
What's In A Password

by James Gates

All through history, groups ranging from governments to guilds have made frequent use of passwords. These have been different forms of secret sign-and-countersign or challenge-and-response systems. Typically, they have been used to distinguish those who belong to a particular group from those who do not. If a simple, flexible, blind identification were to be needed, one or another password method could be suitable for such a purpose, given certain provisions. Those provisions are that:

The people who need to use the system are willing to go along with it.

The selected password is hard to guess but easy to remember.

The people who know it will keep the password a secret.

The password is changed right away when anyone who knows it leaves the work group.

Actually, although the concept of passwords is simple, several factors go into the successful use of them. This article addresses password use in Digital Equipment Corp.’s VAX/VMS environment. Most of the concepts and principles discussed, however, can be applied successfully in other situations.

PASSWORD IMPORTANCE

Today’s computing environments often have group passwords as well as passwords for individual user accounts. System-wide passwords, for example, are commonly used to distinguish insiders from outsiders in the case of terminal ports that are connected directly to otherwise unsecured auto-answer modems. These passwords are used mainly to deter computer hackers and other intruders. This kind of password usually is set by a single person who makes it known to the group members, who then use the password without changing it. Group passwords serve purely to restrict access.

Individual account passwords also are intended to restrict access. Their primary function, however, is to help identify the individual using the account. Many systems really need only the account identification to let an individual log on. However, a password also may be required as additional authentication or proof of identity. (The account identification may be available openly to others on the system. In this case, the password becomes the real key to a particular account and the most significant component within the system of user identification.) Someone else who knows a particular account identification and password has the means to access the system illegally. Privileged users with a little knowledge have several ways to impersonate someone else, but none of these is as straightforward as logging on with the user name and password. In either case, the impersonated individual becomes accountable for whatever the impersonator does in his or her name. This explains the need to learn safe password management practices.

AN ACCEPTABLE PASSWORD

An acceptable password is one that an individual can remember and use and that another person cannot discover easily. Maintaining computing privacy is the whole reason for having a password.

An individual is better off with a password that can be easily remembered and used than with a random series of characters—unless, of course, that person is good at remembering random sequences. The ideal password is one that people will not be tempted to write down. It will permit correct keying in on the first try and will not be difficult to use. If the selected password proves to be difficult to use correctly, the individual can change it to a more acceptable password, which is fine. Otherwise, that person can expect to make so many typing mistakes that the almost-correct password entries will start showing up in security logs, which is not fine.

PASSWORD USE RULES

Seven simple rules will eliminate most of the easy methods for discovering a password.

1. Never Tell Anyone Else What Password Is Being Used.

Shared accounts confuse the lines of accountability and should be avoided. Each user on the system should have an individual account. (The account holder should be the one to log on if it appears to be necessary to let another person use an account briefly.) The bad habit of sharing a password might be broken by choosing passwords that would create embarrassment if told to anyone else. Change a password as soon as possible if it is used in an emergency by someone other than the person with whom it usually is identified; consider the account compromised until this change is made. When an account has been used illegally, it often turns out that someone gave away the password involved.

2. Never Write Down a Password. If the password is for a group of people (e.g., a system or program password), a mnemonic device should be used to make the password more memorable. Find a memory trick that can be passed on to others who will need to remember the password—anything to prevent writing it down. The simplest method used to break into an account is to look for a password around the work space, in text files, and in network access control sequences in command procedures. For that reason, writing down a password is the next worst thing to giving it away.

3. Avoid the Obvious Choices. Individuals should be encouraged to select passwords that have nothing to do with them personally. This rules out the name of anyone that they know personally, their birthdays and anniversaries, terms or names unique to their organization, their address, their Social Security and phone numbers, their hometown, and other bits of personal information they may have memorized. As a rule, they should avoid selecting anything that someone could look up or guess. The obvious choices are usually the first ones a password guesser will try.

4. Make Them Work for It. Given unlimited time and opportunity, a program could generate and test all possible password combinations. But that gets expensive, and a reasonable password guesser would take several shortcuts. One shortcut involves trying all the words in a dictionary. Use of combinations of words, misspelled words, or made-up words for passwords eliminates that shortcut and forces the guesser to do it the hard way. Throwing in a digit here and there will make this person’s task really difficult. Take, for example, a six-character password composed just of letters. A password guesser can find it in about 300 million tries at most, which is already pretty good. If digits are used in the password, the number of tries jumps to more than two billion for a password of the same length. (For a password of n characters, there are 26^n combinations using just letters, and (26 + 10)^n = 36^n combinations using letters and digits.)

5. Use Longer Passwords. A password should be at least six characters long and double that if the individual can comfortably type it in. There are only about 17,500 three-letter password combinations, but there are more than 300 million combinations of six-letter passwords and more than 95.4 quadrillion 12-letter variations. These differences are significant and make it worth the effort to find longer passwords.

6. Change Passwords. A new password should be chosen every month or so, more often than that if it is a privileged account. Avoid the temptation to reuse passwords, which increases the risk of reopening an account to potential compromise. A new account should always be created in a manner that forces the new user to change the password immediately.

7. Use Different Passwords for Different Systems. Avoid creating a situation in which the discovery of one password will automatically reveal them all. There is a hard way to do this and an easy way. The hard way is for each password to bear no relation to any other. This is the most secure approach because it avoids the need to write anything down. In addition, all of these passwords can be changed on a regular basis.

The easy way involves using an algorithmic password with a fixed part and a part that changes from system to system. The fixed part should be replaced periodically with something new. Avoid obvious choices for the variable part (e.g., node names, organization names, and processor designations). The best choice is a term that has meaning only for the selecting person and that looks like it belongs with the fixed part of this password.

PASSWORD GRABBER PROGRAMS

Be alert to programs that steal or trap passwords. If the system has a secure server or trusted path capability, either hitting the Break key or turning the terminal off and on before logging on will ensure that no so-called password grabber is running. In addition, always make note of any log-on failure messages. Keep track of failed log-on attempts, and make sure the count of these matches the system’s log-on failure count. If they do not match, either an error has been made in the count or a password grabber is at work. Change the password immediately and start looking for the culprit. This is a serious incident and may involve other victims.

AN EFFECTIVE PASSWORD POLICY

An effective password policy takes into consideration the limitations of a system’s users as well as the overall information security policy of the organization. Effective password management requires the active cooperation of everyone involved in the process.

It really is worth the effort to make users feel personally involved in implementing the password policy. Make sure they understand that all their work will be vulnerable to anyone who logs onto their individual account and that anything that happens in their account will look as if they did it. Convey the idea that protecting their password is more in their own interest than anyone else’s but that because their work is important and valuable, password protection also is in the interest of the organization.

Beyond explaining responsibilities, it is equally important to listen to any problems users express concerning any aspect of the password policy. It probably is unrealistic to require that everyone use passwords of more than 10 characters, though many users may be able to handle much longer passwords. Users who have trouble keying in a long number may become frustrated unnecessarily, or they may adopt other practices that create their own security problems—for example, leaving the terminal logged on while they are away. By asking users how well the password policy works for them, it is possible to learn where the weak spots in the policy are and whether it is actually working.

If some element of the password policy is not working, take the time to determine why before attempting to force the issue. It may be that the policy is too rigorous. For example, requiring the use of 16-character generated passwords that change every other week is practically begging the users to write down the passwords. If the policy is workable, better user education may solve the problem. For instance, simple mnemonics may be provided to make group passwords easier for users to remember, without sacrificing security.

If users understand and are able to follow the password policy but do not, it may be that they need help to appreciate its importance. Try discussing it first. Share some real-life stories to illustrate what can happen when an account is compromised. Finally, include the password policy as part of a contract that each user has to sign. Requiring the commitment in writing can help because people often take a policy more seriously if someone has bothered to write it down in clear, understandable language. This practice also will facilitate enforcement of the policy. However, this particular tactic could backfire if users get the feeling that the policy is being forced on them without considering their views.

TIPS FOR SELECTING PASSWORDS

The first requirement for a password is that the person using it be able to remember and use it. Most people, given a little coaching, could think of hundreds of suitable passwords—and would remember them all the better for having made them up. It probably is not necessary to require that a generated password be employed. Such a practice carries the added risks that someone else may see it on the screen or in a terminal session log or that the user may write it down. These are suggestions for passwords that should be as secure as generated passwords of the same length, provided the selection method used is not revealed. Do not use the specific password examples given in this discussion. Rather, use the ideas that they illustrate. There are other methods that may be used. Password selection methods should be changed periodically so that the process of choosing them does not become predictable. In the following examples, the hyphens are included for legibility, but they should be left out when the password is entered:

Variations on titles, slogans, and phrases. Pick a theme—such as movies, song lyrics, novels, or the plays of William Shakespeare—and create a variation on that theme to have different but easily remembered passwords on several systems. The exact titles of popular works should be avoided because they could be checked easily by a password-guessing program. Variations on the specific titles, however, can be just as easy to remember and much harder to guess. If a theme approach is used, change themes now and then. This practice will be more interesting and will make the passwords less predictable should anyone discover one password and start looking for a pattern. Some examples include gone-with-the-breeze, prince-lear, and 75-trombones.

Misspelled words. Take an ordinary word or phrase and mangle it a little. Some examples include kolorado, biznezz, 42nutly, and n-d-pendent.

Misplaced fingers. A fairly cryptic password can be created by taking ordinary words, spelling them just about any way, and typing the result with your fingers shifted from the base position on the keyboard. For example, vyvvkw is bubble with the fingers shifted one key to the left, and e8wh36oqhe is disneyland shifted one key up.

Initial letters. Take a phrase or sentence and use only the first letters. For example, m-t-f-b-w-y comes from may the force be with you, and t-c-b-t-s-o-a-b-f comes from this could be the start of a beautiful friendship.

Foreign words. A second language can be drawn on for password options. (This borrowing can be especially helpful if most people do not realize that the individual involved possesses a knowledge of this language.) Even better is the use of a language that has a different alphabet from the Roman, such as the Slavic and various oriental languages. In this case, the selected foreign word or words necessarily would be spelled phonetically in the Roman alphabet, creating a password that would not be found in any generally available dictionary yet could be easy to remember.

Made-up words. This is the way a password-generator works. Create a password by stringing a few syllables together and seeing what comes up. Some examples include bo-wan-natek, un-ga-wah, and key-ris-co.

Mathematical formulas. Take a mathematical formula and leave out the operators, if necessary, but do not reduce it to just numbers. As was suggested earlier with common titles, it would not take much work to include the most common mathematical formulas in a password guesser. But even a slight variation (e.g., the change of a constant or the addition of a variable) should create a fine password. The number of variations of n characters using just digits is only 10^n, not nearly as good as 36^n (when letters are added) or 94^n (if the full range of printable ASCII characters is included). For example, ax-2-bx-c-45 is ax^2 + bx + c = 45, and s-y-2-s-2-2-s-y-y-2 is (s + y)^2 = s^2 + 2sy + y^2.
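The search-space arithmetic behind rules 4 and 5 and the 10^n / 36^n / 94^n figures in the formula tip, carried through as an added Python example (not code from the original article). It counts letters case-insensitively, as the article's 26 does, and the small word list standing in for a guesser's dictionary is constructed for the example.

```python
import string

DIGITS = set(string.digits)
LETTERS = set(string.ascii_lowercase)
# Every printable ASCII character except whitespace: the 94 the article cites.
PRINTABLE = set(string.printable) - set(string.whitespace)

# Constructed stand-in for a guesser's word list; a real one is far larger.
TOY_DICTIONARY = {"colorado", "business", "independent", "bubble", "disneyland"}


def alphabet_size(password: str) -> int:
    """Size of the character class the password draws from, counted as the
    article counts it: digits only (10), letters case-insensitively (26),
    letters plus digits (36), anything else in printable ASCII (94)."""
    chars = set(password.lower())
    if not chars or not chars <= PRINTABLE:
        raise ValueError("password must be non-empty printable ASCII without spaces")
    if chars <= DIGITS:
        return 10
    if chars <= LETTERS:
        return 26
    if chars <= LETTERS | DIGITS:
        return 36
    return 94


def brute_force_space(password: str) -> int:
    """Candidates an exhaustive guesser must cover at most: alphabet^length."""
    return alphabet_size(password) ** len(password)


def effective_space(password: str, dictionary=TOY_DICTIONARY) -> int:
    """What the guesser faces after the dictionary shortcut of rule 4: a plain
    dictionary word costs at most len(dictionary) tries whatever its length; a
    misspelled or made-up word sends the guesser back to brute force."""
    if password.lower() in dictionary:
        return len(dictionary)
    return brute_force_space(password)


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the effective space at a given guess rate."""
    return effective_space(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("abc", "abcdef", "abc123", "colorado", "kolorado", "ax2bxc45"):
        print(f"{pw:10} alphabet={alphabet_size(pw):2} "
              f"brute={brute_force_space(pw):,} effective={effective_space(pw):,}")
```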

With a little effort, effective password management can be implemented so that it works with the user community. A password policy that takes into consideration the needs of the user community as well as the security requirements of the organization will find more support and acceptance and consequently will be more effective.
