9.2 Picking a Great Password

As we saw in Chapter 6, passwords are the simplest form of authentication. Passwords are a secret that you share with the computer. When you log in, you type your password to prove to the computer that you are who you claim to be. The computer ensures that the password you type matches the account that you have specified. If they match, you are allowed to proceed.

Using good passwords for your Internet services is a first line of defense for your privacy. If you pick a password that is easy to guess, then somebody who is targeting you will find it easier to gain access to your personal information. If you use the same password on a variety of different services, then a person who is able to discover the password for one of your services will be able to access other services.

9.2.1 Why Use Passwords?

Historically, most desktop personal computers did not use passwords. PCs were designed for use by a single person; in this environment, passwords were seen as an unwanted hassle.

If you are like most computer users, you probably got your first password when you got your first Internet email account: your password prevented other people from logging in to your Internet account and downloading your email. As your use of the Web grew, you were probably asked to create accounts on various web sites. For example, if you buy a book from Amazon, the Amazon web site will ask you for a password so that other users will not be able to view the books you have ordered.

Over the years, passwords have become a staple of desktop computers. Most versions of Microsoft Windows ask you to enter a username and a password before they will allow you to run a program. Windows uses the username and password in a limited fashion to control access to some personal information on your system. Likewise, the Macintosh and Unix operating systems can be programmed to use passwords as well.

Although passwords are currently one of the most important elements of computer security, users often receive only cursory instructions about selecting them.

As a user, you should be aware that by picking a bad password or by revealing your password to an untrustworthy individual you are potentially compromising your computer's security completely. If you are a system administrator, you should be sure that all of your users are familiar with the issues raised in this section.

9.2.2 Bad Passwords: Open Doors

A bad password is any password that can be guessed.

In the movie Real Genius , a computer recluse named Laszlo Hollyfeld breaks into a top-secret military computer over the telephone by guessing passwords. Laszlo starts by typing the password AAAAAA, then trying AAAAAB, then AAAAAC, and so on, until he finally finds the password that matches.

Real-life computer crackers are far more sophisticated. Instead of typing each password by hand, crackers use computer programs that automate this process. Instead of trying every combination of letters, starting with AAAAAA (or whatever), crackers use hit lists of common passwords such as wizard or demo. Even a modest home computer with a good password guessing program can try thousands of passwords in less than a day's time. Some hit lists used by crackers are several hundred thousand words in length.[1] Therefore, a password that anybody on the planet might use for a password is probably a password that you should avoid.

[1] In contrast, if you were to program a home computer to try all 6-letter combinations from AAAAAA to ZZZZZZ, it would have to try 308,915,776 different passwords. Guessing one password per second, that would require nearly ten years.

What are the passwords that you should avoid? Some examples are your name, your partner's name, or your pets' names. Other bad passwords are these names backwards or followed by a single digit. Short passwords are also bad, because there are fewer of them; they are, therefore, more easily guessed. Especially bad are "magic words" from computer games, such as xyzzy. These magic words look secret and unguessable, but in fact they are widely known. Other bad choices for passwords include phone numbers, characters from your favorite movies or books, local landmark names, favorite drinks, or famous computer scientists (e.g., "Simson" or "Spaf"). See Bad Passwords later in this chapter for more bad choices. These words backwards or capitalized are also weak. Replacing the letter "l" (lowercase "L") with "1" (numeral one), or "E" with "3," adding a digit to either end, or other simple modifications of common words are also weak. Words in foreign languages are no better. Dictionaries for dozens of languages are available for download on the Internet and dozens of bulletin board systems.

In general, you need to be more careful when selecting and using passwords used for web-based services than when selecting and using passwords used to secure dialup services. This is because high-speed networks make it possible for attackers to guess literally hundreds or even thousands of passwords per second. By contrast, it is difficult to guess more than two or three dialup passwords per minute, because a new phone call usually needs to be placed for every two or three attempts.

Many web services will make a minimal attempt to prevent users from picking bad passwords. For example, some services will reject a password that contains your username. Other services will require that you pick a password that has both letters and numbers, or a password that contains a symbol such as a "$" or a "*". Unfortunately, there is no consistency among online services: some services require that you have symbols or special characters in your passwords, while other services reject passwords with these characters.

9.2.3 Smoking Joes

Surprisingly, experts believe that a significant percentage of all computers without password content controls contain at least one account where the username and the password are the same. Such accounts are often called "Joes." Joe accounts are easy for crackers to find and trivial to penetrate. Most computer crackers can find an entry point into almost any system simply by checking every account to see whether it is a Joe account. This is one reason why it is dangerous for a computer system or a service provider to make a list of valid usernames available to other users or outsiders.

9.2.4 Good Passwords: Locked Doors

Good passwords are passwords that are difficult to guess. The best passwords are difficult to guess because they:

  • Have both uppercase and lowercase letters

  • Have digits and/or punctuation characters as well as letters

  • May include some control characters and/or spaces

  • Are easy to remember, so they do not have to be written down

  • Are at least seven or eight characters long

  • Can be typed quickly, so somebody cannot determine what you type by watching over your shoulder

It's easy to pick a good password. Here are some suggestions:

  • Take two short words and combine them with a special character or a number, like robot4my or eye-con.

  • Put together an acronym that's special to you, like Notfsw (None Of This Fancy Stuff Works), auPEGC (All Unix programmers eat green cheese), or Ttl*Hiww (Twinkle, twinkle, little star. How I wonder what. . .).

Of course, robot4my, eye-con, Notfsw, Ttl*Hiww, and auPEGC are now all bad passwords because they've been printed here.

Bad Passwords

When picking passwords, avoid the following:

  • Your name, spouse's name, or partner's name

  • Your pet's name or your child's name

  • Names of close friends or coworkers

  • Names of your favorite fantasy characters

  • Your boss's name

  • Anybody else's name

  • The name of the operating system you're using

  • The hostname of your computer

  • Your phone number or your license plate number

  • Any part of your Social Security or employee ID number

  • Anybody's birth date

  • Other information easily obtained about you (e.g., address, alma mater)

  • Words such as wizard, guru, gandalf, and so on

  • Any username on the computer in any form (as is, capitalized, doubled, etc.)

  • A word in the English dictionary or in a foreign dictionary

  • Place names or any proper nouns

  • Passwords of all the same letter

  • Simple patterns of letters on the keyboard, like qwerty

  • Any of these spelled backwards

  • Any of these followed or prepended by a single digit

Although some people like to pick passwords that are significantly longer than eight characters, these passwords rarely improve security over well-chosen passwords with seven or eight characters. If a password is chosen from eight random letters and numbers, then there is virtually no chance that the password will be guessed by a brute-force attack. This is because there are 36^8, or 2,821,109,907,456, possible 8-character passwords using simply lowercase letters and numbers; even if you could guess 1000 passwords each second, it would take 89 years to try all possible combinations. But a second reason that passwords longer than eight characters frequently do not improve security is that many computer systems truncate passwords at eight characters and ignore the additional characters that are entered.
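A checker that applies this chapter's rules (length, mixed character classes, the Bad Passwords list with its reversed, digit-padded and digit-substituted forms, and "Joe" accounts) together with the brute-force arithmetic from the text. This is an added example, not code from the book; the hit list and the guessing rates are constructed stand-ins for the real word lists a cracker would use.

```python
import string

# Constructed mini "hit list" standing in for the hundreds-of-thousands-word
# lists the chapter describes; a real checker would load full dictionaries.
HIT_LIST = {
    "password", "wizard", "guru", "gandalf", "xyzzy", "demo", "secret",
    "letmein", "dragon", "welcome", "admin",
}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")

# Undo the "1 for l, 3 for E" style substitutions the chapter calls weak.
LEET = str.maketrans("130@45$!", "leoaassi")

CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 symbols
)


def variants(password):
    """Lower-cased forms that count as 'the same word': as typed, with one
    leading or trailing digit stripped, reversed, and with digit-for-letter
    substitutions undone."""
    forms = {password.lower()}
    for v in list(forms):
        if len(v) > 1 and v[-1].isdigit():
            forms.add(v[:-1])
        if len(v) > 1 and v[0].isdigit():
            forms.add(v[1:])
    forms |= {v[::-1] for v in forms}
    forms |= {v.translate(LEET) for v in forms}
    return forms


def keyspace(password):
    """Alphabet size implied by the character classes present, and how many
    passwords of this length can be drawn from that alphabet."""
    alphabet = sum(size for chars, size in CLASSES
                   if any(c in chars for c in password))
    return alphabet, alphabet ** len(password)


def years_to_exhaust(password, guesses_per_second=1000):
    """Worst case for an attacker who must try every combination in turn."""
    _, combos = keyspace(password)
    return combos / guesses_per_second / (365.25 * 24 * 3600)


def check_password(password, username=""):
    """Return the chapter's objections to a password (empty list = none)."""
    reasons = []
    forms = variants(password)
    if len(password) < 7:
        reasons.append("shorter than seven characters")
    if len(set(password)) == 1:
        reasons.append("all the same character")
    if username:
        u = username.lower()
        if forms & {u, u[::-1], u * 2}:
            reasons.append("derived from the username (a 'Joe' account)")
    if forms & HIT_LIST:
        reasons.append("hit-list word, possibly reversed, digit-padded "
                       "or with digit substitutions")
    if any(run in f for f in forms for run in KEYBOARD_RUNS):
        reasons.append("keyboard pattern")
    classes_used = sum(1 for chars, _ in CLASSES
                       if any(c in chars for c in password))
    if classes_used < 2:
        reasons.append("only one class of character (mix case, digits "
                       "or punctuation)")
    return reasons
```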

Picking a good password is only half the battle. Once you have a good password, your next job is to keep your password a secret, so that you are the only person who has control of it.

9.2.5 Writing Down Passwords

There is a tired story about a high school student who gets a password to his school's computer, logs in after hours, and changes his grades. How does the student get the password? By walking into the school's office, looking at an academic officer's terminal, and writing down the username and password handwritten on a sticky note.

Unfortunately, the story is true thousands of times over.

Users are admonished: "Never write down your password." The reason is simple: if you write down your password, somebody else can find it and use it to break into your computer. A memorized password is more secure than the same password written down, simply because there is less opportunity for other people to learn it.

On the other hand, a password that must be written down to be remembered is quite likely a password that is not going to be guessed easily. If you write your password on something kept in your wallet, the chances of somebody who steals your wallet using the password to break into your computer account are remote indeed.[2]

[2] Unless, of course, you happen to be an important person, and your wallet is stolen or rifled as part of an elaborate plot. In their book Cyberpunks, authors John Markoff and Katie Hafner describe a woman named "Susan Thunder" who broke into military computers by doing just that: she would pick up officers at bars and go home with them. Later that night, while the officer was sleeping, Thunder would get up, go through the man's wallet, and look for telephone numbers, usernames, and passwords.

If you must write down your password, then at least follow a few precautions:

  • When you write it down, don't identify your password as being a password.

  • Don't include the name of the account, network name, or phone number of the computer on the same piece of paper as your password.

  • Don't attach the password to the terminal, keyboard, or any part of your computer.

  • Don't write your actual password. Instead, disguise it by mixing in other characters or by scrambling the written version of the password in a way that you can remember. For example, if your password is Iluvfred, you might write "fredIluv" or "vfredxyIu" or perhaps "Last week, I lost Uncle Vernon's 'fried rice & eggplant delight' recipe; remember to call him after 3 p.m." to throw off a potential wallet-snatcher.[3]

    [3] We hope that last one required some thought. The 3 p.m. means to start with the third word and take the first letter of every word. With some thought, you can come up with something equally obscure that you will remember.

  • Consider using an encrypting password-keeping program on a handheld computer (see Table 9-1).

Here are some other things to avoid:

  • Don't record a password online (in a file, in a database, or in an email message), unless the password is encrypted.

  • Likewise, never send a password to another user via electronic mail. Many attackers scan email files for the word "password," hoping to find an email message where one person is telling another person a password for another computer.

9.2.6 Strategies for Managing Multiple Usernames and Passwords

In today's world we are forced to memorize literally hundreds of public and private identifiers and authenticators. There are telephone numbers, birthdates, bank account numbers, usernames, passwords, and more.

The simplest way to manage this sea of information is to simplify it. For example, you might use the same username for your office computer, your home computer, and all of the web sites where you need to register. And to simplify things further, you might use the same password at all of these locations as well.

Unfortunately, there are many problems that arise when you use the same usernames and passwords at multiple locations:

  • If a password is compromised, an attacker can use the compromised password to gain access to multiple systems.

  • The management of a computer system usually has the ability to access the usernames and passwords of its users.[4] If you use the same username and password on multiple computers, the management of one of these computers will inevitably be able to access passwords that are stored unencrypted. One computer system operator might use your username and password to gain access to another system.

    [4] Many computer systems store passwords unencrypted in a database, making it easy for management to access the usernames and passwords of their users. But even on computer systems where passwords are stored encrypted, it is possible for management to access the passwords of users: management simply modifies the computer's software so that passwords are saved when they are typed.

  • Many computer systems place incompatible restrictions on the passwords that you can pick. For example, some web sites require that you enter a password that contains a special symbol, such as a "%" or a "&". Other web sites specifically do not allow passwords to be typed with these characters.

  • If you decide to change the password for some of the systems, you now need to remember which systems use the old password and which use the new password.

As a result, even if you try to use the same password on every computer, you'll soon find that you have multiple passwords that you need to remember. Here are some strategies for dealing with all of that data.

9.2.6.1 Password classes

One strategy for managing passwords is to divide them into different classes: for example, your standard password, your standard banking password, your standard email password, your online gaming password, and then a "low security" password that you use for everything else.

9.2.6.2 Password bases

Another strategy for managing passwords is to have a base password that can be modified for each different service. For example, your base password might be kxyzzy followed by the first letter of the name of the computer you're using. For the web site Amazon.com, your password might be kxyzzya, while on Hotmail your password might be kxyzzyh. However, you shouldn't be quite this obvious in your modifications, as the pattern will be apparent to anyone who observes two of the derived passwords.

9.2.6.3 Password rotation

Many people rotate their passwords. That is, all of the accounts that they create in the fall of one year use a particular password, then when winter comes, they switch to a second password, and when spring comes, they switch to a third password. This kind of password rotation is marginally more secure than using the same password on every computer. However, password rotation requires that you remember which sites have the new password and which have the old one. Eventually, password rotation is just as difficult as having a different password for each site.

9.2.6.4 Password keepers

Finally, you can use a radically different password for each of your accounts, but track each of your passwords in a special-purpose, password-keeping program. These programs remember all of your accounts, each account's password, the date that the password was created, and any other pertinent information. This information is then encrypted using a single password.

Password keeper functionality is built into the most recent versions of Netscape Navigator and Microsoft Internet Explorer. It is also available in third-party "wallet" programs, such as Gator, that interoperate with these browsers. Password keepers are also available as stand-alone programs for computers running the Windows, Macintosh, and PalmOS operating systems (see Table 9-1).

Table 9-1. Recommended password keeper programs

  Platform             Program                Location
  PalmOS               GNU keyring            http://gnukeyring.sourceforge.net/
  PalmOS               Strip                  http://www.zetetic.net
  Windows              Password Keeper 2000   http://www.gregorybraun.com/PassKeep.html
  Windows              Password Safe          http://www.counterpane.com/passsafe.html
  Macintosh 8.x, 9.x   Mac OS Keychain        Built in; see the Keychain Access control panel

It is also possible to build your own password safe with PGP. Simply encrypt a text file of accounts and passwords with your PGP key, and decrypt it when you want to read or edit the list. Remember to use the "wipe" option when deleting the decrypted file, and don't leave the file decrypted on disk any longer than strictly necessary.

9.2.7 Sharing Passwords

There are many good reasons to restrict who has access to your password. Because your password is the primary lock for your personal information, if you share your password, you are implicitly giving other people access to your data. In many circumstances, you are also giving that person the ability to impersonate you either by sending out email with your name, or by purchasing things on your behalf.

Of course, we all share our house and office keys from time to time. Likewise, we all need to share the occasional password. The strategies in this section are designed to help you make intelligent choices to minimize the potential damage of this risky behavior.

9.2.7.1 Be careful when you share your password with others!

Giving somebody your password is very similar to giving that person a key to your house or office: you need to trust that person well, because that person could enter your house when you are not there and take whatever he wants.

When you share a password with somebody, make sure the person understands the trust that you are placing in him. Don't treat your password lightly; otherwise, he might follow your example and do the same. For example, don't shout your password across the room. If you write the password down on a piece of paper, fold the paper in half when you hand it to the person as a way of indicating that the information should be guarded. And never email a plaintext password: email can be accidentally misdirected, misdelivered, and unintentionally forwarded to third parties.

9.2.7.2 Change your password when the person no longer needs it

If you share your house key, you run the risk that the key might be copied. One way to protect against this is by using keys that are hard to duplicate. But a better approach is to change your locks when your friend no longer needs access. Changing locks can be an expensive and time-consuming operation, but it's quite easy to change passwords. Therefore, after you have finished sharing a password, you should change it.

9.2.7.3 Resist social engineering attacks

One of the most common ways for attackers to steal passwords is to use social engineering attacks; that is, to ask a lot of people for their passwords, and see who responds. Crooks know that if they ask a few hundred people for their password, it's likely that somebody will answer.

Here are some common social engineering techniques:

  • An email message arrives that claims to be from your Internet service provider. The message informs you that you have been asked to "beta test" a new service. There is a link given at the bottom of the email message. When you click the link, you are taken to a web page where you are asked to sign in with your username and password. After you sign in, you are told that your account is not yet authorized; try again later. In fact, the web server where you typed your username and password belongs to an attacker, who immediately logs into your ISP account and changes your password, locking you out in the process.

  • A person claiming to be a new employee calls the company's computer support group and says that he cannot access his account. The support group tells the employee the password. The caller thanks the support person profusely, then hangs up. In fact, the person who called up is not the new employee, but an outsider who saw a press release on the company's web site welcoming the new employee to the company. That outsider now has access to the employee's email and files.

  • You get a phone call at your desk from a person who claims to be in your company's IT group. The person tells you that there is a problem with the company's backup system and it hasn't been able to record your information for several weeks. They think that the problem is your password, and ask that you change your password to "pass1234" so that they can diagnose the problem. You comply, giving the outsider access to your account in the process.

Social engineering attacks succeed because people want to be helpful and many computer users lack sufficient understanding of proper security rules and procedures.

9.2.8 Beware of Password Sniffers and Stealers

Even if you pick a good password and don't tell it to another human, your password might still be stolen by hostile software.

9.2.8.1 Password sniffers

Passwords can be intercepted as they move through the Internet. This interception is performed by programs known as password sniffers. These programs work by monitoring all of the Internet traffic that moves across a particular connection and recording the packets belonging to protocols that send passwords without using encryption.

Every Internet protocol that uses unencrypted passwords can be vulnerable to password sniffers. Specific protocols targeted by password sniffers include:

  • FTP (File Transfer Protocol)

  • HTTP (Hypertext Transfer Protocol)[5]

    [5] HTTP 1.1 has a challenge-response protocol that does not require that the user's password be sent in the clear over the network, but to use this system both the web server and the web client must support HTTP 1.1, and the challenge-response protocol must be specifically enabled on the web server. To date, few web services use this feature.

  • POP (Post Office Protocol)

  • TELNET (Remote Terminal Protocol)

  • RLOGIN (Remote login for UNIX machines)

Password sniffers have been an ongoing problem on the Internet since the late 1980s. Sniffers have been found on local area networks at universities, corporations, and government agencies. Sniffers have been found on the backbones of Internet service providers, giving them access to thousands of new passwords every minute. Sniffers have even been found on classified military networks.
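The challenge-response mechanism that footnote [5] refers to is HTTP Digest authentication (RFC 2617, shown here in its original form without the qop directive). Both sides of the exchange follow, as an added example that is not from the book; the realm, the account and its password are constructed.

```python
import hashlib
import re
import secrets

REALM = "mail.example.test"           # constructed realm name

# Constructed account, used only to set the server up. The server keeps
# HA1 = MD5(user:realm:password), so it never stores the cleartext either.
_SETUP_PASSWORDS = {"alice": "Iluvfred"}


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


SERVER_HA1 = {u: md5hex(f"{u}:{REALM}:{p}") for u, p in _SETUP_PASSWORDS.items()}


def server_challenge():
    """401 response: the server sends a fresh random nonce; nothing secret."""
    nonce = secrets.token_hex(16)
    return nonce, f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"'


def client_response(user, password, method, uri, nonce):
    """The client hashes the password with the nonce; only the hash goes on
    the wire, which is what a sniffer on the path would capture."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    response = md5hex(f"{ha1}:{nonce}:{ha2}")
    return (f'Authorization: Digest username="{user}", realm="{REALM}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


def server_verify(header, method, issued_nonce):
    """The server recomputes the response from its stored HA1 and the nonce
    it issued; a replayed header carries a stale nonce and is rejected."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
    user = fields.get("username", "")
    if user not in SERVER_HA1 or fields.get("nonce") != issued_nonce:
        return False
    ha2 = md5hex(f"{method}:{fields.get('uri', '')}")
    expected = md5hex(f"{SERVER_HA1[user]}:{issued_nonce}:{ha2}")
    return secrets.compare_digest(expected, fields.get("response", ""))


def exchange(user, password, method="GET", uri="/inbox"):
    """One full round. Returns the request line as seen on the network and
    whether the server accepted it."""
    nonce, _challenge = server_challenge()
    request = client_response(user, password, method, uri, nonce)
    return request, server_verify(request, method, nonce)
```

A captured Digest response can still be tested offline against password guesses, so the mechanism keeps a cleartext password off the wire but does not rescue a weak one.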

There is no way to know if your password is being captured by a password sniffer. Nevertheless, you can protect yourself from sniffers by avoiding protocols that send passwords in cleartext. For every protocol that is susceptible to password sniffing, there is an alternate protocol that uses encryption to protect passwords as they are sent. For example:

  Instead of using this protocol   Use these cryptographic protocols
  FTP                              scp (secure shell)
                                   FTPS (FTP over SSL)
  HTTP                             HTTPS (HTTP over SSL)
  POP                              POPS (POP over SSL)
                                   KPOP (POP with Kerberos authentication)
                                   APOP (POP with encrypted nonces)
  TELNET                           SSH (Secure Shell)

Because the cryptographic protocols require higher computational overhead and are frequently more difficult to set up, many online services simply do not make these services available to their customers. Other online services make the cryptographic protocols available but do not advertise them. But there are always choices on the Internet. For example, as of this writing, the web-based email providers HotMail, Yahoo, and AOL do not allow users to download their email using HTTPS, but instead require that the users send usernames and passwords using HTTP. But other web-based email providers, including Hushmail, do provide a higher level of security.
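An audit that reads a packet capture and reports which of the cleartext protocols in the table above still carry credentials, with the passwords redacted and the table's encrypted replacement named for each finding. This is an added example, not code from the book; the capture format, hosts and account are constructed.

```python
import base64
import re
from collections import Counter

# Constructed sample capture, one packet payload per line as
# "src:port > dst:port payload". No real traffic is represented.
CAPTURE = """\
10.0.0.5:40112 > 10.0.0.9:21 USER alice
10.0.0.5:40112 > 10.0.0.9:21 PASS hunter2
10.0.0.5:40113 > 10.0.0.9:110 USER alice
10.0.0.5:40113 > 10.0.0.9:110 PASS hunter2
10.0.0.5:40114 > 10.0.0.9:80 GET /inbox HTTP/1.1
10.0.0.5:40114 > 10.0.0.9:80 Authorization: Basic YWxpY2U6aHVudGVyMg==
10.0.0.5:40115 > 10.0.0.9:80 Authorization: Digest username="alice", response="<hash>"
10.0.0.5:40116 > 10.0.0.9:443 <TLS record, opaque>
10.0.0.5:40117 > 10.0.0.9:23 <telnet session bytes>
10.0.0.5:40117 > 10.0.0.9:23 <telnet session bytes>
"""

PORT_PROTO = {21: "FTP", 23: "TELNET", 80: "HTTP", 110: "POP"}
# The chapter's table of encrypted replacements.
USE_INSTEAD = {"FTP": "scp or FTPS", "TELNET": "SSH", "HTTP": "HTTPS",
               "POP": "POPS, KPOP or APOP"}
PACKET = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (.*)$")


def redact(secret):
    """Record that a password was exposed without writing it down anywhere."""
    return f"<redacted, {len(secret)} chars>"


def _finding(proto, server, user, secret):
    return {"proto": proto, "server": server, "user": user,
            "secret": secret, "use_instead": USE_INSTEAD[proto]}


def scan(capture):
    """Walk the capture and record every cleartext credential exposure."""
    findings = []
    pending_user = {}        # flow -> username announced by a USER command
    telnet_seen = set()
    for line in capture.splitlines():
        m = PACKET.match(line)
        if not m:
            continue
        src, sport, dst, dport, payload = m.groups()
        flow = (src, sport, dst, dport)
        proto = PORT_PROTO.get(int(dport))
        if proto is None:
            continue         # e.g. 443: encrypted, nothing readable
        if proto in ("FTP", "POP"):
            if payload.startswith("USER "):
                pending_user[flow] = payload[5:].strip()
            elif payload.startswith("PASS "):
                findings.append(_finding(proto, dst, pending_user.get(flow, "?"),
                                         redact(payload[5:].strip())))
        elif proto == "HTTP" and payload.startswith("Authorization: Basic "):
            # Basic is base64 encoding, not encryption: anyone on the path
            # reads it. "Authorization: Digest" carries only a hash and is
            # deliberately not flagged.
            creds = base64.b64decode(payload.split()[-1]).decode("utf-8", "replace")
            user, _, password = creds.partition(":")
            findings.append(_finding(proto, dst, user, redact(password)))
        elif proto == "TELNET" and flow not in telnet_seen:
            telnet_seen.add(flow)
            findings.append(_finding(proto, dst, "?",
                                     "<entire session in cleartext>"))
    return findings


def summary(findings):
    """Exposures per cleartext protocol, for a quick inventory."""
    return Counter(f["proto"] for f in findings)
```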

9.2.8.2 Keystroke recorders and keyboard sniffers

Instead of compromising your Internet connection, an attacker can compromise your very computer system with a program or a physical device that records your keystrokes. These devices can record everything you type, including your username, your password, the credit card numbers that you type, and your correspondence. Some devices store the information until it is retrieved at a later point in time, while other devices attempt to covertly transmit the information to somewhere else on the Internet.

Keystroke recorders can be exceedingly difficult to detect. For example, the KeyKatch manufactured by Codex Data Systems (shown in Figure 9-1) is a device the size of a spool of thread that attaches between a keyboard and a desktop computer. The device records every keystroke typed and cannot be detected except by physical inspection. Such devices can be used for industrial espionage, for spying on household members, or for satisfying prurient interests. On the other hand, the KeyKatch can also be used as a backup device, because it will keep a copy of everything you type and be able to recreate any document or email message should the information be accidentally lost as the result of a computer failure.

Figure 9-1. The KeyKatch is a small device that attaches between a keyboard and a desktop computer and can record more than two million keystrokes (reprinted with permission)

Some programs can be set up to record the information stored on a computer's screen at regular intervals. These screen recorders provide another way to covertly monitor a computer user.

Some keystroke recording programs are sold on the open market for investigation and surveillance work. These programs are also distributed by the computer underground. For example, Back Orifice 2000 is a complex espionage program that allows remote monitoring, screen scraping, file transfer, and encrypted communications; it also supports a plug-in architecture for additional exploits.

Downloaded Software and Web Browser Extensions

In recent years, a large number of companies have developed companion software designed to be downloaded and installed by Internet users.

Examples of such software include the Real Audio player, the Macromind Shockwave player, and Google's "Google Bar." Almost always, this software is distributed for free and Internet users are strongly encouraged to install it.

In many cases, these software downloads are benign. But in a significant number of instances, these programs have been found to leak considerable information back to the companies that are distributing them. For example:

  • In October 1999, computer security expert Richard Smith discovered that the RealJukeBox music player monitored the music that its users were listening to and sent this information back to Real.com's servers. Included in the information sent back was an identification number, allowing the company to identify each of its users: "To make matters worse, it even collected this data when the computer was not connected to the Internet and arranged to transmit it later. This behavior arguably had little to do with the functionality originally offered to consumers."[a]

  • Likewise, Richard Smith discovered that a program called CometCursor, which changed the cursor of a browser to match the "theme" of the visited web site, was silently tracking and transmitting browser records when users browsed member web sites.

In a follow-up survey of 16 browser extension programs, Smith and four other researchers found that half of the browser programs transmitted significant amounts of personal information from the user's web browser to the company that had created the browser add-in program.

They wrote:

We believe that the number of unreported but significant privacy problems in Internet software far exceeds the number of reported privacy-related cases. We also think that most of these unreported problems are best explained by oversight on the part of developers and entrepreneurs unfamiliar with common privacy pitfalls. The Internet is still a relatively new deployment environment, and little guidance is available to those who want to do the right thing. By showing some privacy consequences of early decisions, we hope to help minimize future lapses.[b]

[a] "The Privacy Practices of Web Browser Extensions," by David M. Martin, Jr., Richard M. Smith, Michael Brittain, Ivan Fetch, and Hailin Wu. December 6, 2000, The Privacy Foundation, p. 14.

[b] Ibid, p. 25.

9.2.8.3 Beware of public terminals

Whereas it is relatively unlikely that your home or office computer would be compromised with a keyboard sniffer or screen recorder program, this is not the case with public Internet terminals at trade shows, libraries, and many Internet kiosks. Although it is dangerous to generalize, public Internet terminals have a significantly higher chance of being infected with hostile programs because these terminals are often poorly monitored and because some programs (such as Back Orifice) are so easily installed.

To protect yourself from the hostile programs running on public terminals, you may wish to follow these precautions:

  • Do not use public terminals for the purpose of accessing confidential information sources.

  • If you must use a public terminal while traveling on an extended trip, get a disposable web mail account for the occasion. Do not forward your email to the web mail account. Instead, tell your correspondents of the new address and have them use the new address only for the duration of the trip.

Web Security, Privacy & Commerce
Web Security, Privacy and Commerce, 2nd Edition
ISBN: 0596000456
Year: 2000
Pages: 194