Password Selection Criteria
At the RSA Security
Conference in 2006, Bill Gates, head of Microsoft, described his vision of a
world in which passwords would be obsolete, having gone the way of the
dinosaur. In their place sophisticated multifactor authentication technologies
would offer far greater security than passwords ever could. But that is Bill
Gates' view of the future; despite decades of articles about their weakness,
passwords are with us still and will be for some time.
So what can we conclude about
passwords? They should be hard to guess and difficult to determine
exhaustively. But the degree of difficulty should be appropriate to the security
needs of the situation. To these ends, we present several guidelines for
password selection:
Use characters other than
just A-Z. If passwords are chosen from the letters A-Z, there are only 26
possibilities for each character. Adding digits expands the number of
possibilities to 36. Using both uppercase and lowercase letters plus digits
expands the number of possible characters to 62. Although this change seems
small, the effect is large when someone is testing a full space of all possible
combinations of characters. It takes about 100 hours to test all 6-letter words
chosen from letters of one case only, but it takes about 2 years to test all
6-symbol passwords from upper- and lowercase letters and digits. Although 100
hours is reasonable, 2 years is oppressive enough to make this attack far less
attractive.
Choose long passwords. The combinatorial
explosion of passwords begins at length 4 or 5. Choosing longer passwords makes
it less likely that a password will be uncovered. Remember that a brute force
penetration can stop as soon as the password is found. Some penetrators will
try the easy cases (known words and short passwords) and move on to another target
if those attacks fail.
Avoid actual names or words. Theoretically,
there are 26^6 or about 300 million 6-letter "words", but
there are only about 150,000 words in a good collegiate dictionary, ignoring
length. By picking one of the 99.95 percent nonwords, you force the attacker to
use a longer brute force search instead of the abbreviated dictionary search.
Choose an unlikely password. Password choice is
a double bind. To remember the password easily, you want one that has special
meaning to you. However, you don't want someone else to be able to guess this
special meaning. One easy-to-remember password is 2Brn2B. That unlikely looking
jumble is a simple transformation of "to be or not to be." The first
letters of words from a song, a few letters from different words of a private
phrase, or a memorable basketball score are examples of reasonable passwords.
But don't be too obvious. Password-cracking tools also test replacements of 0
(zero) for o or O (letter "oh") and 1 (one) for l (letter
"ell") or $ for S (letter "ess"). So I10veu is already in
the search file.
Change the password regularly. Even if there is
no reason to suspect that the password has been compromised, change is advised.
A penetrator may break a password system by obtaining an old list or working
exhaustively on an encrypted list.
Don't write it down. (Note: This time-honored
advice is relevant only if physical security is a serious risk. People who have
accounts on many different machines and servers, not to mention bank and charge
card PINs, may have trouble remembering all the access codes. Setting all codes
the same or using insecure but easy-to-remember passwords may be more risky
than writing passwords on a reasonably well protected list.)
Don't tell anyone else. The easiest attack is social engineering, in which the
attacker contacts the system's administrator or a user to elicit the password
in some way. For example, the attacker may phone a user, claim to be
"system administration," and ask the user to verify the user's
password. Under no circumstances should you ever give out your private
password; legitimate administrators can circumvent your password if need be,
and others are merely trying to deceive you.
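The guidelines on character sets, dictionary words and obvious substitutions can be combined into one check, shown here as an added example that is not from the original text. The guess rate of one per millisecond is an assumption chosen because it reproduces the figures above (about 100 hours and about 2 years), and the word list is a constructed stand-in for a real dictionary.

```python
# Assumption: one guess per millisecond, which matches the text's figures
# (about 100 hours for 26^6, about 2 years for 62^6).
GUESSES_PER_SECOND = 1000

# Constructed stand-in for a real dictionary file.
SAMPLE_WORDS = {"iloveu", "password", "dragon", "secret"}

# Substitutions the text says cracking tools already test: 0 for o, 1 for l, $ for s.
UNDO_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s"})


def alphabet_size(password):
    """Size of the smallest alphabet (built from the text's classes) covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def exhaustive_hours(password):
    """Hours to test the full space of this length; a real search may stop earlier."""
    return alphabet_size(password) ** len(password) / GUESSES_PER_SECOND / 3600


def in_dictionary_search(password, words=SAMPLE_WORDS):
    """True if the password is a listed word once case and substitutions are undone."""
    return password.lower().translate(UNDO_SUBSTITUTIONS) in words


def assess(password):
    """Report which search finds the password: the short dictionary one or the long one."""
    if in_dictionary_search(password):
        return "dictionary"
    return "exhaustive: about %.0f hours" % exhaustive_hours(password)


if __name__ == "__main__":
    for candidate in ("I10veu", "abcdef", "2Brn2B"):
        print(candidate, "->", assess(candidate))
```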
To help users select good passwords, some systems provide
meaningless but pronounceable passwords. For example, the VAX VMS system
randomly generates five passwords from which the user chooses one. They are
pronounceable, so that the user should be able to repeat and memorize them.
However, the user may misremember a password because of having interchanged
syllables or letters of a meaningless string. (The sound "bliptab" is
no more easily misremembered than "blaptib" or "blabtip.")
Yan et al. [YAN04]
did experiments to determine whether users could remember passwords or
passphrases better. First, they found that users are poor at remembering random
passwords. And instructions to users about the importance of selecting good
passwords had little effect. But when they asked users to select their own
password based on some mnemonic phrase they chose themselves, the users
selected passwords that were harder to guess than regular (not based on a
phrase) passwords.
Other systems encourage users to change their
passwords regularly. The regularity of password change is usually a system
parameter, which can be changed for the characteristics of a given
installation. Suppose the frequency is set at 30 days. Some systems begin to
warn the user after 25 days that the password is about to expire. Others wait
until 30 days and inform the user that the password has expired. Some systems
nag without end, whereas other systems cut off a user's access if a password
has expired. Still others force the user immediately into the password change
utility on the first login after 30 days.
Grampp and Morris [GRA84a]
argue that this reminder process is not necessarily good. Choosing passwords is
not difficult, but under pressure a user may adopt any password, just to
satisfy the system's demand for a new one. Furthermore, if this is the only
time a password can be changed, a bad password choice cannot be changed until
the next scheduled time.
Sometimes when systems force users to change
passwords periodically, users with favorite passwords will alternate between
two passwords each time a change is required. To prevent password reuse,
Microsoft Windows 2000 systems refuse to accept any of the k most recently used
passwords. One user of such a system went through 24 password changes each
month, just to cycle back to the favorite password.
One-Time Passwords
A one-time password is one that changes every time it is used.
Instead of assigning a static phrase to a user, the system assigns a static
mathematical function. The system provides an argument to the function, and the
user computes and returns the function value. Such systems are also called challenge-response systems because the
system presents a challenge to the user and judges the authenticity of the user
by the user's response. Here are some simple examples of one-time password
functions; these functions are overly simplified to make the explanation
easier. Very complex functions can be used in place of these simple ones for
host authentication in a network.
f(x) = x + 1. With this function, the system
prompts with a value for x, and the user enters the value x + 1. The kinds of
mathematical functions used are limited only by the ability of the user to
compute the response quickly and easily. Other similar possibilities are f(x) =
3x^2 - 9x + 2, f(x) = p_x, where p_x is the xth
prime number, or f(x) = d * h, where d is the date and h is the hour of the
current time. (Alas, many users cannot perform simple arithmetic in their
heads.)
f(x) = r(x). For this function, the receiver
uses the argument as the seed for a random number generator (available to both
the receiver and host). The user replies with the value of the first random
number generated. A variant of this scheme uses x as a number of random numbers
to generate. The receiver generates x random numbers and sends the xth of these
to the host.
f(a_1 a_2 a_3 a_4 a_5 a_6)
= a_3 a_1 a_1 a_4. With this function, the
system provides a character string, which the user must transform in some
predetermined manner. Again, many different character operations can be used.
f(E(x)) = E(D(E(x)) + 1). In this function, the
computer sends an encrypted value, E(x). The user must decrypt the value,
perform some mathematical function, and encrypt the result to return it to the
system. Clearly, for human use, the encryption function must be something that
can be done easily by hand, unlike the strong encryption algorithms in Chapter 2. For machine-to-machine authentication,
however, an encryption algorithm such as DES or AES is appropriate.
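The challenge-response exchange described above, as an added example that is not from the original text: a host issues a challenge, the user answers with the shared function, and a response captured from one login is rejected at the next. The class and function names and the challenge range 1 to 50 are assumptions made for illustration.

```python
import secrets


def nth_prime(n):
    """Return p_n, the nth prime (p_1 = 2), by trial division."""
    found, candidate = 0, 1
    while found < n:
        candidate += 1
        if all(candidate % d for d in range(2, int(candidate ** 0.5) + 1)):
            found += 1
    return candidate


def quadratic(x):
    """f(x) = 3x^2 - 9x + 2. Note f(1) == f(2): two challenges share a response."""
    return 3 * x * x - 9 * x + 2


def rearrange(s):
    """f(a1 a2 a3 a4 a5 a6) = a3 a1 a1 a4, positions counted from 1."""
    return s[2] + s[0] + s[0] + s[3]


class Host:
    """Issues a fresh challenge per login and accepts each one only once."""

    def __init__(self, f):
        self.f, self.used, self.pending = f, set(), None

    def challenge(self):
        fresh = [x for x in range(1, 51) if x not in self.used]
        self.pending = secrets.choice(fresh)   # small values, never reissued
        self.used.add(self.pending)
        return self.pending

    def verify(self, response):
        if self.pending is None:
            return False                       # no outstanding challenge
        expected, self.pending = self.f(self.pending), None
        return response == expected


def replay_demo(f=nth_prime):
    host = Host(f)
    captured = f(host.challenge())             # response seen on the wire
    accepted = host.verify(captured)           # legitimate login
    host.challenge()                           # a later login attempt
    return accepted, host.verify(captured)     # old response, new challenge
```

The replay is rejected only because nth_prime never maps two challenges to the same value; quadratic does (x = 1 and x = 2), so a response captured for one of those challenges would also satisfy the other.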
One-time passwords are very important for
authentication because (as becomes clear in Chapter 7) an
intercepted password is useless: it cannot be reused.
However, their usefulness is limited by the complexity of algorithms people can
be expected to remember. A password-generating device can implement more
complex functions. Several models are readily available at reasonable prices.
They are very effective at countering the threat of transmitting passwords in
plaintext across a network. (See Sidebar 4-4
for another dilemma in remote authentication.)