Authentication Management


Authentication management is a combination of user education and appropriate use of technology. Users have to understand the importance of protecting their identifier and password and how to select good passwords. Technological solutions need to be implemented to help the user select good passwords and to be able to apply the appropriate level of security to the resources as needed.

Password Selection

The selection of passwords is still paramount to system security. A good password is one that resists the password-cracking methods described below and is still easy for its owner to remember.

Password management is primarily a user issue. Education of users is paramount in the maintenance of password security. This education should include how to set passwords, how to select good passwords, and the importance of passwords. Users must understand that poor passwords jeopardize their work, as well as the work of everyone else who uses the system.

System managers should be vigilant about passwords. Password cracking is the most effective method of gaining privileges in a system. You can run password crackers against your own system, but this takes a lot of computing resources and requires that a copy of the cracking software and a customized dictionary be kept on the system, where they could fall into the wrong hands. It has been suggested that these dictionaries can be pre-encrypted and stored on tape, so you do not have to run the password-cracking software at all: you only have to match the encrypted passwords to the encrypted words from the tape. This would use less processing time but require more time for the tape processing.

It may be better to take the proactive choice of installing a package that evaluates the quality of a password at the moment the user enters it. This does not require the same computational resources, because the password is captured as plain text and can be evaluated rapidly before it is ever stored. There are a number of tools to choose from, including Password+ and npasswd. The tool you select should be flexible enough to let you customize it for your environment by including special dictionaries of words and phrases specific to your industry, your company, or your employees.
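The following is an added illustration of the kind of proactive check such a package performs at password-entry time; it is not code from the book, from Password+ or from npasswd. The word lists are constructed samples standing in for the system dictionary and the site-specific dictionaries the text recommends, and the transformations tried (reversal, stripping of leading or trailing digits and punctuation, undoing common letter-for-digit substitutions) are the ones a dictionary-based cracker would apply, so rejecting them here is what saves the computing resources described above.

```python
"""Proactive password-quality check (added example, not from the book).

Rejects a candidate password if it can be reduced to an entry in one of
several dictionaries, to the account name, to a character sequence, or
to digits alone: the sources that account for most matches in Klein's study.
"""
import re

# Constructed sample dictionaries. A real deployment loads the system
# word list plus site-specific lists (industry terms, company names,
# employee names) from files instead.
COMMON_WORDS = {"password", "welcome", "dragon", "letmein", "sunshine"}
SITE_WORDS = {"acme", "widgetco", "rocket", "payroll"}   # hypothetical company terms
NAMES = {"susan", "michael", "smith", "jones"}

# Common substitutions users make to "disguise" a dictionary word; undoing
# them is exactly what a cracker's rule set does, so the checker does too.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_forms(pw):
    """Variants of the password that a dictionary attack would test:
    lower-cased, reversed, with substitutions undone, and with leading or
    trailing digits/punctuation stripped (with the same variants of that)."""
    base = pw.lower()
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", base)
    forms = set()
    for s in (base, stripped):
        forms.update({s, s[::-1], s.translate(LEET)})
    return {f for f in forms if f}


def is_sequence(pw):
    """Character sequences: repeated characters, alphabetic or numeric runs
    ('abcdef', '654321'), and keyboard rows ('qwerty')."""
    s = pw.lower()
    if len(set(s)) <= 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps <= {0, 1} or steps <= {0, -1}:
        return True
    rows = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
    return len(s) >= 4 and any(s in r or s in r[::-1] for r in rows)


def check_password(pw, username="", min_len=8):
    """Return the list of reasons the password is rejected; an empty list
    means the password passed every check."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.isdigit():
        reasons.append("digits only")
    if is_sequence(pw):
        reasons.append("character sequence or repetition")
    forms = candidate_forms(pw)
    u = username.lower()
    # Substring match so that 'alice' is caught inside 'ecila99!' too;
    # very short account names are skipped to avoid spurious hits.
    if len(u) >= 3 and any(u in f or u[::-1] in f for f in forms):
        reasons.append("derived from the account name")
    for label, words in (("common-word", COMMON_WORDS),
                         ("site-specific", SITE_WORDS),
                         ("name", NAMES)):
        if forms & words:
            reasons.append(f"matches {label} dictionary")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


if __name__ == "__main__":
    for cand in ("P@ssw0rd1", "R0cket#2024", "Ecila99!", "12345678", "Tr0ub4dor&3"):
        verdict = check_password(cand, username="alice") or ["accepted"]
        print(f"{cand:14} {'; '.join(verdict)}")
```

Because the check runs on the plain-text password before it is hashed, each candidate costs a handful of string operations rather than a full encryption pass per dictionary word, which is the point the text makes in favour of this approach over after-the-fact cracking.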

Password cracking, the difficulty users have in selecting good passwords, and the widespread proliferation of network snooping that will compromise even good passwords have together made reusable passwords of limited value locally and a major security issue over an untrusted network. That is why reusable passwords are falling into disfavor and so much effort is being put into one-time passwords.

A study done in 1989 by Dan Klein at Carnegie-Mellon University used these dictionary-based methods to attempt to crack a list of 13,797 actual passwords from a variety of sources. The total dictionary used comprised 62,727 words. This process guessed 3,340 passwords.

Table 10-1. Sources of Passwords [55]

Source of Password       Search Size   Number of Matches   Percent of Total
User/account names               130                 368              2.70%
Character sequences              866                  22              0.20%
Numbers                          427                   9              0.10%
Chinese                          392                  56              0.40%
Place names                      628                  82              0.60%
Common names                    2239                 548              4.00%
Female names                    4280                 161              1.20%
Male names                      2866                 140              1.00%
Uncommon names                  4955                 130              0.90%
Myths and legends               1246                  66              0.50%
Shakespearean                    473                  11              0.10%
Sports terms                     238                  32              0.20%
Science fiction                  691                  59              0.40%
Movies and actors                 99                  12              0.10%
Cartoons                          92                   9              0.10%
Famous people                    290                  55              0.40%
Phrases and patterns             933                 253              1.80%
Surnames                          33                   9              0.10%
Biology                           58                   1              0.00%
Unix dictionary                19683                1027              7.40%
Machine names                   9018                 132              1.00%
Mnemonics                         14                   2              0.00%
King James Bible                7525                  83              0.60%
Miscellaneous words             3212                  54              0.40%
Yiddish words                     56                                  0.00%
Asteroids                       2407                  19              0.10%
TOTAL                          62851                3340             24.30%

[55] Klein, Dan, "Foiling the Cracker: A Survey of, and Improvements to, Password Security," 1989.

Table 10-1 contains the information revealed by the study about the source of passwords selected by users.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210