Passwords
- DRAFT -
Peter Shipley

With recent FBI reports of corporate espionage against U.S.-based companies exceeding $300 billion in 1997 alone, companies should now, more than ever, guard their doors against unwelcome intruders.

At the risk of beating a dead horse, this month's article is about good password selection.

From my experience in system and site auditing, I have found that weak passwords are one of the biggest and most common problems, and thus one of the most common paths used to illegally access a system.

Also, surprisingly enough, the weakest passwords typically belong to those in upper management and sales (those with information to hide).

Bad passwords

Words like cowboy9, PORSCHE911, mr.spock, wynt3r, merde3 are all trivial to guess.

Q: What makes a password guessable?
A: Time.

Like any piece of encrypted information, any password can be guessed or "cracked"; all it takes is time. For a Unix-style password file it can take anywhere from a few hours to several centuries, depending on the complexity of the password.
For Windows-style passwords it can range from a few hours to almost a week for any password (NT is known to use a very weak password storage algorithm; more on this later).
The simplest and most direct attack is a brute-force attack, that is, starting with the password ``a'', then ``b'' and so on to ``aa'', then ``ab'', until we get to ``ZZZZZZZZ''. This can take a while.

To speed up the guessing process, attackers use tools such as specialized dictionaries, together with a few simple rule sets for modifying the words.

I have found that a majority of the passwords from an average site can be guessed within one day with the use of a few specialized dictionaries.
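The same rule sets can be turned around and applied when a password is chosen, so that anything reducible to a dictionary word is refused before it is ever set. The Python below is an added example, not part of the original article; the word list, the substitution table and the function names are constructed assumptions.

```python
import re
from itertools import product

# Constructed sample word list (assumption). A real checker would load the
# same kinds of specialized dictionaries an attacker uses.
WORDLIST = {"cowboy", "porsche", "spock", "winter", "merde"}

# Assumed rule set: a character and the letters it commonly stands in for.
SUBS = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "y": "yi"}


def keyspace(alphabet_size, max_len):
    """Number of guesses in a full brute-force sweep of lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def derived_from(password, wordlist=WORDLIST):
    """Return the dictionary word a password reduces to, or None."""
    p = password.lower()                          # rule: ignore case
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)    # rule: strip added digits
    # rule: split joined parts such as "mr.spock" into "mr" and "spock"
    candidates = {p, core, *re.split(r"[^a-z0-9]+", core)}
    for cand in candidates:
        if len(cand) > 16:                        # bound the expansion below
            continue
        # rule: undo look-alike substitutions, trying every combination
        for letters in product(*(SUBS.get(c, c) for c in cand)):
            word = "".join(letters)
            if word in wordlist:
                return word
    return None


if __name__ == "__main__":
    # 52 letters (a-z, A-Z), lengths 1 to 8: the sweep from "a" to "ZZZZZZZZ"
    print("brute-force sweep:", keyspace(52, 8), "guesses")
    for pw in ["cowboy9", "PORSCHE911", "mr.spock", "wynt3r", "merde3",
               "Tg7#qLz2"]:  # last entry is a constructed non-dictionary sample
        word = derived_from(pw)
        print(pw, "-> reject, derived from " + word if word
              else "-> no dictionary match")
```

All five passwords listed under "Bad passwords" reduce to a single dictionary word after at most three rules, which is why a dictionary attack finds them long before a brute-force sweep would.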

Any password can be broken given a few weeks, days or centuries.

The following are examples of "Bad Passwords"

There are dictionary lists for all the above and more.

Good Passwords

If possible, utilize a one-time password pad such as S/Key or SecurID. If this is not a current option, then here are some simple guidelines for selecting and protecting your password.

It is very important to change your password on a regular basis. This will hopefully thwart attempts at password guessing (that is, you change it by the time it is stolen or guessed).

A Warning for NT users

Systems like Windows NT are vulnerable to a gross number of network-based attacks, one of which allows anyone to download a copy of its password "file" from anywhere on the Internet.

This problem is compounded by the fact that the encryption algorithm used by Windows is so "weak" that the entire file can be compromised within a business week. The research group L0pht has developed a program entitled L0phtcrack that can break a Win/NT-based password via exhaustive keyspace attacks, and has made the program freely downloadable in hopes of forcing Microsoft into providing some reasonable security in their products. Unix is not vulnerable to such trivial download attacks.

About the author: Peter Shipley lives in Berkeley, Calif., and has 14 years of experience in network security. He specializes in system security auditing and risk assessment, Unix system security and TCP/IP network design and implementation.