[ISN] Passwords: The Good, the Bad and the Ugly
From: InfoSec News (alerts at infosecnews.org)
Date: Wed Jan 10 2007 - 00:11:27 CST
http://www.builderau.com.au/strategy/architecture/soa/Passwords_The_Good_the_Bad_and_the_Ugly/0,339028264,339272929,00.htm
By Nick Gibson
Builder AU
2007/01/09
Pick anyone in the world who uses a computer now and then and chances
are they've had to think up a password somewhere along the line. Regular
computer users will have stacked up quite a few: your work PC, Web mail,
online banking, blogs, etc. It's no wonder that a lot of people get
overwhelmed by the sheer weight of things to remember and forget why
they've got the passwords in the first place.
It's not uncommon to see a Post-it note with a password written on it
stuck to the top of the computer that it accesses, and when that happens
it's easy to see that something has gone wrong somewhere down the line.
For users, it's important to remember why passwords exist in the first
place, and for administrators setting a password policy, who tend to err
on the side of paranoia, it's important to remember that sometimes too
much security is just as bad as none at all. To understand what makes a
good password, we need to first look into how passwords get broken.
People trying to break your password will generally fall into one of two
categories. The first will be professional cyber criminals,
indiscriminately trying to gain access to accounts for their own gain.
Maybe it's access to your bank account and your funds, maybe it's
control of your computer so they can add it to their botnet, maybe it's
an attempt to gain access to your work account for the purposes of
industrial espionage, or maybe it's just some bored kid looking for
something to vandalise.
Whatever the situation, the common factor is that they're not
necessarily singling you out and you haven't necessarily done anything
to draw their attention. You may just be one of a thousand hit, or one
of a hundred thousand chosen at random on the Internet, and the only
thing protecting you is the strength of your password.
The second group are people who have chosen to target you; either they
know you or they have the means to find out. They may have chosen you
for any of the reasons above, or through curiosity or spite. Many people
choose passwords that relate to personal information, such as birthdays,
addresses or family names -- thinking that either nobody knows these
little facts, or that those who would know would never try to use them.
Most people aren't aware how much information ends up being available
about them on the Internet, one way or another -- and with search
engines getting better all the time, it's getting easier to find out
more about people.
How are passwords broken?
There are a number of different ways in which passwords are broken. The
oldest, and least sophisticated method is called the brute force attack.
An attacker runs through every possible sequence in the set of possible
passwords until they find the right one. While it's not clever, the
advantage of the brute force attack is that given enough time it will
always work. The key factor here is time, but to understand this, let's
take an example: cracking a four-digit PIN.
Now in this case, there are four characters and each character has 10
different options -- meaning that there are 10 ^ 4, or 10,000, possible
combinations, and 10,000 attempts generate every possible password in
the set. Since on average you only need to go through half the set
to find a given password, a cracker will need only 5000 attempts per
password, which a computer can run through in a matter of seconds.
That was a simplistic example, but let's take something a little more
commonplace: a six-character password, letters only and not case sensitive.
This means that there are 26 options for each character, giving us 26 ^
6 or 308,915,776 different options. Now clearly this is going to take a
lot longer, but it's still not going to be enough to discourage an
attacker.
At the 2005 Ontario Universities Computing Conference, Johnathan Graham
claimed an optimised copy of a password cracker running on a 2.7GHz G5
Mac had managed to generate 900,000 encrypted passwords per second; a
six letter password space could be entirely generated in only five
minutes (presentation notes). An eight character password, using the
full printable ASCII character set, including uppercase, lowercase,
digits and punctuation, would take 200 years of constant computation to
crack at this rate.
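The search-space arithmetic above, as an added example that is not part of the article: the 900,000 guesses per second is the article's figure, and the 8-character case assumes a 94-character alphabet (letters, digits and punctuation, no space).

```python
# Added example (not from the article): brute-force search-space arithmetic
# for the three cases the article walks through (4-digit PIN, 6-letter
# case-insensitive password, 8-character printable-ASCII password) at the
# 900,000 guesses per second it attributes to a 2005 2.7GHz G5 Mac.
import string

GUESSES_PER_SECOND = 900_000          # rate quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Character classes a policy may allow; the union of the chosen classes
# is the alphabet. All four together give 94 printable ASCII characters
# (space excluded), which is the assumption used for the 8-character case.
CLASSES = {
    "digits": string.digits,             # 10
    "lower": string.ascii_lowercase,     # 26
    "upper": string.ascii_uppercase,     # 26
    "punctuation": string.punctuation,   # 32
}

def key_space(length: int, classes) -> int:
    """Number of passwords of exactly `length` characters drawn from the chosen classes."""
    alphabet = set().union(*(CLASSES[c] for c in classes))
    return len(alphabet) ** length

def crack_time(length: int, classes, rate: int = GUESSES_PER_SECOND) -> dict:
    """Search-space size and time to exhaust it (worst case) or half of it (average case)."""
    space = key_space(length, classes)
    full_seconds = space / rate
    return {
        "space": space,
        "average_attempts": space // 2,          # on average half the space is searched
        "full_seconds": full_seconds,
        "average_seconds": full_seconds / 2,
        "full_years": full_seconds / SECONDS_PER_YEAR,
    }

if __name__ == "__main__":
    for length, classes in [(4, ["digits"]), (6, ["lower"]),
                            (8, ["lower", "upper", "digits", "punctuation"])]:
        r = crack_time(length, classes)
        print(f"{length} chars from {'+'.join(classes)}: {r['space']:,} passwords, "
              f"{r['full_seconds']:,.0f} s to exhaust ({r['full_years']:.1f} years)")
```

The 6-letter case works out to about 5.7 minutes and the 8-character case to roughly 215 years, in line with the article's "five minutes" and "200 years".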
The second method is the dictionary attack. In this kind of attack the
attacker has a big list of possible passwords, so that rather than
having to try every possible combination of letters and numbers, they
need only try combinations that are likely to be someone's password,
somewhere. Don't be fooled by the name into thinking that this list
contains only words found in a common dictionary, although that will
certainly be part of it.
Your typical password cracker will have several dictionaries, ranging
from a short list of only the most common passwords, up to a
comprehensive dictionary containing obscure words, names, places,
phrases and common misspellings. Oftentimes a cracker will use this
dictionary with itself to generate a list of concatenated words,
including the addition of digits and punctuation. A password cracker's
largest dictionary may run into the 10s of gigabytes, and may run for
days.
The last method is the simplest -- trying passwords manually is the sort
of attempt your little brother might try. Normally this is a negligible
threat -- few attackers have the patience to sit and type out 10
thousand different passwords. The danger here is when the attacker
already has the password; even sticking to low-tech approaches, there are
plenty of ways an attacker can get the password of a careless user. The
easiest is to just read the password, either on the traditional Post-it
note, or on the list of usernames and passwords to company accounts
stuck to the side of the secretary's desk -- if you put your password in
plain sight then you're trusting everyone who steps into your office to
respect your privacy.
Another common trick to look out for is the fake e-mail asking you to
"verify" your account by sending your username and password through
e-mail -- in fact delivering it right to the attacker who's trying to
compromise your account. The success of this scam has led many online
sites that use password verification to place warnings to inform users
that they will never request a password through e-mail.
How do you create a good password?
Now that we've identified the who and the how, we can start to think
about what makes a good password. Clearly the best password is the one
that provides the most defence against password attacks. For brute force
attacks, the key factor is the size of the key space, that is, the
amount of passwords that are possible. The more characters that make up
a password, the better, and the more characters that a password can be
made up of, the better.
For a dictionary attack, the important thing is that the password is as
random as possible, so that it is unlikely to turn up in any generated
dictionary of likely passwords -- avoid passwords that contain
dictionary words, names, places and even dates. For the last type of
attack it's important to make it memorable enough so that you're not
tempted to write it down anywhere. This is the big problem with
passwords, keeping it memorable enough so that you can keep it in your
brain, but complex and random enough to not be easily generated by an
attacker.
One popular method is generating an acronym, pick some phrase you'll
remember and take the first letter of each word, throw in some
punctuation and you've got something that's easy for you to remember,
but looks completely random to someone who doesn't know how the password
was created. For example, say you're a Bob Dylan fan, you're terrible at
remembering passwords, but you know all the words to Highway 61
Revisited -- you take the first letter of each word in the first line
("God said to Abraham: 'Kill me a son'"), add the name of the song and end
up with a password that looks like GstAKmash61r.
That's a 12 character password with lower and upper case letters, as well
as digits that looks pretty indistinguishable from any other string of
characters to anyone who doesn't know where it came from. This makes the
method you used your effective password, since it's all you need to
regenerate the password. Even if you don't happen to know all the lyrics
to your song, you can stick them to your cubicle wall and no one will
think anything of it.
Tips:
The Good
* The more possible things your password can be, the harder it is to
brute force -- so be creative: use a mix of letters, numbers and
punctuation.
* Change your password from time to time. While this doesn't make any
single password more secure, it can decrease the damage done should
someone get a hold of it and means that old password information gives
an attacker nothing.
* Use memory tricks such as acronyms or mnemonics to help you remember a
complicated password.
* Use different passwords for different accounts. You wouldn't use your
PIN as your video store password, would you? So avoid having
the same password for Web mail and Internet banking.
* Break your password up into sections and have a different rule for
each, this will help make a more random looking password.
The Bad
* Don't assume that because you've done nothing to draw the eye of a
password cracker you're safe; most password cracking attempts are made
by people who neither know nor care anything about you.
* Don't use words that exist in any dictionary in any language anywhere
in the world.
* Don't use names, even if they're uncommon.
* Common misspellings, or replacing letters with numbers that look
similar, e.g. 1 for L or 0 for O, gives you a negligible increase in
password strength.
* Don't leave your password as the default; lists of default passwords
for a whole range of systems are commonly available on the Internet.
* Don't use sequences of characters that appear in a run on the
keyboard, such as qwerty or asdf.
The Ugly
The top 10 passwords found in a UK study, as published on the blog
Modern Life Is Rubbish are as follows. If you see your password here, or
something similar, you might want to think about a change:
1. 123
2. password
3. liverpool
4. letmein
5. 123456
6. qwerty
7. charlie
8. monkey
9. arsenal
10. thomas
Copyright 2007 CNET Networks, Inc. All rights reserved.
_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn