# Chapter 5. Picking Locks: Password Attacks

IN THIS CHAPTER

• Improving Password Security, and Alternatives to the Standard Password Mechanisms in Mac OS X

Passwords: what an idea. Using a small word as a shared secret to identify the bearer. In the security world, one often hears of identifying oneself by either what you have, what you know, or what you are. A password is an attempt to prove identification through proving what you know, and passwords have been a standard at the gates to castles, the doors to clubs, and the prompts of computers for years. Unix passwords can be a bit more complex than spoken passwords, but the standard scheme limits them to 8 characters in length. When extended to upper and lower case, nonsense words and special characters, there are 6,634,204,312,890,625 passwords enterable from a Pismo PowerBook keyboard available for use in the standard Unix authentication scheme (that is, 95 possible keyboard characters in each of 8 positions: 95 × 95 × 95 × 95 × 95 × 95 × 95 × 95 = 95^8 = 6,634,204,312,890,625 possible passwords).

To make matters worse, people don't naturally make use of anything resembling the entire password space. A statistician might express the randomness available in that 6.6 million billion possible password choices by saying that a password chosen from the space has approximately 53 bits of entropy. That is, 2 raised to the power 52.558844 ≈ 6,634,204,312,890,625.

Using entropy in this fashion is a way of expressing the actual randomness in what is intended to be a random string. For example, if you know that your users have chosen passwords that are eight characters long, you might suppose that they've randomly chosen amongst the full 6.6 million billion possible passwords in the password space. If, in fact, your users have chosen passwords composed of only lowercase a and b characters, they would still be chosen from the full password space, but only out of a 256-member subset. In this case we would say that the users' passwords display 8 bits of entropy ( 2^8 = 256 ).

Even people trying to be random don't produce particularly random results. Several studies have determined that strings of characters "randomly" chosen by people aren't actually all that random, and the variability in each position does not approach the ~6.6 bits of entropy available per position (log2 of 95). This most likely has to do with the unconscious associations we form with respect to letter patterns and usage in written language, and manifests itself in "randomly" chosen strings displaying significant word-like structure when constructed by a person.
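The entropy arithmetic in the preceding paragraphs is easy to check in code. The following Python script is an added example, not code from the book: it computes the size and entropy of a uniformly chosen 8-character password space (the 95^8 figure above), the 8-bit entropy of the "only a and b" subset, and then measures the empirical per-position Shannon entropy of a small constructed set of human-style passwords to show how far real choices fall short of the ~6.6 bits available per position. The sample passwords are constructed for illustration and stand in for a real password audit.

```python
import math
from collections import Counter

# 95 printable ASCII characters (space through '~'), the keyboard-enterable
# symbol count the chapter uses for the standard 8-character Unix password.
PRINTABLE_ASCII = 95
UNIX_PASSWORD_LENGTH = 8


def password_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from a charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from that space.

    log2(charset_size ** length) == length * log2(charset_size); computing it
    this way avoids building a huge integer just to take its logarithm.
    """
    return length * math.log2(charset_size)


def per_position_entropy(samples):
    """Empirical Shannon entropy (bits) at each character position.

    Assumes every sample has the same length. A position where everyone
    picked the same character contributes 0 bits; a position where the
    characters are spread uniformly over k symbols contributes log2(k) bits.
    """
    length = len(samples[0])
    result = []
    for i in range(length):
        counts = Counter(s[i] for s in samples)
        total = sum(counts.values())
        h = -sum((c / total) * math.log2(c / total) for c in counts.values())
        result.append(h)
    return result


def estimated_bits(samples) -> float:
    """Upper-bound estimate of password entropy as the sum of per-position entropies.

    This treats positions as independent, so it overestimates entropy when
    positions are correlated (as they are in word-like passwords); the real
    value is lower still.
    """
    return sum(per_position_entropy(samples))


# Constructed sample of "human-chosen" 8-character passwords (not real data):
# a capitalised season followed by "01". Positions 6 and 7 never vary.
HUMAN_SAMPLES = ["Summer01", "Winter01", "Spring01", "Autumn01"]


if __name__ == "__main__":
    ideal_space = password_space(PRINTABLE_ASCII, UNIX_PASSWORD_LENGTH)
    print(f"95^8 = {ideal_space:,}")
    print(f"uniform 8-char password: {entropy_bits(95, 8):.6f} bits")
    print(f"uniform 8-char password over {{a, b}}: {entropy_bits(2, 8):.1f} bits")
    print("per-position entropy of the constructed sample:",
          [round(h, 3) for h in per_position_entropy(HUMAN_SAMPLES)])
    print(f"independence-bound estimate: {estimated_bits(HUMAN_SAMPLES):.3f} bits "
          f"(vs {entropy_bits(95, 8):.1f} available)")
```

Running the script on a real (hashed-password-free) audit means feeding `per_position_entropy` a list of equal-length passwords collected under a policy review; positions that report close to 0 bits are the ones users fill with the same predictable filler, which is exactly where a dictionary-based guesser gains its advantage and where a password policy or passphrase scheme should push users toward more variety.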

This chapter covers the flaws in the basic notion of password protection for services, files, and other resources, as well as what you can do to limit your vulnerability when picking passwords. Not all password schemes will necessarily conform to the exact encryption or storage standards we'll cover here, but they're all subject to the same basic conceptual flaws.


Maximum Mac OS X Security
ISBN: 0672323818
Year: 2003
Pages: 158