maintenance and service. If this is carried out by internal staff the necessary accounts already exist and are managed. Things look quite different when maintenance work is performed by external contractors. In this case special accounts must be established for the technicians. These accounts should be as limited in their access permissions as feasible, and they should be very closely policed. If only one service account is required it should be established by the system manager, using the name of the external service technician and a temporary password. This password should expire automatically by the end of the day, irrespective of the total duration of the work at hand. If the work stretches across several days, the system manager must issue a new password each day. This is quite important, because experience shows that it is often forgotten to revoke temporary passwords when the work is finished. It is also important because leaving a temporary password valid overnight gives crackers a whole night to break into the system from the outside using a known password, issued to a person not necessarily bound by company policies or loyalty.
It has often been seen that some 50 valid passwords used for service access at one time or another still exist on a computer system because someone forgot to delete these temporary accounts, some of which may have very extensive permissions. A good access control system should be able to automate this procedure, so that temporary accounts automatically lose their validity after 8 to 10 hours of existence.
In the case of centralised password management, so-called password generators are often used. These are programs which generate valid passwords using a pseudo-random generator, based on a predefined character set and predefined rules regarding password length, the number of individual words in case passphrases are used, and a number of other criteria. Using password generators it is possible to generate passwords that comply with company policies, are complex, are neither duplicated nor repeated, and are not on the list of forbidden passwords. The quality of the random source matters: a generator seeded from something predictable, such as the time of day, produces a small set of candidate passwords that an attacker who knows the program can simply enumerate.
The disadvantage of using a password generator to create passwords for use by humans is that they are difficult to remember, unintuitive and unpronounceable. Thus, they invariably end up written down on Post-it stickers.
Password generators serve a useful purpose in highly secure systems, where staff are specially trained in things like committing sequences of 50 random characters to memory and reproducing them flawlessly when woken at 2 a.m., and in fully automatic systems in which the passwords are not used by humans.
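An added example, in Python and not from the article, of the two kinds of generator discussed here: a uniformly random generator over a predefined character set, suited to service accounts and automated systems, and a pronounceable variant built from consonant-vowel syllables for people who must remember the result. Both draw from the operating system's cryptographic random source, so the output cannot be predicted from a seed, and both reject candidates that fail a compact policy check. The character set, the syllable scheme, the lengths and the forbidden list are assumptions; the two entropy functions make the trade-off explicit.

```python
"""Random and pronounceable password generators with a compact policy check.
Added example; character sets, lengths and the forbidden list are assumed."""
import math
import secrets
import string

CHARSET = string.ascii_letters + string.digits + "!#$%&*+-=?@"   # 73 symbols
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"
FORBIDDEN = {"password", "secret", "chicago", "welcome"}   # constructed; merge real lists here

def acceptable(pw: str, min_len: int = 8) -> bool:
    """Compact policy check: length, letters plus digits, not a forbidden word
    with digits or punctuation tacked on the end."""
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return len(pw) >= min_len and has_alpha and has_digit and base not in FORBIDDEN

def random_password(length: int = 12) -> str:
    """Uniformly random over CHARSET; for service accounts and automated systems.
    secrets.choice uses the OS random source, not a seedable PRNG."""
    while True:
        pw = "".join(secrets.choice(CHARSET) for _ in range(length))
        if acceptable(pw):
            return pw

def pronounceable_password(syllables: int = 3, digits: int = 2) -> str:
    """Consonant-vowel(-consonant) syllables, one capital letter, trailing digits:
    something a person can say to themselves instead of writing it down."""
    while True:
        word = ""
        for _ in range(syllables):
            word += secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
            if secrets.randbelow(2):
                word += secrets.choice(CONSONANTS)
        i = secrets.randbelow(len(word))
        word = word[:i] + word[i].upper() + word[i + 1:]
        pw = word + "".join(secrets.choice(string.digits) for _ in range(digits))
        if acceptable(pw):
            return pw

def entropy_bits_random(length: int = 12) -> float:
    """Guessing work for the random form: every position is one of 73 symbols."""
    return length * math.log2(len(CHARSET))

def entropy_bits_pronounceable(syllables: int = 3, digits: int = 2) -> float:
    """Guessing work for the pronounceable form, ignoring the capital letter:
    each syllable is CV or CVC, then the digits."""
    per_syllable = len(CONSONANTS) * len(VOWELS) * (1 + len(CONSONANTS))
    return syllables * math.log2(per_syllable) + digits * math.log2(10)
```

With the defaults the random form carries about 74 bits and the pronounceable form about 39 bits, which is the price of memorability: a pronounceable password needs to be considerably longer to offer the same resistance to guessing, and it still belongs behind a rate limit and a log.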
Neither the user nor the system administrator can normally influence how passwords are stored in the systems they protect. This is handled by the access control program in use. It is thus indispensable, before purchasing access control software, to ensure that the password database is sufficiently well protected. Methods such as the log-in scripts described above are not suited to create company-wide password protection. It is very important to understand which type of encryption is used, and which additional methods the software implements to ensure password security and integrity. For example, a simple XOR encryption cannot provide a reasonable security level in any application. And a password that the system only ever needs to verify, never to recover, should not be stored in reversible form at all, but as a salted one-way hash.
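The XOR point above, made concrete in an added Python example. The scheme, the fixed key and the two-user "INI file" are invented for the illustration and are not the CIS.INI format or code from any product. It shows that a fixed repeating key is recovered from a single known password (one the attacker set himself on an account he controls), after which every other password masked with the same key falls; the second half stores only a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the standard library), which lets a system verify a password without being able to give it back.

```python
"""Repeating-key XOR 'encryption' of stored passwords, broken with one known
password, beside verify-only storage.  Added example; key and data invented."""
import hashlib
import hmac
import os

OBFUSCATION_KEY = b"\x5a\xa5\x3c"   # fixed key baked into the client program (invented)

def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(known_plain: bytes, known_cipher: bytes, key_len: int) -> bytes:
    """One known plaintext/ciphertext pair gives the key outright.  The key
    length is known here because the attacker has the client program; without
    it, short repeating keys are found by trying the few plausible lengths."""
    return bytes(p ^ c for p, c in zip(known_plain[:key_len], known_cipher[:key_len]))

def demo() -> tuple:
    """Constructed 'INI file' with two users' passwords masked under the same key.
    The attacker owns the bob account (so knows that password) and stole the file."""
    stored = {"alice": xor_obfuscate(b"Tr0ub4dor&3", OBFUSCATION_KEY),
              "bob": xor_obfuscate(b"correcthorse", OBFUSCATION_KEY)}
    key = recover_key(b"correcthorse", stored["bob"], len(OBFUSCATION_KEY))
    return key, xor_obfuscate(stored["alice"], key)   # (OBFUSCATION_KEY, b'Tr0ub4dor&3')

# Verify-only storage: the system can check a password but never recover it.
def make_record(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])   # constant-time comparison
```

The salted hash does not rescue a weak password: whoever steals the record can still try guesses offline. The salt and the iteration count only make each guess cost more and stop one precomputed table from cracking every account at once, which is why the forbidden-password list and the policy remain necessary.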
Any attempt, whether successful or not, to gain access to a network should automatically be logged. The logs must record which user logged in and when. For unsuccessful attempts, the (possibly fake) user name employed in the attempt must be logged as well. Logging the rejected password too is double-edged: a failed attempt is frequently a valid password with a typing error, so such a log would have to be protected as strictly as the password database itself. The log files must be stored where they cannot be reached from the normal network (e.g. by using a printer port to print to some old 286 languishing under a ton of dust in a remote corner). It is normally fairly easy to scan log files for abnormal incidents automatically by means of a script (e.g. in Perl). This must be done on a regular basis, e.g. a few times per day, or even in real time in the case of a high-security installation. In that case the log scanning software is often able to send alarms to a pager, so that information security staff can be alerted immediately.
Log files are indispensable when it comes to discovering a possible attack, and in fact often the only way to do so, because hackers leave few if any other traces. The logs make it possible to see which passwords were used in attacks, when they were made, often from where they originated (or at least seem to originate), and whether they were successful. Potent stuff, log files!
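The log scan described above, as an added Python example rather than a script from the article. The log format (timestamp, result, user name, origin) and the sample lines are constructed for the illustration; only user names are recorded for failed attempts. The scan keeps a sliding window of failures per origin and per account, raises an alarm when a burst crosses a threshold, and raises a second, more serious alarm when a successful log-in follows such a burst, which is the signature of password guessing that paid off.

```python
"""Scan a log-in log for bursts of failures and for successes that follow them.
Added example; the log format and the sample lines are constructed."""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts result user origin")
Alarm = namedtuple("Alarm", "ts kind key detail")

LINE = re.compile(r"^(\S+ \S+) (SUCCESS|FAIL) user=(\S+) from=(\S+)$")
THRESHOLD = 5                    # this many failures ...
WINDOW = timedelta(minutes=10)   # ... within this span raise an alarm

# Constructed sample log: one account enumeration from an external gateway, one
# guessing attack against a single account that eventually succeeds, and two
# ordinary log-ins (one with a single typo) that must not raise anything.
SAMPLE_LOG = """\
1995-08-12 08:01:12 SUCCESS user=ajones from=ws-14
1995-08-12 22:40:05 FAIL user=root from=ext-gw
1995-08-12 22:40:11 FAIL user=admin from=ext-gw
1995-08-12 22:40:18 FAIL user=guest from=ext-gw
1995-08-12 22:40:25 FAIL user=test from=ext-gw
1995-08-12 22:40:33 FAIL user=operator from=ext-gw
1995-08-13 02:14:03 FAIL user=hfuhs from=dialin-07
1995-08-13 02:14:09 FAIL user=hfuhs from=dialin-07
1995-08-13 02:14:16 FAIL user=hfuhs from=dialin-07
1995-08-13 02:14:24 FAIL user=hfuhs from=dialin-07
1995-08-13 02:14:31 FAIL user=hfuhs from=dialin-07
1995-08-13 02:16:30 SUCCESS user=hfuhs from=dialin-07
1995-08-13 09:05:44 FAIL user=ajones from=ws-14
1995-08-13 09:05:58 SUCCESS user=ajones from=ws-14
"""

def parse(line: str) -> Event:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Event(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                 m.group(2), m.group(3), m.group(4))

def scan(text: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> list:
    alarms = []
    recent = defaultdict(deque)   # key -> failures inside the sliding window
    flagged = {}                  # key -> time of the last burst alarm
    for ev in (parse(l) for l in text.splitlines() if l.strip()):
        keys = (("origin", ev.origin), ("user", ev.user))
        if ev.result == "SUCCESS":
            hot = [k for k in keys if k in flagged and ev.ts - flagged[k] <= window]
            if hot:   # a burst of failures, then a success: treat as compromise
                alarms.append(Alarm(ev.ts, "success_after_burst", hot[0],
                                    f"{ev.user} logged in from {ev.origin} after a burst of failures"))
                for k in hot:
                    del flagged[k]
                    recent[k].clear()
            continue
        for key in keys:
            q = recent[key]
            q.append(ev)
            while ev.ts - q[0].ts > window:
                q.popleft()
            if len(q) >= threshold and (key not in flagged or ev.ts - flagged[key] > window):
                flagged[key] = ev.ts
                tried = sorted({e.user for e in q})
                alarms.append(Alarm(ev.ts, "burst", key,
                                    f"{len(q)} failed log-ins within {window}; users tried: {', '.join(tried)}"))
    return alarms
```

Keying the window both by origin and by account matters: the enumeration from ext-gw never fails the same account twice and would be invisible to a per-account counter, while a guessing attack spread over many dial-in lines would be invisible to a per-origin counter. Note that for a cleartext log in the shape of the sample, the third field is the very information the text says must be scanned for.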
Social engineering is in much more widespread use and much more dangerous than is commonly assumed. Briefly explained, social engineering is a method of obtaining (confidential) information which would not normally be given, by using a false but trust-inspiring identity and an unsettling pretence of urgency. The assumed identity is often one of authority, corporate or public, and the person attacked is one who can be forced or talked into divulging information by this type of tactic. Given the right approach, most people can.
The information sought may be passwords, user IDs, dial-up telephone numbers and account numbers.
Training and good management are the countermeasures against social engineering. Management, to make sure that confidential information in fact never has to be given by telephone, no matter to whom and for what reason, even in the case of service accounts. Training, to increase general security awareness, to make staff understand that they must never divulge passwords to others, and also that they should not seek information they do not need and, if they come across such information by accident, should learn to forget it.
Really understanding and learning to use the "need to know" principle is fundamental to any kind of information security.