home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  


Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: 3.5 Verifying Your New Password Chapter 3
Users and Passwords
Next: 3.7 One-Time Passwords
 

3.6 The Care and Feeding of Passwords

Although passwords are the most important element of computer security, users often receive only cursory instructions about selecting them.

If you are a user, be aware that by picking a bad password - or by revealing your password to an untrustworthy individual - you are potentially compromising your entire computer's security. If you are a system administrator, be sure that all of your users are familiar with the issues raised in this section.

3.6.1 Bad Passwords: Open Doors

A bad password is any password that is easily guessed.

In the movie Real Genius, a computer recluse named Laszlo Hollyfeld breaks into a top-secret military computer over the telephone by guessing passwords. Laszlo starts by typing the password AAAAAA , then trying AAAAAB , then AAAAAC , and so on, until he finally finds the password that matches.

Real-life computer crackers are far more sophisticated. Instead of typing each password by hand, crackers use their computers to make phone calls (or opening network connections) and try the passwords, automatically retrying when they are disconnected. Instead of trying every combination of letters, starting with AAAAAA (or whatever), crackers use hit lists of common passwords such as wizard or demo . Even a modest home computer with a good password guessing program can try thousands of passwords in less than a day's time. Some hit lists used by crackers are several hundred thousand words in length.[8] Therefore, a password that anybody else might use for his own password is probably a bad choice for you.

[8] In contrast, if you were to program a home computer to try all 6-letter combinations from AAAAAA to ZZZZZZ , it would have to try 308,915,776 different passwords. Guessing one password per second, that would require nearly ten years.

What's a popular and bad password? Some examples are your name, your partner's name, or your parents' names. Other bad passwords are these names backwards or followed by a single digit. Short passwords are also bad, because there are fewer of them: they are, therefore, more easily guessed. Especially bad are "magic words" from computer games, such as xyzzy . They look secret and unguessable, but in fact are widely known. Other bad choices include phone numbers, characters from your favorite movies or books, local landmark names, favorite drinks, or famous computer scientists (see the sidebar later in this chapter for still more bad choices). These words backwards or capitalized are also weak. Replacing the letter "l" (lowercase "L") with "1" (numeral one), or "E" with "3," adding a digit to either end, or other simple modifications of common words are also weak. Words in other languages are no better. Dictionaries for dozens of languages are available for download on the Internet and dozens of bulletin board systems.

Many versions of UNIX make a minimal attempt to prevent users from picking bad passwords. For example, under some versions of UNIX , if you attempt to pick a password with fewer than six letters that are all of the same case, the passwd program will ask the user to "Please use a longer password." After three tries, however, the program relents and lets the user pick a short one. Better versions allow the administrator to require a minimum number of letters, a requirement for nonalphabetic characters, and other restrictions. However, some administrators turn these requirements off because users complain about them; this is a bad idea. Users will complain more loudly if their computers are broken into.

3.6.2 Smoking Joes

Surprisingly, experts believe that a significant percentage of all computers without password content controls contain at least one account where the username and the password are the same. Such accounts are often called "Joes." Joe accounts are easy for crackers to find and trivial to penetrate. Most computer crackers can find an entry point into almost any system simply by checking every account to see whether it is a Joe account. This is one reason why it is dangerous for your computer to make a list of all of the valid usernames available to the outside world.

3.6.3 Good Passwords: Locked Doors

Good passwords are passwords that are difficult to guess. The best passwords are difficult to guess because they:

  • Have both uppercase and lowercase letters.

  • Have digits and/or punctuation characters as well as letters.

  • May include some control characters and/or spaces.

  • Are easy to remember, so they do not have to be written down.

  • Are seven or eight characters long.

Can be typed quickly, so somebody cannot determine what you type by watching over your shoulder.

It's easy to pick a good password. Here are some suggestions:

  • Take two short words and combine them with a special character or a number, like robot4my or eye-con .

