On computer systems where multiple users share disk space and system resources,
each user is given a computer account. How does the system know who is authorized
to access and use this account? The user enters a
If the user enters the correct password, access is granted. When you first get your
account, some computer systems assign a password to you and you can't change it, but on
the vast majority of systems, including the UNIX workstations in the Naval Postgraduate
School's Air/Ocean curriculum, it is up to the user to select a password for his or her
Selecting a strong password is the single most important thing you can do to protect
your information from unauthorized access.
Why should I worry about picking a strong password, I trust the people on my
Maybe you know all the people who have accounts on your system and you trust them.
But consider this, if your computer system is connected to the internet, and almost
all are today, anyone in the world who can connect to the internet
can attempt to access your account by guessing your password. All that is needed
is your account name or id, and this information isn't difficult to obtain on many
On computers running the UNIX operating system, the user names and passwords of
all users on the machine are kept in a file on the system disk. Many UNIX based
computers allow any user on the system to look at the contents of the password file and make a
copy of it. Fortunately, the passwords in the file have been
the algorithm used to encrypt the passwords is publicly known and is the same on every
UNIX based machine. The encryption algorithm is almost impossible to reverse, or
- that is you can't take the
encrypted password, pass it through an algorithm and come up with the original password in
However you can pass a plaintext password guess through
this publicly know encryption
algorithm and then compare the ciphertext result with all the entries in the
password file for a match. This is what many
try to do on
UNIX machines. They get a copy of the password file, and automate the guessing process by
using a program that runs a list of common passwords through the encryption routine, and
compares the encrypted results to the encrypted passwords in the stolen password
file for matches.
A cracker that is able to determine your password will have access to
everything in your account. The cracker can not only read any
personal or confidential files in your account, but also modify
or delete the files. Once an expert cracker breaks into a single
user account, many times they can exploit security holes in the operating system
(especially on systems that aren't running the current version of the operating system)
into the special account on the system that gives the cracker access to
all accounts on the system. This special account is known by
many different names on different systems: root, super user, supervisor, manager.
But the end result is the same, the cracker has used a common weakness; poor
password selection by an ordinary user, to become GOD on that computer system.
How to choose a bad password
Daniel Klein conducted research on password vulnerablilty on UNIX based machines
by collecting password files sent to him by system administrators. He tried to
crack the passwords using the encryption of likely passwords method described
above. He ran his password cracking program on roughly 15,000 passwords. Here is an
excerpt from his results:
... 21% (nearly 3,000 passwords) were guessed in the first week,
and that in the first 15 minutes of testing, 368 passwords (or 2.7%) had been
cracked using what experience has shown would be the most fruitful line of attack
(i.e., using the user or account names as passwords).
If you don't care about the information in your account, or anyone else on the
system for that matter, here are a few tips to make it easier for crackers to
guess your password.
A cracker doesn't want to do an exhaustive search of all possible passwords, it is
much easier and faster to try your user name or id first, then common passwords or
some personal information he/she has learned about you. Remember a cracker only
needs to break into one account on a system, then they can attempt to attack the
supervisor account, and compromise the whole system.
- You can make a crackers day by using your account name or id as your
password. This requires no effort at all on their part. You could rearrainge
the letters, like using your account name spelled backwards. A cracker will
try every variation possible on your account name or id because as described
above, about 3% of all users choose their account name, or a permutation of it
as their password.
Also picking a password that is 3 characters or less is good. Even a brute
force, or systematic attack on 3 characters or less will take only a few CPU
minutes to perform.
- Use some personal information about yourself. A password that is your
nickname, your last name, your first and last names put together is very easy
to guess. To make it just slightly harder, try the name of your wife/husband,
pet, girlfriend/boyfriend, child ... you get the picture. You can make it alittle
tougher by spelling the name backwards, or some other variation, but these are very
- Personal information that has numbers isn't any better. Try your phone
number, social security number, student ID number, address, license plate
- Why not use words from science fiction or fantasy realm, mythology, movies,
famous people, profanities or obscene words . These are common passwords that a
good cracking program will try if you want to make the cracker work alittle.
How to choose a strong password
- uSE BoTh UppEr and loWEr Case Characters, digits, punctuation, and !@#$%^&*
characters (and not just as the last character of you password only) if your
computer system allows it. The more complex and random the password is, the harder
it is to crack.
- You should try to choose a password that uses the maximum number of characters
allowed. On UNIX systems, the maximum password length is 8 characters. As a
minimum your password should be 6 characters. On machines that allow upper and
lower case, digits, etc. as listed in the above point, a brute force, or exhaustive
attack of all possible 5 character passwords at a rate of 1000 password guesses
per second will take 90 CPU days. Increasing the password to 6 characters, the
same brute force attack will take 23 CPU years. Use the maximum 8
characters, it will take 210000 CPU years.
- Change your password regularly. As mentioned in the previous point, a
determined cracker can eventually guess a password with a brute force attack.
If the password is strong and 7 or 8 characters, it is relatively "safe." But
changing it every 6 months or every year is wise.
- Some of the best passwords are acronyms that are special to you.
For example, if you have a daughter named Mary who is 11 years old, a sentence
you might easily remember might be:
My daughter Mary is 4 + 7 !, which would create the acronym
password MdMi4+7!. Another might be:
Three blind mice, See how they run,
which would create 3bm,Shtr. These create passwords that are essentially
random but easy for you to remember.
- Be wary of people hanging over your shoulder when you type your password. If
you suspect someone of trying to get your password by watching you type it in,
report them to the computer center or system administrator, and change your
- Don't use a word in the English dictionary or a minor variation on that word.
Good password cracking programs
check the whole dictionary. As computer CPU's get faster, more words can be checked
in the same amount of time. Many cracker programs now check not only the English
dictionary, but several foreign ones too. Some cracker programs also check all
the dictionary words with a 1 appended, replace all s's with $'s, reverse the word's
spelling, or capitalize the first letter of the word.
- Never tell your password to anyone. On UNIX based systems, even the system
administrator never, ever needs to know your password under any
circumstance. If you ever get E-mail from someone, even if they say they are the
system administrator, asking for your password for any reason,
report it to the system administrator or computer center. This is a ploy crackers
use to get passwords.
- Never write your password down. If you choose your own password you should
pick something that you can remember. If a password is assigned to you, this may
be tougher, but try. Never send your password through E-mail, it isn't as secure
as you might think.
- Don't use simple patterns of adjacent letters on the keyboard. On the surface
qwerty or asdfgh may seem random, but crackers check many of these patterns as
For More Information
Download a copy (in Postscript format) of Daniel Klein's paper mentioned above
Foiling the Cracker: A Survey of, and Improvements to, Password Security
CalPoly's guide to password
security on UNIX based computers.
The FIRST Security Papers
are a collection of papers on various security issues, including cryptography
and password security.
glossary of security terms and links to general security information.
Comments to Mike Cook
Last Modified: 15 Feb 01