Open source software security

Password Protection

by: Justin
Updated August 1, 2008

Single factor authentication is the most common form of authentication used in computer security today. It checks a single "thing," typically something you know, to verify a user's identity, and that is its biggest weakness: because it checks something you know, it is conceivable that someone else knows this thing as well. Passwords are probably the best form of single factor authentication. Some platforms stack several single factors, asking you to enter information like a mother's maiden name, birth date, or other "known" information for identity verification. These are horrible mechanisms for authentication because they are static: if an attacker learns this information, the user cannot change it. A password is transitory; it can be, and should be, changed, unlike a birth date.

There are two main vulnerabilities for password security. The first is sniffing network traffic: an attacker installs custom software on a computer connected to a network that carries password authentication and attempts to snare passwords in transit. Several solutions to this problem exist. The most effective means to guard against password sniffing is encryption, and SSL and SSH provide encryption for data in transit. SSL use on a website protects all password transmission, so whenever you transmit a password, check that the site uses SSL by looking for the locked padlock icon in your browser and the "https" indication in the URL. Server challenge/response passwords are usually encrypted by the server, and these passwords are usually safe. In the past, stealing passwords off the network involved complex topological challenges for an attacker, but with the growth of wireless networks it is often enough that an attacker is within wireless broadcast range to sniff traffic. Listening to wireless traffic is a lot easier to do, harder to prevent, and harder to detect.

Attackers also steal passwords with keystroke loggers. These include keylogging software installed directly on a computer (often as part of a malware payload, such as a virus or worm) and hardware keystroke loggers. A hardware device is nearly impossible for the computer to detect, while a software keystroke logger can usually be uncovered by a good antivirus program.

Another common password stealing technique is social engineering, a low tech way of tricking a user into providing their credentials voluntarily. E-mail phishing attacks are a common example of a social engineering attack. Be extremely careful when telling anyone your username or password: don't announce it on your cell phone in a crowded place or give it to someone claiming to be a technician. Use discretion with your password to protect your account, and in many cases your identity.

The other major vulnerability to password security is brute forcing, or guessing, passwords. This is the most common and easiest way to crack password security, so it is imperative that users choose strong passwords. There are several DO's and DON'T's for choosing a strong password. When choosing a password:

  1. Make sure the password is not your user name
  2. Never use a dictionary word or a person's name
  3. Don't use leet speak (substituting numbers for letters)
  4. Never use a password that can be associated with you personally (a birthdate, social security number, pet's name, or mother's maiden name)
  5. Make sure your password is at LEAST 8 characters in length and includes upper case, lower case, numbers and special symbols
  6. Change your password every month or so
  7. DO NOT use the same password for more than one account (that way if one password is broken, your other passwords will be safe)
  8. NEVER send a password over unencrypted e-mail

A good way to choose a password is to pick two simple items that you can easily remember and separate them by your birth year, then follow or precede your password with a special character. For example:

Mets72Bush!

Is a relatively strong password and fairly easy to remember. Ideally a strong password resembles:

Wrt5y!7U?

But this is difficult to remember. One strategy for creating a really good password that is easy to remember is to create a phrase or sentence and use the abbreviation plus a few numbers to represent the sentence. For instance, I could create a great password using:

I was very disappointed with Kerry in the 2004 elections

With this sentence I can construct the password:

IwvdwKit2004e!

This is a pretty complex password: it is 14 characters long and includes upper and lower case letters, numbers and a special character! Keep in mind that if password security is all you use to protect your resources, you should make SURE you choose a good password.

If you are interested in password brute forcing or cracking, several freely available programs exist for the purpose. Download Brutus (a brute forcer), Ophcrack, or John the Ripper and see if your password stands the test. (For more password cracking tools see the list at SecTools.org.)

Many people wonder why they should make a long password or change their password. The idea is to defeat brute force attacks. Guessing a password isn't as tough as you would think, especially for a computer. Many password brute force programs will even try dictionary attacks, taking well known words and testing them against a password. Most passwords (in well designed systems) are not stored in plain text but as hashes (loosely, "encrypted"). This is why administrators often can't tell a user what his/her password actually is. A user enters their password and it is mathematically hashed to produce a series of random looking letters and numbers; this hash is what the system stores. Even if an attacker manages to steal the password store, they don't have the actual passwords, just the hashes. These, again, can be brute forced. The longer your password is, and the more "types" of characters you use (upper case letters, lower case letters, numbers, and symbols), the harder it is to crack the password through random guessing. If you use a long password with all the aforementioned types of characters, it becomes computationally infeasible to guess the password.
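As an added example (not code from the original article), the Python below checks a candidate password against rules 1, 2, 3 and 5 of the list above, estimates the random-guessing work this paragraph describes for the article's sample passwords, builds the sentence-abbreviation password, and shows why a system keeps hashes rather than passwords. The word list is a constructed stand-in for a real dictionary, and the salted PBKDF2 storage goes beyond what the article describes.

```python
import hashlib
import hmac
import math
import os
import string

# Constructed mini word list standing in for a real dictionary (not from the article).
WORDLIST = {"password", "mets", "bush", "letmein", "kerry", "summer"}
# Common leet-speak substitutions, reversed so "P@55w0rd" normalizes to "password" (rule 3).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}

def character_classes(pw):
    """Return the set of character classes the password uses (rule 5)."""
    def kind(c):
        return "lower" if c.islower() else "upper" if c.isupper() else "digit" if c.isdigit() else "symbol"
    return {kind(c) for c in pw}

def keyspace_bits(pw):
    """Work a random-guessing attacker faces, in bits: log2(alphabet ** length)."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet)

def policy_violations(pw, username):
    """Apply rules 1, 2, 3 and 5 from the article's list; return the rules broken."""
    problems = []
    if pw.lower() == username.lower():
        problems.append("same as user name")
    if pw.lower() in WORDLIST or pw.lower().translate(LEET) in WORDLIST:
        problems.append("dictionary word, possibly in leet speak")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(character_classes(pw)) < 4:
        problems.append("missing upper, lower, digit or symbol")
    return problems

def abbreviate(sentence):
    """Build the article's sentence-abbreviation password: first letter of each word, numbers kept whole."""
    return "".join(w if w.isdigit() else w[0] for w in sentence.split())

def store(pw, salt=None):
    """Store only a salted, slow hash (PBKDF2), never the plaintext; salting is beyond the article."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def verify(pw, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000), digest)
```

Running `keyspace_bits` on the three sample passwords shows the 14-character sentence password well ahead of both shorter ones, even though all three use every character class.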

Security News Portal reports that many people choose predictable, weak passwords. Almost half of the users polled for the report utilized passwords associated with their family (including pets). Celebrities also accounted for many of the passwords polled.