May 5, 2011, 10:34 a.m.
posted by sussel
The Care and Feeding of Passwords
If you are a user, be aware that by picking a bad password—or by revealing your password to an untrustworthy individual—you are potentially compromising your entire computer's security. If you are a system administrator, you should make sure that all of your users are familiar with the issues raised in this section.
1 Bad Passwords: Open Doors
In the movie Real Genius, a computer recluse named Laszlo Hollyfeld breaks into a top-secret military computer over the telephone by guessing passwords. Laszlo starts by typing the password AAAAAA, then trying AAAAAB, then AAAAAC, and so on, until he finally finds the password that matches.
Real-life computer crackers are far more sophisticated. Instead of typing each password by hand, attackers use their computers to open network connections (or make phone calls) then try the passwords, automatically retrying when they are disconnected. Instead of trying every combination of letters, starting with AAAAAA (or whatever), attackers use hit lists of common passwords such as wizard or demo. Even a modest home computer with a good password-guessing program can try many thousands of passwords in less than a day's time. Some hit lists used by crackers are several hundred thousand words in length, and include words in many different languages. Therefore, a password that anybody on the planet might use for a password is probably a bad password choice for you.
What's a popular and bad password? Some examples are your name, your partner's name, or your parents' names. Other bad passwords are these names backwards or followed by a single digit. Short passwords are also bad, because there are fewer of them: they are, therefore, more easily guessed. Especially bad are "magic words" from computer games, such as xyzzy. Magic words look secret and unguessable, but in fact they are widely known. Other bad choices include phone numbers, characters from your favorite movies or books, local landmark names, favorite drinks, or famous computer scientists (see the sidebar Bad Passwords for still more bad choices). These words backwards or capitalized are also weak. Replacing the letter "l" (lowercase "L") with "1" (numeral one), the letter "o" with "0" (numeral zero), or "E" with "3," adding a digit to either end, or other simple modifications of common words are also weak. Words in other languages are no better. Dictionaries for dozens of languages are available for download on the Internet, including Klingon! There are also dictionaries available that consist solely of words frequently chosen as passwords.
Many versions of Unix make a minimal attempt to prevent users from picking bad passwords. For example, under some versions of Unix, if you attempt to pick a password with fewer than six letters or letters that are all the same case, the passwd program will ask the user to "Please pick a different password" followed by some explanation of the local requirements for a password. After three tries, however, some versions of the passwd program relent and let the user pick a short one. Better versions allow the administrator to require a minimum number of letters, a requirement for nonalphabetic characters, and other restrictions. However, some administrators turn these requirements off because users complain about them! Users will likely complain more loudly if their computers are broken into.
2 Smoking Joes
Surprisingly, a significant percentage of all computers that do not explicitly check for bad passwords contain at least one account in which the username and the password are the same or extremely similar. Such accounts are often called "Joes." Joe accounts are easy for crackers to find and trivial to penetrate. Attackers can find an entry point into far too many systems simply by checking every account to see whether it is a Joe account. This is one reason why it is dangerous for your computer to make a list of all of the valid usernames available to the outside world.
3 Good Passwords: Locked Doors
It's easy to pick a good password. Here are some suggestions:
Of course, robot4my, eye-con, Anotfsw, Ttl*Hiww, huroMork, and aUpegcbm are now all bad passwords because they've been printed here.
4 Password Synchronization: Using the Same Password on Many Machines
Password synchronization can increase security if the synchronization allows you to use a good password that is hard to guess. Systems that provide for automated password synchronization make it easy to change your password and have that change reflected everywhere.
On the other hand, password synchronization can decrease security if the password is compromised—suddenly all of your accounts will be vulnerable! Even worse, with password synchronization you may not even know that your password has been compromised!
Password synchronization is also problematic for usernames and passwords that are used for web sites. Many people will use the same username and password at many web sites—even web sites that are potentially being run by untrustworthy individuals or organizations. A simple way to capture usernames and passwords is to set up a web site that offers "a chance of winning $10,000" to anybody who registers with an email address and sets up a password upon entry.
If you are thinking of using the same password on many machines, here are some points to consider:
5 Writing Down Passwords
In the movie War Games, there is the canonical story about a high school student who breaks into his school's academic computer and changes his grades; he does this by walking into the school's office, looking at the academic officer's terminal, and noting that the telephone number, username, and password are written on a Post-It note.
Unfortunately, the fictional story has actually happened—in fact, it has happened hundreds of times over.
Users are admonished to "never write down your password." The reason is simple enough: if you write down your password, somebody else can find it and use it to break into your computer. A password that is memorized is more secure than the same password written down, simply because there is less opportunity for other people to learn it. On the other hand, a password that must be written down to be remembered is quite likely a password that is not going to be guessed easily. If you write your password on something kept in your wallet, the chances of somebody who steals your wallet using the password to break into your computer account are remote indeed.
If you must write down your password, then at least follow a few precautions:
Of course, you can always encrypt your passwords in a handy file on a machine where you remember the password. Many people store their passwords in an encrypted form on a PDA (handheld computer). The only drawback to this approach is when you can't get to your file, or your PDA has gone missing (or its batteries die)—how do you log on to report the problem?
Here are some other things to avoid: