Good and Bad Passwords How-To
Basics of Password Encryption and Storage; Definitions of Terms
Password Encryption and Storage
Until the late 1980s, UNIX systems stored users' encrypted passwords,
usually referred to as hashes, in the file /etc/passwd. These
hashes are generated by using a user-entered, plain text
password as a key to an encryption algorithm. This encrypts a
constant and creates a unique gibberish string (hash), which is
saved. When the user next logs in, their password is passed
through the same encryption process, and if the result equals the
saved hash, the user is allowed entry since they provided the
correct password.
Though encryption algorithms have changed
over time and may differ from one operating system to the next and
the resulting hash is stored in different locations for different
operating systems, the basic approach is pretty much universal.
The encryption algorithms are one way. There is no known way
to take the hash and reverse the algorithm to derive the password.
If this is not true, then the algorithm is not suitable for hashing passwords.
Passwords can be guessed though. If a test password is passed
through the encryption algorithm and the resulting hash is the
same as the stored hash, then the password has been successfully
guessed.
Security of the Password Hashes
UNIX systems' /etc/passwd file is world readable. Anyone who
gains any kind of access to a machine can copy the passwd file
and move it off the system by any means that might be available
to them including e-mail, FTP, HTTP, NFS, scp, optical media, USB
stick, and others. The attacker can then attempt to crack
(systematically guess) passwords at their leisure; the methods will
be discussed later.
HTTP may seem an odd way to get a file off a
computer. It's actually quite attractive. The attacker only needs a
web server on one of their computers with a file upload script;
this is easy to set up. The attacker can run any text
browser on the attacked system; most Unix like systems have one or
more text browsers installed by default. This approach is more
likely to get past a tightly configured firewall than almost any
other method.
In the late 1980s, Sun began using a shadow password file which
was not world readable. The password hashes were no longer
placed in /etc/passwd but in the shadow password file, often
/etc/shadow, which should be readable only by root (the system
admin). The /etc/passwd file was retained with the other, less
sensitive information so that programs that needed the
non-password information could continue to run without modification
or special privileges. The few programs, such as login and passwd, that
actually need the password hash have special privileges so that
ordinary users can run them. Since about 2000, nearly all UNIX systems
use or can use shadow password files, though they may not be
called shadow. Any system that doesn't should be configured to
do so, upgraded or replaced.
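
One way to check a system for the problem described above, as an added example rather than code from the original page: it flags accounts whose password field in a passwd-format file still holds a hash or is empty, and tests whether a file mode grants anything to "other". The sample entries are constructed, and the function names and issue labels are assumptions.

```python
import os
import stat
from typing import List, Tuple

# Constructed sample in passwd(5) format; the alice "hash" is made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:ab01FAX.bQRSU:1000:1000:Alice:/home/alice:/bin/sh
bob::1001:1001:Bob:/home/bob:/bin/sh
broken-line
"""

LOCK_MARKERS = ("*", "!")  # conventional "no usable password" markers


def audit_passwd(passwd_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, account, issue) for entries that need attention."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), start=1):
        if not line.strip() or line[0] in "#+-":  # blanks, comments, NIS compat
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed-entry"))
            continue
        account, pw_field = fields[0], fields[1]
        if pw_field == "x" or pw_field.startswith(LOCK_MARKERS):
            continue  # hash lives in the shadow file, or the account is locked
        if pw_field == "":
            findings.append((lineno, account, "empty-password-field"))
        else:
            # Never echo the hash itself into audit output.
            findings.append((lineno, account, "hash-in-world-readable-file"))
    return findings


def world_accessible(mode: int) -> bool:
    """True if the file mode grants read, write or execute to 'other'."""
    return bool(stat.S_IMODE(mode) & stat.S_IRWXO)


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
    shadow = "/etc/shadow"  # common location; differs on some systems
    if os.path.exists(shadow):
        mode = os.stat(shadow).st_mode
        print(shadow, "world accessible:", world_accessible(mode))
```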
Windows NT systems never had the specific vulnerability of a
world readable password file. NT passwords are stored in part of
the registry known as the SAM. Passwords for Windows 2000 and later
Windows systems may be
stored in the SAM or the directory if Active Directory is
enabled. These are in continuous use, i.e. held open, by the
operating system as long as it's up, so the SAM or directory can
never be accessed as an ordinary file. They must be accessed
through an appropriate API, which is implemented in various
utility programs. Access to security sensitive information
typically requires system or administrator level access. NT's
successors, XP, Vista, Windows 7 and 8, and variously named servers
continue to use the same basic password storage approach as NT
and 2000. Though
Windows never had a problem similar to early Unix systems, nearly
everything else about Windows password storage is flawed in
other ways. I'm working on an update to the Windows Poor
Password Encryption page.
Though the current situation is better than on the early UNIX systems,
it's naive to think that the password files are secure just
because they can't be read by every user as an ordinary file. On
UNIX, anyone with root access can read the shadow password file
as an ordinary file, and on NT, regback from the NT Resource Kit
will make a perfect copy of the SAM while it's open by the
system. Also pwdump, a small free utility, can copy the account
and password hashes from the SAM to a text file that can be fed
to cracking programs. On newer Windows systems, other programs perform
similar functions. NT system recovery disks provide another
simple way to export the SAM data. The situation remains much the
same with more recent versions of Windows. On all Windows systems,
anyone with unattended access and a properly made Linux boot CD or
DVD can copy the accounts and password hashes to a USB stick or
have the necessary tools installed to use any of the methods
discussed above for Unix systems. The only requirement is that
the optical drive be set to allow booting; if not on, it
can be turned on in less than a minute on virtually all PCs.
If you
search the Internet for types of security attacks, about half the
results include network, Internet or a related word in the title.
Even in most of the articles that have nothing in their title related
to networks, there is little or no mention of physical security.
People forget, don't know, or are not interested (computer people
are technical and physical security tends not to be) that historically
most security compromises have come from the inside, employees or
contract personnel like cleaning crews that nearly always work
without supervision. This may be shifting somewhat but where
numbers can be found, the inside still represents more of a threat
than the outside; not all inside security issues are intentional.
In an article written sometime between 2008 and 2013 and titled
"Types of Security Threats", etutorials.org
wrote that the Computer Security Institute
found that of companies with security breaches, 60% came from
internal sources.
Staff with administrative access, who are not honest, can
easily provide the necessary account names and password hashes to
a potential intruder who has provided an appropriate inducement.
A departing administrator can take or transmit this information
and subsequently use it to crack passwords to which they would not
normally have had access. Whenever any computer or network
administrator leaves an organization,
all administrative account passwords should be changed on all systems
to which the departing administrator may have had access; this applies
to both Unix and Windows systems.
Generally, unless they are misconfigured, modern systems require that
a user or process already have root or administrative access before
the user account and password hash information can be obtained. As the
following examples show, this does not necessarily mean possession of
a valid root or administrator password and the ability to log in.
Most sites have some form of off-site backup storage. The backups
will have the necessary information, which is rarely protected by
anything other than the physical security of the backup media. Thus
off-site backups are as protected or vulnerable as the honesty and
procedures of the off-site storage company and its employees make
them.
Backups kept on-site will be as secure as the physical storage of
the media. A locked computer room loses much of its value if an
employee can pocket a tape or other removable media from an unsecured area. Backup
media should not be stored in immediate proximity of the machines
they backup, lest an event that compromises the machines also
compromises the backups. Backup media should be stored in a
physically separate but secured area.
Anyone with physical access to the hardware can obtain the
accounts and password hashes. UNIX systems can usually be booted to
single user mode and normally Windows systems can be booted
via a bootable CD or DVD as described above.
There are at least two classes of remote exploits that apply
to both UNIX and Windows systems. These are buffer overflows
that allow the execution of arbitrary code and application
or service level errors; the specifics are system
dependent.
Various services, usually running as root or system, have had buffer
overflow bugs on both UNIX and NT. Prior to 2001, there were more of
these on UNIX systems than on NT. In 2001, several worms and viruses
affected hundreds of thousands of Windows systems, exposing them to
remote administrative compromise. Wherever words like "execution
of arbitrary code" appear associated with buffer overflows, obtaining
the password hash information, either directly or indirectly, is at
least a theoretical possibility.
A good example of an application level bug is one that
allowed a remote user to send commands to sendmail that caused
sendmail to e-mail the /etc/passwd file to the remote user. Today
the most frequent application level errors are with poorly
configured web servers running buggy web applications. Most
often these result in defaced web sites, but depending on the
specifics of the misconfiguration and the bug, just about
anything is possible, including system or administrative level
compromises and exporting password hash data. The password hashes
may be those of the web server
itself, but often the web sites have much more valuable
password files, as LinkedIn.com and recent compromises of other
prominent web sites show. NT has had many more problems of this
nature, but UNIX has had enough that UNIX administrators have no reason to
feel smug or secure.
Having a backup tape or system recovery disk gives an attacker
access to password data but not direct access to a system. A buffer
overflow is likely to provide a means of entry, but not
necessarily ongoing access. An intruder will normally want to
obtain passwords to root or administrator accounts. This is
likely to ensure that an intruder who is in a position to obtain
the password hashes will have full access to the compromised
system for some time.
Good, bad, weak, strong defined
A weak password is any password that can easily be guessed or
cracked. A strong password is difficult to crack or guess. These
are relative and unless the password was created in a defective
manner, the strength of a password can be calculated
mathematically. A password can be so weak it can be cracked in a
fraction of a second or so strong that billions of millennia of
CPU time should be required. Most of what follows examines the
deficiencies that make a superficially strong password weak.
All relate to how humans think and select or create passwords.
A bad password is one that is too weak for the resources it's
supposed to defend or that is too difficult for users to use and
remember. A good password is a strong password that's reasonably easy to
remember. Identifying specific characteristics that make a good
password is more difficult than those that make a bad password.
Since there is a significant degree of mutual exclusivity between
these goals, part of defining good passwords is figuring out what
if anything can make a password both easy to remember and hard to
guess or crack. Some of the characteristics that make a password
easy or hard to remember will be discussed.
Password relativity
How good or bad a password is depends to a significant degree on
what it's protecting and who is using it. People have varying
memory capabilities so what may be easy for one person may be
difficult for another.
More important is the variability of the value of the resource a
password protects. On any computer system, the administrative or
root password is of much greater value than that of an
unprivileged user account. Different computers and systems have
greatly varying values. Computers that manage financial
information such as at banks and brokerage houses and very
sensitive information such as patient records at hospitals are
more valuable and require a greater degree of protection than for
example, the mailing lists of a mass marketer or the sales records
of a local retail store. Most users are likely to consider their
Amazon or other online retail account that includes credit card
numbers more important and sensitive than the password to a Gmail
or other disposable web based e-mail account. The password to a
site, such as a social media site, that the user has spent much time
customizing may be somewhere in between in sensitivity. If someone
has used Gmail or a similar service for several years as their
primary email account, and has a large quantity of saved emails,
that account will become much more valuable and sensitive than
an email account which is only used occasionally.
The importance of a password may depend on one's perspective.
You may place a different level of importance on passwords
you use at work than your employer would place on those same
passwords. You would likely reevaluate the importance of
such a password if you were fired because you used an easy to crack
password that led to a costly security breach. It would not
matter that the password may have met the letter of any password
policies in effect or enforced by a work computer. Some people
advocate password safes as a means to manage the many good
passwords most of us need in the second decade of the 21st
century. I'm not sure how you could use a password safe at
work; of course you could use one after you've logged into your
work computer to manage website passwords, but how can it help you
get onto your work computer? The following pages are intended to help create good
passwords as opposed to abysmal passwords like Number1, which has mixed
case and a digit, but would be cracked by any capable hacker
in seconds on almost any computer hardware, on any OS, with
almost any cracking tools. Not all pages are equally relevant;
some pages or sections are more for administrators or policy
makers, and some get fairly technical.
Cracking defined
Cracking means running a program that guesses large numbers of
passwords against a file containing account names and password
hashes. The file is a UNIX passwd or shadow password file, or is
extracted from the SAM or directory on Windows. The program
repeats the encryption
algorithm that was used to encrypt the user's plain text
password. It uses a dictionary or other list of plain text
passwords, such as a list of common passwords, and encrypts these.
If the result matches the hash stored in the password file, then
the password has been cracked. The cracking program normally also
makes various permutations of the dictionary list such as appending
or prepending digits or other characters, substituting similar
looking characters, rotating or shifting the word in different ways
and doing these changes in various combinations. The
cracking program may also extract the user's account,
name or title from the password file and make combinations and
permutations of this data to guess passwords. Cracking programs
normally have a brute force method that generates potential
passwords; characters are combined randomly to make possible
passwords. Frequently used characters may be used before infrequent
or unusual characters to increase the likelihood of finding
passwords quickly.
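
The permutations listed above can be turned around into a check applied when a password is chosen, shown here as an added example that is not from the original page: it undoes case changes, digit or symbol affixes, look-alike substitutions and rotations, then looks the result up in a word list and against the account name. The word list is constructed, and the substitution table, the affix limit and the function names are assumptions.

```python
from typing import Iterable, Optional, Set

# Constructed mini word list; a real check would load a large dictionary.
WORDS = ["number", "password", "admin", "letmein", "pass"]

# Look-alike substitutions undone before the dictionary lookup.
# "1" is ambiguous (i or l), so two tables are tried.
_COMMON = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
           "@": "a", "$": "s", "!": "i"}
LEET_TABLES = [str.maketrans({**_COMMON, "1": "i"}),
               str.maketrans({**_COMMON, "1": "l"})]


def candidate_bases(password: str, max_affix: int = 3) -> Set[str]:
    """Undo case changes, non-letter affixes, look-alikes and rotations."""
    pw = password.lower()
    bases: Set[str] = set()
    for lead in range(max_affix + 1):
        for trail in range(max_affix + 1):
            if lead + trail >= len(pw):
                continue
            affixes = pw[:lead] + pw[len(pw) - trail:]
            if any(ch.isalpha() for ch in affixes):
                continue  # only digits/symbols count as added affixes
            core = pw[lead:len(pw) - trail]
            for table in LEET_TABLES:
                plain = core.translate(table)
                # every rotation of the word, including the word itself
                bases.update(plain[i:] + plain[:i] for i in range(len(plain)))
    return bases


def weakness(password: str, account: str, words: Iterable[str]) -> Optional[str]:
    """Return why the password is dictionary-derived, or None if no rule hits."""
    bases = candidate_bases(password)
    if account.lower() in bases:
        return "account name"
    hits = bases & {w.lower() for w in words}
    if hits:
        return "dictionary word: " + sorted(hits)[0]
    return None


if __name__ == "__main__":
    for pw in ("Number1", "P@ssw0rd!", "Smithj99", "vT9#qLw2Zk"):
        print(pw, "->", weakness(pw, "jsmith", WORDS))
```

A result of None only means none of these rules matched; it says nothing about length or randomness.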
Guessing defined
Guessing is an interactive or automated attempt to log into a
computer, website, email account or other password protected
resource via one of many remote access methods such as HTML, POP3,
telnet, ssh, or other protocol. Users tend
to pick easy to remember passwords which will often be as short
as the system permits. Easy to remember often means things that
relate to the user in some fashion as listed later. Also there
are some very common passwords such as pass, password, Password1,
admin, letmein, and the company's name or acronym.
Guessing is likely to be more successful if the attacker knows
something about the users whose accounts they are trying to get
into. Some of the information commonly used to create poor
passwords is in public records such as phone books. In the past
a company web site may have had an employee list with some of
this information; these are now very rare. That which isn't listed somewhere publicly
accessible can often be gathered with a social engineering
attack. The classic example was a "survey" passed out in a
company's lobby that yielded a number of user accounts and
passwords.
More than a hundred pieces of information useful in forming
passwords can be personally related to a single individual. A
number of these can be broken into pieces and/or formatted
multiple ways. Combinations of pieces may result in thousands of
combinations per person. One author [1] has identified
over three hundred thousand permutations per two word combination
and these are not exhaustive.
Interactive guessing is likely to be limited to a few dozen
attempts. Only the most obvious personal information with
a few simple variations is likely to be tried. It's very
likely these attempts will be logged. If there is any attempt
to automate the guessing, the likelihood of the attempts being
noticed in log files increases significantly. Many systems
lock or freeze an account for 15 minutes to an hour,
after 3 to 5 invalid attempts within
a few minutes, to prevent automated guessing. Still, guessing
should not be discounted because it remains a method by
which improper access to systems is gained, due to the
abysmal passwords some users and even administrators select.
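
The lockout rule described above, as an added example that is not part of the original page: failed logins are counted per account inside a sliding window, and the account is frozen for a fixed period once the limit is reached. The defaults (5 failures, 300 seconds, 900 seconds) are picked from the ranges in the text; the class, the function and the event list are constructed for illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Constructed events: (seconds since start, account, login succeeded?)
SAMPLE_EVENTS = [
    (0, "alice", False), (20, "alice", False), (40, "carol", False),
    (45, "alice", False), (60, "alice", False), (75, "alice", False),
    (90, "alice", True),    # right password, but the account is frozen
    (500, "carol", False),  # carol's earlier failure has aged out
    (980, "alice", True),   # freeze has expired
]


class LockoutTracker:
    def __init__(self, max_failures: int = 5, window: float = 300,
                 lock_seconds: float = 900) -> None:
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        return now < self._locked_until.get(account, 0.0)

    def record_failure(self, account: str, now: float) -> bool:
        """Count a failed login; return True if it triggers a new lock."""
        if self.is_locked(account, now):
            return False
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            recent.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)  # a good login resets the count


def replay(events, tracker: LockoutTracker) -> Tuple[List, List]:
    """Feed time-ordered events through the tracker; return (locks, refused)."""
    locks, refused = [], []
    for ts, account, ok in events:
        if tracker.is_locked(account, ts):
            refused.append((account, ts))  # log it: attempt during a freeze
        elif ok:
            tracker.record_success(account)
        elif tracker.record_failure(account, ts):
            locks.append((account, ts))
    return locks, refused
```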
Guessing has one advantage over cracking. Guessing merely
requires physical access or an open network path to a machine
running a suitable service or application. It does not require any other access
to the target machine. Cracking assumes some level of access to
the target machine, since the account names and password hashes
must be in the cracker's possession before cracking methods
can be applied.
Generally, if passwords that are difficult to crack are selected, they
will also be difficult or impossible to guess. Thus, the remainder of
this discussion will focus on cracking.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
https://geodsoft.com/terms.htm
(or https://geodsoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
https://geodsoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.