2.2 Password Management

When granting access to a computer system, such access can be restricted by means of controls based on various kinds of identification and authorization techniques. Identification is a two-step function: (1) identifying the user, and (2) authenticating (validating) the user's identity. The most basic systems rely on passwords only. These techniques do provide some measure of protection against the casual browsing of information, but they rarely stop a determined criminal. A computer password is much like a key to a computer. Allowing several people to use the same password is like allowing everyone to use the same key. More sophisticated systems today use SmartCards and/or biometric evaluation techniques in combination with password usage to increase the difficulty of circumventing password protections.

The password methodology is built on the premise that something you know could be compromised by someone getting unauthorized access to the password. A system built on something you "know" (i.e., a password) combined with something you "possess" (i.e., a SmartCard) is a much stronger system. The combination of knowing and possessing, combined with "being" (i.e., biometrics), provides an even stronger layer of protection. Unless an intruder has all three elements, even an obtained password is useless without the card and the right biometrics (e.g., fingerprint, retinal scan).

2.2.1 SmartCards

In general, there are two categories of SmartCards: magnetic strip cards and chip cards. As its name suggests, the magnetic strip card has a magnetic strip containing some encoded confidential information destined to be used in combination with the cardholder's personal code or password. The ChipCard uses a built-in microchip instead of a magnetic strip. The simplest type of ChipCard contains a memory chip holding information, but has no processing capability. The more effective type of ChipCard is the "smart" card, which contains a microchip with both memory to store some information and a processor to process it. Hence, the term SmartCard. Such cards are often used in combination with cryptographic techniques to provide even stronger protection.

2.2.2 Biometric Systems

Biometric systems use specific personal characteristics (biometrics) of an individual (e.g., a fingerprint, a voiceprint, keystroke characteristics, or the "pattern" of the retina). Biometric systems are still considered an expensive solution for the most part, and as a result of the cost, they are not yet in common use today. Even these sophisticated techniques are not infallible. The adage that "if someone wants something bad enough, he will find a way to break in and take it" still holds true.

2.2.3 Characteristics of Good Passwords

Passwords should be issued to an individual and kept confidential. They should not be shared with anyone. When a temporary user needs access to a system, it is usually fairly simple to add him or her to the list of authorized users. Once the temporary user has finished his or her work, the user ID must be deleted from the system. All passwords should be distinctly different from the user ID and, ideally, they should be alphanumeric and at least six characters in length. Administrators should require that passwords be changed regularly, at least every 30 days. It is possible to warn users automatically when their password is about to expire. To ensure that users enter a new password, they should be restricted in their ability to enter the system after the expiration date, although they may be allowed a limited number of grace-period logins.

Passwords must be properly managed. This entails using a password history list that maintains a list of all of the passwords that have been used in the past 6 to 12 months. New passwords should be checked against the list and not accepted if they have already been used. It is good security practice for administrators to make a list of frequently used forbidden passwords, such as names, product brands, and other words that are easy to guess and therefore not suitable as passwords. This list is used in the same way as the history list. Only the system manager should be able to change the password history and forbidden lists.

In modern computing environments, most operating systems conform to these standards and generate passwords automatically. Passwords should be removed immediately if an employee leaves the organization or gives his or her notice of leaving. Finally, it is important to note that extreme care should be taken with the password used by network and system administrators for remote maintenance. Standard passwords that are often used to get access to different systems, for maintenance purposes, should always be avoided.
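The rules in 2.2.3 (at least six alphanumeric characters, distinct from the user ID, rotated at least every 30 days with a limited number of grace-period logins, and rejected if found on the history list or the forbidden list) can be expressed as a small validation routine. The following Python is an added example, not code from the book; the forbidden words, the sample history, the 12-month history window, the five-day warning period and the number of grace logins are assumptions, since the chapter gives no figures for the last three. History entries are stored as hashes rather than plaintext, which is a design choice of the example.

```python
import hashlib
from datetime import date, timedelta

# Policy parameters stated in the chapter.
MIN_LENGTH = 6
MAX_AGE_DAYS = 30
# Assumed values: the chapter gives a 6-12 month range, a warning, and "a limited
# number" of grace logins without fixing the numbers.
HISTORY_MONTHS = 12
WARN_DAYS = 5
GRACE_LOGINS = 3

# Constructed forbidden list: names, product brands and other guessable words.
FORBIDDEN = {"password", "welcome", "acme", "smith", "qwerty"}


def hash_for_history(password: str) -> str:
    """History entries are kept as hashes so the list never holds plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


def validate_new_password(user_id, candidate, history, forbidden=FORBIDDEN, today=None):
    """Return a list of policy violations; an empty list means the password is acceptable.

    history is a list of (hash, date_set) pairs for this user, oldest entries included;
    only entries set within the last HISTORY_MONTHS are enforced.
    """
    today = today or date.today()
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "Alphanumeric" is read here as containing both letters and digits.
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits")
    if user_id.lower() in candidate.lower():
        problems.append("must be distinctly different from the user ID")
    if candidate.lower() in forbidden:
        problems.append("on the forbidden list")
    cutoff = today - timedelta(days=30 * HISTORY_MONTHS)
    digest = hash_for_history(candidate)
    if any(old == digest and when >= cutoff for old, when in history):
        problems.append(f"reused within the last {HISTORY_MONTHS} months")
    return problems


def login_status(password_set_on, grace_logins_used, today=None):
    """Classify a login attempt by password age.

    "ok": within policy; "warn": expiry is WARN_DAYS or fewer away; "grace": expired but a
    grace-period login is still available (user must change the password now); "locked":
    expired and all grace logins are used up.
    """
    today = today or date.today()
    age = (today - password_set_on).days
    if age < MAX_AGE_DAYS - WARN_DAYS:
        return "ok"
    if age < MAX_AGE_DAYS:
        return "warn"
    if grace_logins_used < GRACE_LOGINS:
        return "grace"
    return "locked"


if __name__ == "__main__":
    # Constructed sample: a user who set "Tr4vel99" on 15 Jan 2004 tries to reuse it in June.
    history = [(hash_for_history("Tr4vel99"), date(2004, 1, 15))]
    print(validate_new_password("jsmith", "Tr4vel99", history, today=date(2004, 6, 1)))
    print(validate_new_password("jsmith", "jsmith1", [], today=date(2004, 6, 1)))
    print(login_status(date(2004, 5, 1), 0, today=date(2004, 6, 1)))
```

A real deployment would hold the history and forbidden lists where only the system manager can modify them, as the chapter requires; the functions above only implement the checks.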

2.2.4 Password Cracking

Security experts across industry, government, and academia cite weak passwords as one of the most critical Internet security threats. Although many administrators recognize the danger of passwords based on common family or pet names, sexual positions, and so on, far fewer administrators recognize that even the most savvy users expose networks to risk as a result of the use of inadequate passwords. Data gathered and reported at one of the largest technology companies in the world, [6] where internal security policy required that passwords exceed eight characters, mix cases, and include numbers or symbols, revealed the following startling data:

  • L0phtCrack obtained 18% of the user passwords in only 10 minutes.

  • Within 48 hours, 90% of all the passwords were recovered using L0phtCrack running on a very modest Pentium II/300 system.

  • Administrator and most Domain Admin passwords were also cracked.

Password cracking refers to the act of attempting penetration of a network, system, or resource with or without using tools to unlock a resource secured with a password. Crack-resistant passwords are achievable and practical, but password auditing is the only sure way to identify user accounts with weak passwords. The L0phtCrack software (now called LC4, described as follows) offers this capability.

Windows NT L0phtCrack (LC4)

LC4 is the latest version of the password auditing and recovery application, L0phtCrack. LC4 provides two critical capabilities to Windows network administrators:

  1. It helps system administrators secure Windows-authenticated networks through comprehensive auditing of Windows NT and Windows 2000 user account passwords.

  2. It recovers Windows user account passwords to streamline migration of users to another authentication system or to access accounts whose passwords are lost.

LC4 supports a wide variety of audit approaches. It can retrieve encrypted passwords from stand-alone Windows NT and 2000 workstations, networked servers, primary domain controllers, or Active Directories, with or without SYSKEY installed. The software is capable of sniffing encrypted passwords from the challenge/response exchanged when one machine authenticates to another over the network. This software allows administrators to match the rigor of their password audit to their particular needs by choosing from three different types of cracking methods: dictionary, hybrid, and brute force analysis. These methods are discussed in the next section. Finally, using a distributed processing approach, LC4 provides administrators with the capability to perform time-consuming audits by breaking them into parts that can be run simultaneously on multiple machines.

Password Cracking for Self-Defense

Using a tool such as LC4 internally enables an organization's password auditor to get a quantitative comparison of password strength. This is done by reviewing LC4's report on the time required to crack each password. A Hide feature even allows administrators the option to know whether a password was cracked without knowing what the password was. Password results can be exported to a tab-delimited file for sorting, formatting, or further manipulation in applications such as Microsoft Excel. LC4 makes password auditing accessible to less-experienced password auditors by using an optional Wizard that walks new users through the process of configuring and running their password audit, letting them choose from preconfigured configurations. As mentioned previously, when performing the cracking process, three cracking methods (dictionary, hybrid, and brute force analysis) are used. In his Web-based article [7] "Hacking Techniques: Introduction to Password Cracking," Rob Shimonski provides an excellent description of these three methods, as follows:

  1. Dictionary attack. A simple dictionary attack is by far the fastest way to break into a machine. A dictionary file (a text file full of dictionary words) is loaded into a cracking application (such as L0phtCrack), which is run against user accounts located by the application. Because most passwords are simplistic, running a dictionary attack is often sufficient to do the job.

  2. Hybrid attack. Another well-known form of attack is the hybrid attack. A hybrid attack will add numbers or symbols to the filename to successfully crack a password. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month password is "cat"; second month password is "cat1"; third month password is "cat2"; and so on.

  3. Brute force attack. A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password. Some brute force attacks can take a week depending on the complexity of the password. L0phtcrack can also be used in a brute force attack.
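To make the three audit methods and the Hide feature from "Password Cracking for Self-Defense" concrete, here is an added Python self-audit example; it is not code from the book, from LC4 or from Shimonski's article. It uses a constructed salted SHA-256 hash in place of the LM or crypt() formats the chapter discusses, a constructed six-word dictionary and four constructed accounts; the brute-force stage is deliberately bounded to lowercase strings of at most three characters so the run finishes instantly. The report mirrors LC4's Hide option: by default it records whether and by which method an account's password was found, and how many guesses that took, without disclosing the password.

```python
import hashlib
import itertools
import string

# Constructed hash scheme standing in for the real formats; the audit logic is
# independent of the hash function.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed wordlist and accounts (assumed data, not from the book).
WORDLIST = ["password", "cat", "dog", "summer", "welcome", "letmein"]

ACCOUNTS = {
    "alice": ("5a1t", hash_password("5a1t", "cat2")),           # dictionary word plus digit
    "bob":   ("f00d", hash_password("f00d", "summer")),         # plain dictionary word
    "dave":  ("b33f", hash_password("b33f", "qx")),             # short, within brute-force bound
    "carol": ("c0de", hash_password("c0de", "Tq7#vL9!pR2m")),   # survives all three stages
}


def dictionary_guesses(words):
    """Dictionary method: try each word exactly as listed."""
    yield from words


def hybrid_guesses(words, max_number=99, symbols="!#$"):
    """Hybrid method: each word followed by a number 0..max_number or a symbol."""
    for word in words:
        for n in range(max_number + 1):
            yield f"{word}{n}"
        for s in symbols:
            yield f"{word}{s}"


def brute_force_guesses(alphabet=string.ascii_lowercase, max_len=3):
    """Brute-force method: every string over the alphabet up to max_len (bounded for the demo)."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


# Cheapest method first, as an auditor would schedule them.
METHODS = [
    ("dictionary", lambda: dictionary_guesses(WORDLIST)),
    ("hybrid", lambda: hybrid_guesses(WORDLIST)),
    ("brute force", lambda: brute_force_guesses()),
]


def audit_account(salt, stored_hash):
    """Return (method, password, guesses) for the first successful method,
    or (None, None, total_guesses) if no stage recovers the password."""
    guesses = 0
    for name, make_guesses in METHODS:
        for candidate in make_guesses():
            guesses += 1
            if hash_password(salt, candidate) == stored_hash:
                return name, candidate, guesses
    return None, None, guesses


def audit(accounts, hide=True):
    """Audit every account. With hide=True (the Hide feature) the report says whether
    and how each password was found, and how many guesses it took, but not what it was."""
    report = {}
    for user, (salt, stored_hash) in accounts.items():
        method, password, guesses = audit_account(salt, stored_hash)
        report[user] = {
            "cracked": method is not None,
            "method": method,
            "guesses": guesses,
            "password": None if hide else password,
        }
    return report


if __name__ == "__main__":
    for user, result in audit(ACCOUNTS).items():
        status = f"cracked by {result['method']}" if result["cracked"] else "not cracked"
        print(f"{user:6s} {status} after {result['guesses']} guesses")
```

The guess count is the quantitative strength measure the chapter describes LC4 reporting as time-to-crack: an account found in 4 guesses and one that survives all 18,902 guesses in this bounded run sit at opposite ends of the report, and the ordering holds regardless of the hash function in use.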

Unix "Crack"

Crack is a password-guessing program that is designed to quickly locate insecurities in Unix password files by scanning the contents of a password file, looking for users who have misguidedly chosen a weak login password. This program checks Unix operating system user passwords for guessable values. It works by encrypting a list of the most likely passwords and checking to see if the result matches any of the system users' encrypted passwords. It is surprisingly effective. The most recent version of Crack is Version 5.0.

Crack v5.0 is a relatively smart program. It comes preconfigured to expect a variety of crypt() algorithms to be available for cracking in any particular environment. Specifically, it supports "libdes" as shipped, Michael Glad's "UFC" in either of its incarnations (as "ufc" and as GNU's stdlib crypt), and it supports whatever crypt() algorithm is in your standard C library. Crack v5.0 takes an approach where the word guesser sits between two software interfaces:

  1. Standard Password Format (SPF)

  2. External Library Crypt Interface Definition (ELCID)

When Crack is invoked, it first translates whatever password file is presented to it into SPF; this is achieved by invoking a utility program called "xxx2spf." The SPF input is then filtered to remove data that has been cracked previously, is sorted, and then passed to the cracker, which starts generating guesses and tries them through the ELCID interface, which contains a certain amount of flexibility to support salt collisions (which are detected by the SPF translator) and parallel or vector computation.

John the Ripper

John the Ripper is a password cracker. Its primary purpose is to detect weak Unix passwords. It has been tested with many Unix-based operating systems and has proven to be very effective at cracking passwords. Ports of this software product to DOS and Windows environments also exist. To run John the Ripper, you must supply it with some password files and optionally specify a cracking mode. Cracked passwords will be printed to the terminal and saved in a file called /user_homedirectory/john.pot. John the Ripper is designed to be both powerful and fast. It combines several cracking modes in one program and is fully configurable for your particular needs. John the Ripper is available for several different platforms, which enables you to use the same cracker everywhere. Out of the box, John the Ripper supports the following ciphertext formats:

  • Standard and double-length DES-based format

  • BSDI's extended DES-based format

  • MD5-based format (FreeBSD among others)

  • OpenBSD's Blowfish-based format

With just one extra command, John the Ripper can crack AFS passwords and WinNT LM hashes. Unlike other crackers, John does not use a crypt(3)-style routine. Instead, it has its own highly optimized modules for different ciphertext formats and architectures. Some of the algorithms used could not be implemented in a crypt(3)-style routine because they require a more powerful interface (bitslice DES is an example of such an algorithm).

2.2.5 Password Attack Countermeasures

One recommendation for self-defense against password cracking is to perform frequent recurring audits of passwords. It is also often a good idea to physically review workstations to see if passwords are placed on sticky notes or hidden under a keyboard, tacked on a bulletin board, and so on. You should set up dummy accounts and remove the administrator account. The administrator account is sometimes left as bait for tracking someone who has been detected attempting to use it. Finally, set local security policy to use strong passwords and change them frequently.


Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153