Section 1.1. Passwords


Passwords are a mechanism designed to authenticate a user, that is, to bind the identity of the user to an entity on the computer (such as a process). A password is a sequence of characters that confirms the user's identity.[3] If an attacker guesses the password associated with an identity, the attacker can impersonate the legitimate user with that identity.

[3] Matt Bishop, Computer Security: Art and Science (Reading, MA: Addison Wesley Professional, 2003).

Problems with passwords are well known; one of the earliest ARPANET RFCs[4] warned that many passwords were easy to guess. But a well-known problem is usually an unsolved problem. Reid's lament involved someone guessing a password on a poorly maintained system, and from there intruding upon a large number of systems at a major university. In the early 1990s, CERT announced that many attackers were using default administrative passwords to enter systems.[5] In the early 2000s, a CERT advisory reported a "back door" account in a database system with a known password.[6] SANS includes password selection issues as two of the current Top 20 Vulnerabilities, as well as several exploits that depend upon accounts with no passwords or with passwords set by the vendor.[7] For example, the SQLSnake/Spida Worm exploits an empty password for the default administrative account for Microsoft SQL Server.

[4] Bob Metcalfe, "The Stockings Were Hung by the Chimney with Care," RFC 602 (1973).

[5] CERT, "Internet Intruder Warning," CERT Advisory CA-1990-02 (Mar. 19, 1990); http://www.cert.org/advisories/CA-1990-02.html.

[6] CERT, "Interbase Server Contains Compiled-In Back Door Account," CERT Advisory CA-2001-01 (Jan. 11, 2001); http://www.cert.org/advisories/CA-2001-01.html.

[7] SANS, "Twenty Most Critical Internet Security Vulnerabilities (Updated): The Experts' Consensus," SANS (Oct. 8, 2004); http://www.sans.org/top20.

The principle of psychological acceptability, taken literally, says that passwords should be unnecessary. But the use of passwords to protect systems adds minimal overhead for people who are using the system, provided that the passwords are easy to remember. To be effective, the passwords must also be difficult to guess. So, how can passwords be made easy to remember, yet difficult to guess?

One difficulty in solving this problem lies in balancing the ability of a human to remember a password that an attacker will find difficult to guess against the ingenuity of the attacker. The attacker has the advantage. People choose passwords that they can remember easily. Unfortunately, these are usually easy to guess. Experiments by Morris and Thompson[8] and others[9] were able to guess user passwords for between 25% and 80% of the users. The users typically picked dictionary words, names, and other common words. Amusingly, in one experiment, the analyst was able to determine who was dating whom, because many passwords were, or were derived from, the names of the users' partners.

[8] Robert Morris and Ken Thompson, "Password Security: A Case History," Communications of the ACM 22:11 (Nov. 1979), 594-597.

[9] Matt Bishop and Daniel Klein, "Improving System Security via Proactive Password Checking," Computers & Security 14:3 (Apr. 1995), 233-249.

Part of the problem is that different users have different ideas of what constitutes a password that is difficult to guess.[10] When warned not to use names as passwords, one user changed his password to "Barbara1". Foreign words are also common; one guessed password was a Mandarin phrase meaning "henpecked husband." Another was the Japanese word for "security." In the latter case, the American user was stunned when someone guessed the password quickly, because he never expected an attacker to try a Japanese word.

[10] See Chapter 32 of this volume, by Anne Adams and M. Angela Sasse, "Users Are Not the Enemy."

System administrators, system programmers, and others who have been the victims of attacks involving guessed passwords, or who run programs that guess passwords as a preventative measure, usually understand the need for passwords that are difficult to guess, and appreciate how resourceful password guessers can be. Users of home systems, who surf the Web, exchange email, write letters, print cards, and balance budgets, may or may not understand the need for good passwords, and almost always underestimate how resourceful attackers can be. The success of war driving, in which people attempt to piggyback onto wireless networks, attests to this. Most home wireless access points are left configured with default settings that allow anyone to use the network without a password and further allow the network to be administered with the default password. Many users simply plug in their equipment, notice that it works, and never bother to read the accompanying manual, let alone configure their equipment for secure operation. These users do not make this choice deliberately, and are generally unaware of the consequences.

Attempts to educate users meet with varied success. The most successful methods involve providing immediate feedback to the user, with an explanation of why the proposed password is poor. This must be done carefully. One organization circulated a memorandum describing how to select good passwords. The memo gave several examples. Attackers simply tried the passwords used in the examples, and found that several users had used them.

The proper selection of passwords is a classic human factors problem. Assigning passwords selected at random can be shown to maximize the expected time needed to guess a password. But passwords with randomly selected characters are difficult to remember. So, random passwords, and especially multiple random passwords, result in people either writing the passwords down on paper or forgetting them. Either outcome defeats the purpose of passwords. A proper selection method must somehow balance the need to remember a password with the need to make that password as random as possible.

Proactive password checking subjects a user-proposed password to a number of tests to determine how likely the password is to be guessed. This is a viable approach, provided that the tests are well drawn. One potential problem is that an attacker can determine from the tests which potential passwords need not be tried. The set of potential passwords must be large enough to prevent attackers from trying them all. A USENET posting[11] illustrated the necessity of this requirement. It described a (mock) set of characteristics of passwords that were difficult to guess. It then asserted that only one word met these criteria, so everyone had to use the same password!

[11] Frans Meulenbroeks, "Rules for the Selection of Passwords," rec.humor.funny (July 3, 1992); http://www.netfunny.com/rhf/jokes/92q3/selpass.html.
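A small proactive password checker, added here as an illustration (it is not code from the book). Its tests mirror the weak choices the chapter describes: dictionary words, personal names (including a name with a digit appended, as in "Barbara1"), reversed words, and words from other languages. The word lists and the minimum length are constructed assumptions, and `prune_candidates` shows the chapter's caveat from the other side: every candidate the checker rejects is one a guesser can skip, so overly narrow rules shrink the space that remains.

```python
"""Proactive password checker (illustrative example; word lists are constructed)."""
import re
from typing import List, Optional

# Constructed sample lists; a deployed checker would load large word lists.
DICTIONARY = {"password", "security", "secret", "welcome", "dragon", "monkey"}
NAMES = {"barbara", "robert", "ken", "matt", "daniel", "angela"}
# Romanized stand-ins for the Japanese and other non-English words the chapter mentions.
FOREIGN_WORDS = {"anzen", "himitsu", "sicherheit", "seguridad"}

MIN_LENGTH = 8  # assumed policy value, not taken from the chapter


def classify(word: str) -> Optional[str]:
    """Name the list a lowercase word belongs to, or None if it is in none of them."""
    if word in DICTIONARY:
        return "dictionary word"
    if word in NAMES:
        return "personal name"
    if word in FOREIGN_WORDS:
        return "word in another language"
    return None


def check_password(pw: str) -> List[str]:
    """Return the reasons a proposed password is easy to guess (empty list = accepted)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        reasons.append("digits only")
    # Undo the common tweak of appending digits, then try the word and its reversal.
    core = re.sub(r"\d+$", "", pw.lower())
    for candidate in (core, core[::-1]):
        kind = classify(candidate)
        if kind:
            reasons.append(f"{kind}: {candidate!r}")
            break
    return reasons


def prune_candidates(candidates: List[str]) -> List[str]:
    """Guesser's view of the same rules: a rejected candidate cannot be a live
    password, so only the survivors need to be tried."""
    return [c for c in candidates if not check_password(c)]


if __name__ == "__main__":
    for pw in ["Barbara1", "drowssap", "anzen", "Tr0ub4dor&3"]:
        print(pw, "->", check_password(pw) or "accepted")
```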

Various attempts to balance the needs of memory and randomness mix randomly generated passwords with human-selected passwords. One common approach, used by Microsoft, Apple, and other vendors, is to supply a "wallet" or "key ring" for passwords. The user enters her passwords, and their associated target, into the key ring, and chooses a "master password" to encipher the ring. Whenever a password is needed, the user supplies the single master password, and the system deciphers the appropriate entry in the ring. This allows the user to save many passwords at the price of remembering only one. An obvious extension allows the passwords on the key ring to be generated randomly.

This approach tries to implement the principle of psychological acceptability by making passwords as invisible as possible. The user needs to remember only one password for all her different systems. But an attacker without access to the key ring must discover a different password for each system for that user. If the passwords are chosen randomly, and the set of possible passwords is large enough, guessing the chosen password is highly unlikely.

There are two important weaknesses to this approach. The first lies in the phrase "without access to the key ring." If the attacker gains that access, she needs to guess only the master password to discover all the other passwords. So, the problem of password guessing has not been eliminated; it has been reduced to the user having to select one password that is difficult to guess. The second problem springs from this need. What happens if the user forgets her master password? In most implementations of the key ring, the system cannot recover the master password (because if the system can do so, an attacker can also). Hence, the user must change all passwords on the key ring, as the originals cannot be recovered either, and select a new master password.

This demonstrates a failure to meet one aspect of the principle of psychological acceptability. If the security mechanism depends upon a human, what happens if the human fails? Logic dictates that this should never happen, and if it does, it is the human's problem. But logic must account for the frailties of human beings, and the principle of psychological acceptability speaks to human failure. How do you recover?

Another approach is to base authentication on criteria in addition to a password, such as possession of a smart card or a biometrics measurement. In principle, if a password is discovered, the attacker cannot immediately gain access to the protected system. Again, the principle of psychological acceptability comes into play; the additional requirement must be acceptable. Swiping an identification card, or entering a number displayed on a token, might be acceptable. In most cultures and computing environments, testing the DNA of the user would not be.

Other authentication techniques abound. The chapters in Part II of this book, Authentication Mechanisms, discuss several, including variants on passwords. The key question that one must answer in order to use the authentication techniques described in those chapters is whether the techniques balance effectiveness and usability to the satisfaction of both the users and the managers.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295