2.3 Passwords: A Key Point for Good Security

[Danger level 5]

Good passwords and a good password policy are absolutely critical to the security of any computer. Some of this will be familiar to experienced SysAdmins, but everyone gets busy at times, so this is a good time to review these issues and make the necessary changes. Even the author's systems were in need of a password "tune-up." Advise your users not to let anyone know their passwords or watch them type a password in. Explain that they should not tell a significant other, their boss, or even you what password they are using.

Ask each of them to report to you if anyone tries to obtain a password or if someone might have obtained one. Explain that your interest is only in security and that the user's name in any such report will be kept confidential.

2.3.1 Avoiding Weak and Default Passwords

[Danger level 5]

Some distributions of Linux have shipped with no password at all on some system accounts, though modern popular distributions do not seem to have this problem. Still, you certainly want to check by inspecting the text files /etc/passwd and /etc/shadow. The second colon-separated field of /etc/passwd should contain either "x", indicating that the password hash lives in /etc/shadow, or a lock marker such as "*" or "!!", indicating that the account cannot be logged into with a password; it should never be empty, because an empty field means no password is required. Similarly, the second field of /etc/shadow should contain a hashed password or one of the lock markers, and again never be empty. The pwck utility from the shadow suite checks both files for consistency.
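The check described above, written out as an added example (this is not code from the book). It parses the two files and flags empty password fields, hashes left behind in the world-readable /etc/passwd, and accounts marked "x" that have no /etc/shadow entry. The file contents embedded below are constructed sample data, not copied from any real system; on a live machine you would read the real files as root.

```python
"""Audit /etc/passwd and /etc/shadow for accounts with no password or with
password hashes that were never moved into the shadow file.

Added example, not the book's code. PASSWD_SAMPLE and SHADOW_SAMPLE are
constructed test data; the hash strings in them are placeholders."""

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:*:2:2:daemon:/sbin:/sbin/nologin
games::12:100:games:/usr/games:/sbin/nologin
legacy:Kx8w7v0yX3Nzk:500:500:Old Account:/home/legacy:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
orphan:x:1001:1001:No shadow entry:/home/orphan:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$6$saltsaltsaltsalt$placeholderhashnotreal:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
games:!!:19000:0:99999:7:::
alice::19000:0:99999:7:::
"""

# Values meaning "no usable password" rather than a real hash.
LOCK_MARKERS = ("*", "!", "!!")


def parse_colon_file(text):
    """Return {username: second_field} for a passwd- or shadow-format file."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields[1]
    return entries


def audit(passwd_text, shadow_text):
    """Return a sorted list of (username, problem) tuples.

    Flags an empty password field in either file (login without a
    password), a real hash left in the world-readable passwd file, and an
    'x' in passwd with no matching shadow entry."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    problems = []
    for user, field in passwd.items():
        if field == "":
            problems.append((user, "empty password field in /etc/passwd"))
        elif field == "x":
            if user not in shadow:
                problems.append((user, "shadowed in /etc/passwd but missing from /etc/shadow"))
        elif field not in LOCK_MARKERS:
            problems.append((user, "password hash stored in world-readable /etc/passwd"))
    for user, field in shadow.items():
        if field == "":
            problems.append((user, "empty password field in /etc/shadow"))
    return sorted(problems)


def audit_system():
    """Run the audit against the live files (requires root to read shadow)."""
    with open("/etc/passwd") as p, open("/etc/shadow") as s:
        return audit(p.read(), s.read())


if __name__ == "__main__":
    for user, problem in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user}: {problem}")
```

Running the sample flags games (empty field in passwd), alice (empty field in shadow), legacy (hash never converted by pwconv), and orphan (no shadow entry); root, bin, and daemon pass.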

It is unfortunate that unsuitable passwords are so often used (and allowed), because they have the effect of eliminating all security. Since a password is, by definition, a sequence of characters known only to the person or persons allowed to use an account, it should be hard to guess both for someone who knows the person and for a stranger. The ispell dictionary shipped on most Linux systems is all a cracker needs to break weak passwords. So are the word lists offered by various cracker sites and by

ftp://ftp.zedz.net/pub/crypto/wordlists/

Most distributions now offer shadow passwords, kept in the /etc/shadow file, which is readable only by root. This prevents an ordinary user, or anyone else who obtains a copy of the world-readable /etc/passwd, from taking the password hashes to his own system, running a password-cracking program like John the Ripper[a] against them at leisure, and then logging in as root. The pwconv and grpconv utilities, standard on most distributions, convert existing nonshadowed password and group files into shadowed ones.

Use of shadowed passwords should be considered mandatory.


[a] John the Ripper can crack DES, double DES, MD5, and other common hashed passwords. Because the crackers have it, you should have it too and see if your passwords can be cracked easily. It is on the CD-ROM (but it is not on the Web site) and it is available at: www.openwall.com/john/

There are alternatives to a typed password that have some advantages, and they are even more powerful when used in conjunction with typed passwords. These include smartcards and similar tokens, and biometrics. Biometric devices measure a physical attribute, such as the length of your fingers or your fingerprint. Retinal scanners are not yet inexpensive enough for wide use. Some people are fans of one-time passwords.

At one company where I was acting in a consulting capacity, the policy was that a standard password was used for all new employee accounts used for booking customer orders, and I discovered that half of the 400 accounts on the system still had this default password.

When I, as the SysAdmin, sent these people e-mail asking them to change their passwords and sent follow-up e-mail threatening to disable the account of anyone who did not change his password, I almost got fired for "interfering with the users' work." This policy continued even when massive layoffs started. Fortunately, there were no security violations.

Well, at least the new accounts that I created each got a different initial password, so these accounts were safe. The shadow password suite offers password aging (the chage command) to force users to change an initial password, and to take care of related problems.


A password should not be a name or other sequence of characters that others would associate with the person. The following is a list of types of easily guessed passwords that should not be used.

  • The name of the account or computer itself (yes, some people do this)

  • The word "password" or some variation (I have seen this recently)

  • References associated with the account or containing the account name itself, e.g., root, g0d, p0wer, wheel, or similar for the root account

  • Any reference to Star Trek, Star Wars, Dr. Who, or gaming; we all know these

  • Any part of the account holder's name, initials, family or significant other, pet, vehicle type, plane or boat details, hobby or pastime, hero or villain, car tag or license plate, phone number, birthdate, anniversary, postal address, e-mail address, Social Security (government identification) number

  • References to your employer or associates

  • Anything that appears on your Web site

  • Favorite food, beverage, or restaurant, other guessable personal information

  • Your alma mater or references associated with it

  • Sexual interests (someone probably knows them)

  • Beliefs

  • A well-known word or name from science, sports, or politics, e.g., Einstein, Braves, or Gore

  • Commonly known names, places, events, ideas, or phrases

  • Any word or pair of words in the dictionary, including those of foreign languages

  • The same character repeated or obvious sequences, such as abcde, edcba, or qwerty

  • Passwords used in examples, such as secret and xyzzy

  • Any of the above with the "clever" substitution of zero for the letter "o", the digit "1" for the letter "l", "8" for "ate", etc. Crackers do this as a matter of course so they will ferret out your use of these.

  • Any of the above spelled backward or with various letters capitalized

In short, do not use a password that anyone who knows you might know, or which a cracker might be able to guess (e.g., words from science fiction, computer technology, or common foods).

A study done by Helen Petrie of City University in London, England, confirms that most passwords are based on something easily guessable. About 50 percent of them are derived from the name of a family member, significant other, or pet, and 30 percent use an entertainment or sports hero. Words describing fantasies, commonly of a sexual nature, comprise 10 percent. Only 10 percent use a cryptic combination; these are tough to break. This was reported on cnn.com on March 13, 2002. My recommendations on password selection, recommendations that have not needed changing since the first edition of this book, predate this study by two years.


A password also should pass what I call The Thompson Test. This means that it should not match any of the following password "cracking" algorithms.

  • One to six ASCII characters

  • Seven or eight lowercase letters

  • Any word from a large dictionary such as /usr/lib/ispell/ispell.words, /usr/share/dict/linux.words, or /usr/games/lib/hangman-words, or such a word spelled backward or written with the digit "1" instead of the letter "l", the digit "0" instead of the letter "o", or the digit "3" instead of the letter "e"[14]

    [14] These variations on dictionary words using digits were not part of Ken Thompson's test but are now common guesses in the cracker community. See Password Security: A Case History, by Robert Morris and Ken Thompson, Communications of the ACM 22(11), November 1979.

  • Any pair of words from a large dictionary or words spelled backwards.

I call this The Thompson Test because, for research purposes, Ken Thompson used these algorithms to see how many passwords he could crack. He used the /etc/passwd file from Berkeley's Cory Hall system because it had the most users of any UNIX system at the time.

He cracked 996 of the 1000 passwords. Of the four passwords not cracked, root's and mine were included. I received an official request from Ken for my password so he could understand why the algorithms failed.


Sheesh, this seems to leave KH*&^)g@# and equally impossible-to-remember passwords. It does not have to. Pick two or even three unrelated words, add at least two nonalphanumeric characters such as punctuation, and capitalize one or more letters in the words other than the first letter of each word.
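A checker that applies the Thompson Test as listed above, added here as an example; it is not the book's code and not Ken Thompson's program. WORDS is a constructed stand-in for a large dictionary such as /usr/share/dict/words (load_words shows how a real file would be used), and the digit substitutions it undoes are the three named in footnote 14.

```python
"""Reject passwords that the guessing algorithms of the "Thompson Test"
would find: short strings, short all-lowercase strings, dictionary words
and pairs of words, including reversed and digit-substituted forms.

Added example, not the book's code. WORDS is a tiny constructed
dictionary standing in for a real word list."""

WORDS = {
    "password", "secret", "phaser", "vote", "gore", "bush", "trek",
    "linux", "root", "god", "power", "wheel", "einstein", "braves",
    "xyzzy", "hello", "world", "open", "sesame",
}

# Digit-for-letter substitutions that crackers undo as a matter of course.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e"})


def load_words(path):
    """Load a real dictionary file (one word per line), lowercased."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return {line.strip().lower() for line in fh if line.strip()}


def candidates(password):
    """Every form a cracker would try: case-folded, de-leeted, reversed."""
    low = password.lower()
    forms = {low, low.translate(LEET)}
    return forms | {f[::-1] for f in forms}


def is_word_pair(s, words):
    """True if s splits into two dictionary words at some position."""
    return any(s[:i] in words and s[i:] in words for i in range(1, len(s)))


def fails_thompson_test(password, words=WORDS):
    """Return the reason the password is weak, or None if it survives."""
    if len(password) <= 6:
        return "six or fewer characters: trivially brute-forceable"
    if len(password) <= 8 and password.isalpha() and password.islower():
        return "seven or eight lowercase letters: brute-forceable"
    for form in candidates(password):
        if form in words:
            return f"dictionary word (matched as {form!r})"
        if is_word_pair(form, words):
            return f"pair of dictionary words (matched as {form!r})"
    return None


if __name__ == "__main__":
    for pw in ["secret", "abcdefgh", "dr0wssap", "HelloWorld", "votE\\z0rO"]:
        print(f"{pw!r}: {fails_thompson_test(pw) or 'passes'}")
```

Note that "dr0wssap" is caught because its reversed, de-leeted form is "password", and "HelloWorld" because it is two dictionary words; the book's own example votE\z0rO survives because the punctuation breaks the pair split.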

There is an additional variation used for account passwords in Linux and UNIX, called the salt. Whenever a password is set for an account, a random string, the salt, is generated and combined with the password before hashing, so that the same password does not always produce the same hash. In the traditional DES-based crypt() the salt is two characters; the newer MD5 and SHA-based schemes (hashes beginning with "$1$" or "$6$") use longer salts. When the password is stored in /etc/passwd or /etc/shadow, the salt is stored in the clear at the start of the hashed password, because it is needed again to check a login attempt.

The reason for the salt is so that even if the same password is used by two users on a system or by the same user on different systems, the encrypted password for each is different. The purpose is to prevent the mass cracking of passwords by crackers. Before the salt technique was added, a cracker would generate the encrypted password for, say, each word in a dictionary and then compare the encrypted password to that of each user's password in /etc/passwd. Thus, if there were 100 accounts, the cracker only had to encrypt that word from the dictionary once.

However, because each of those 100 users has different salt, this no longer works. For each user, the cracker must extract the salt from /etc/passwd or /etc/shadow, add that to the dictionary word, encrypt, and compare to that user's encrypted password. Thus, the cracker's required effort is multiplied by the number of accounts, 100 in this example.
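The arithmetic of the preceding three paragraphs, carried out as an added example (not the book's code). hashlib.sha256 is a stand-in for the crypt(3) routine Linux actually uses, the 100 accounts and 12-word dictionary are constructed, and the salt alphabet is the one crypt() uses. The point is the operation count: the unsalted attack hashes each dictionary word once for all accounts, while the salted attack must redo the work per account.

```python
"""Show why a per-account salt multiplies a cracker's work by the number
of accounts.

Added example, not the book's code. sha256 stands in for crypt(3); the
accounts and word list are constructed test data."""

import hashlib
import random
import string

# crypt(3) draws its salt characters from this alphabet.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"

DICTIONARY = ["password", "secret", "letmein", "qwerty", "phaser", "trek",
              "einstein", "braves", "gore", "xyzzy", "welcome", "dragon"]


def hash_password(password, salt=""):
    """Toy stand-in for crypt(3): hash salt||password, store as salt$hex."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def make_accounts(n, salted, rng):
    """n accounts whose passwords are dictionary words; 2-char salt if salted."""
    accounts = {}
    for i in range(n):
        word = DICTIONARY[i % len(DICTIONARY)]
        salt = "".join(rng.choice(SALT_ALPHABET) for _ in range(2)) if salted else ""
        accounts[f"user{i:03d}"] = hash_password(word, salt)
    return accounts


def crack_unsalted(accounts, dictionary):
    """Hash each word once, then look every account up. Returns (cracked, ops)."""
    table = {hash_password(w): w for w in dictionary}  # len(dictionary) hashes
    cracked = {u: table[h] for u, h in accounts.items() if h in table}
    return cracked, len(dictionary)


def crack_salted(accounts, dictionary):
    """Hash every word once per account, using that account's own salt.

    Scans the whole dictionary for every account (no early exit) so that
    ops is exactly words x accounts. Returns (cracked, ops)."""
    cracked, ops = {}, 0
    for user, stored in accounts.items():
        salt = stored.split("$", 1)[0]  # salt is stored in the clear
        for word in dictionary:
            ops += 1
            if hash_password(word, salt) == stored:
                cracked[user] = word
    return cracked, ops


def compare(n_accounts=100, seed=1):
    """Run both attacks against n_accounts accounts and report the costs."""
    rng = random.Random(seed)
    unsalted = make_accounts(n_accounts, salted=False, rng=rng)
    salted = make_accounts(n_accounts, salted=True, rng=rng)
    c1, ops1 = crack_unsalted(unsalted, DICTIONARY)
    c2, ops2 = crack_salted(salted, DICTIONARY)
    return {
        "unsalted_cracked": len(c1), "unsalted_ops": ops1,
        "unsalted_distinct_hashes": len(set(unsalted.values())),
        "salted_cracked": len(c2), "salted_ops": ops2,
        "salted_distinct_hashes": len(set(salted.values())),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With 100 accounts and a 12-word dictionary, the unsalted attack costs 12 hash operations and the salted one 1,200, exactly the factor of 100 the text describes; both crack every account, since the salt hides nothing from a cracker willing to do the extra work. Note also that without salt only 12 distinct hashes appear for 100 users, revealing at a glance who shares a password.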

Some of the following make good passwords. In each case intermix the words with punctuation or other nonalphanumeric characters and capitalize a letter other than the first letter of each word, for example votE\z0rO. (Control characters are sometimes suggested as well, but many of them are intercepted by the terminal driver or the application before they reach the password prompt, so punctuation is the safer choice.)
  • The first or second letter from each word of an obscure phrase

  • An unusual word from one category such as science fiction and an unusual and unrelated word from another category such as politics. No, phaser>Gore or phaser=Bush is not a good password.

  • The name of your first crush and first computer (if different)

  • A musical group or song if uncommon and your mother's birthdate (your brother's birthdate would not be good because he may know your musical preferences; moms usually do not)

  • An old phone number or street address and a roommate from long ago's last name or peculiarity

  • Ideas obtained from looking around your bookshelf and office for disparate names to combine

The password also should be one that can be memorized so that it does not need to be written down. Passwords should not be written down, especially not on paper stored near the terminal or where someone might know to look for it. They should not be stored on a computer or magnetic or optical media unless in a suitably encrypted form.

A password that is used for a high-security application should also not be used as the password for a low-security application nor should it be used in unrelated high-security applications. A high-security application would be where money or very confidential information is handled such as online banking or e-commerce, and confidential government, company, or medical information. A low-security application is where the password might not be kept confidential or might be sniffed, such as registration for an online public use information service, chat room, telnet over unsecured lines, access to a public terminal, etc.

The reason is that low-security applications are not to be trusted. Although some might maintain good security, some might not. After all, "it is only a chat room." Thus, you might be giving enough of your high-security password away to someone untrustworthy that you compromise your high-security application. Similarly, unrelated passwords should be used for different high-security applications.

Even though information "at the office" is very confidential, do you want a cracker sniffing the corporate network to find out your banking or Amazon password? Certainly, SSH should be used for TCP sessions going over untrusted networks, such as the Internet, regardless of whether it is a connection into the corporate network or otherwise. See "Protecting User Sessions with SSH" on page 409.


If left to their own devices many users will pick weak passwords. There are three solutions:

  1. Pick the users' passwords for them. They will not like this.

  2. Run a password cracker frequently and require users whose passwords get cracked to change them. John the Ripper is highly regarded both by SysAdmins and crackers. If it cannot crack a password, most crackers will not be able to. Its installation and use is discussed in "John the Ripper" on page 599.

  3. Check passwords when users try to change them with passwd. One excellent solution is to use cracklib and call it from the passwd program. (This is done by default on Red Hat since at least 6.0.) The cracklib library knows the algorithms that Crack uses to crack passwords and tests whether an offered password is vulnerable to them; it does not contain the code to crack passwords, so having it on your system presents no security risk. A PAM-enabled version of passwd, which is standard on Red Hat and other distributions, already has this capability built in through the pam_cracklib module. This is discussed in "The Seven Most Deadly Sins" on page 27.


Real World Linux Security (Prentice Hall PTR Open Source Technology Series), 2002, 260 pages.