  • Put together an acronym that's special to you, like Notfsw (None Of This Fancy Stuff Works), auPEGC (All UNIX programmers eat green cheese), or Ttl*Hiww (Twinkle, twinkle, little star. How I wonder what...).

Of course, robot4my , eye-con , Notfsw , Ttl*Hiww and auPEGC are now all bad passwords because they've been printed here.

3.6.4 Passwords on Multiple Machines

If you have several computer accounts, you may wish to have the same password on every machine, so you have less you need to remember. However, if you have the same password on many machines and one of those machines is compromised, all of your accounts are compromised. One common approach used by people with accounts on many machines is to have a base password that can be modified for each different machine. For example, your base password might be kxyzzy followed by the first letter of the name of the computer you're using. On a computer named athena your password would be kxyzzya , while on a computer named ems your password would be kxyzzye . (Don't, of course, use exactly this method of varying your passwords.)

3.6.5 Writing Down Passwords

There is a tired story about a high school student who broke into his school's academic computer and changed his grades; he did this by walking into the school's office, looking at the academic officer's terminal, and writing down the telephone number, username, and password that were printed on a Post-It note.

Unfortunately, the story is true - hundreds of times over.

Users are admonished to "never write down your password." The reason is simple enough: if you write down your password, somebody else can find it and use it to break into your computer. A password that is memorized is more secure than the same password written down, simply because there is less opportunity for other people to learn it. On the other hand, a password that must be written down to be remembered is quite likely a password that is not going to be guessed easily. If you write your password on something kept in your wallet, the chances of somebody who steals your wallet using the password to break into your computer account are remote indeed.[10]

[10] Unless, of course, you happen to be an important person, and your wallet is stolen or rifled as part of an elaborate plot. In their book Cyberpunks , authors John Markoff and Katie Hafner describe a woman called "Susan Thunder" who broke into military computers by doing just that: she would pick up officers at bars and go home with them. Later that night, while the officer was sleeping, Thunder would get up, go through the man's wallet, and look for telephone numbers, usernames, and passwords.

If you must write down your password, then at least follow a few precautions:

  • When you write it down, don't identify your password as being a password.

  • Don't include the name of the account, network name, or the phone number of the computer on the same piece of paper as your password.

  • Don't attach the password to your terminal, keyboard, or any part of your computer.

  • Don't write your actual password. Instead, disguise it, by mixing in other characters or by scrambling the written version of the password in a way that you can remember. For example, if your password is "Iluvfred", you might write "fredIluv" or "vfredxyIu" or perhaps "Last week, I lost Uncle Vernon's `fried rice & eggplant delight' recipe - remember to call him after 3 p.m." - to throw off a potential wallet-snatcher.[11]

    [11] We hope that last one required some thought. The 3 p.m. means to start with the third word and take the first letter of every word. With some thought, you can come up with something equally obscure that you will remember.

Here are some other things to avoid:

  • Don't record a password online (in a file, in a database, or in an email message), unless the password is encrypted.

  • Likewise, never send a password to another user via electronic mail . In The Cuckoo's Egg, Cliff Stoll tells of how a single intruder broke into system after system by searching for the word "password" in text files and electronic mail messages. With this simple trick, the intruder learned of the passwords of many accounts on many different computers across the country.

  • Don't use your login password as the password of application programs. For instance, don't use your login password as your password to an on-line MUD (multi-user dungeon) game or for a World Wide Web server account. The passwords in those applications are controlled by others and may be visible to the wrong people.

  • Don't use the same password for different computers managed by different organizations. If you do, and an attacker learns the password for one of your accounts, all will be compromised.

This last "don't" is very difficult to follow in practice.


Previous: 3.5 Verifying Your New Password Practical UNIX & Internet Security Next: 3.7 One-Time Passwords
3.5 Verifying Your New Password Book Index 3.7 One-Time Passwords