Password Tutorial


General

On computer systems where multiple users share disk space and system resources, each user is given a computer account. How does the system know who is authorized to access and use this account? The user enters a password. If the user enters the correct password, access is granted. When you first get your account, some computer systems assign a password to you and you can't change it, but on the vast majority of systems, including the UNIX workstations in the Naval Postgraduate School's Air/Ocean curriculum, it is up to the user to select a password for his or her account. Selecting a strong password is the single most important thing you can do to protect your information from unauthorized access.

Why should I worry about picking a strong password? I trust the people on my computer system.

Maybe you know all the people who have accounts on your system and you trust them. But consider this: if your computer system is connected to the internet (and almost all are today), anyone in the world who can connect to the internet can attempt to access your account by guessing your password. All that is needed is your account name or id, and this information isn't difficult to obtain on many computer systems.

On computers running the UNIX operating system, the user names and passwords of all users on the machine are kept in a file on the system disk. Many UNIX based computers allow any user on the system to look at the contents of the password file and make a copy of it. Fortunately, the passwords in the file have been encrypted into ciphertext, but the algorithm used to encrypt the passwords is publicly known and is the same on every UNIX based machine. The encryption algorithm is almost impossible to reverse, or decrypt: that is, you can't take the encrypted password, pass it through an algorithm and come up with the original password in plaintext. However, you can pass a plaintext password guess through this publicly known encryption algorithm and then compare the ciphertext result with all the entries in the password file for a match. This is what many crackers try to do on UNIX machines. They get a copy of the password file and automate the guessing process by using a program that runs a list of common passwords through the encryption routine and compares the encrypted results to the encrypted passwords in the stolen password file for matches.

A cracker who is able to determine your password will have access to everything in your account. The cracker can not only read any personal or confidential files in your account, but also modify or delete the files. Once an expert cracker breaks into a single user account, many times they can exploit security holes in the operating system (especially on systems that aren't running the current version of the operating system) and break into the special account on the system that gives the cracker access to all accounts on the system. This special account is known by many different names on different systems: root, super user, supervisor, manager. But the end result is the same: the cracker has used a common weakness, poor password selection by an ordinary user, to become GOD on that computer system.


How to choose a bad password

Daniel Klein conducted research on password vulnerability on UNIX based machines by collecting password files sent to him by system administrators. He tried to crack the passwords using the encryption-of-likely-passwords method described above. He ran his password cracking program on roughly 15,000 passwords. Here is an excerpt from his results:

... 21% (nearly 3,000 passwords) were guessed in the first week, and that in the first 15 minutes of testing, 368 passwords (or 2.7%) had been cracked using what experience has shown would be the most fruitful line of attack (i.e., using the user or account names as passwords).

If you don't care about the information in your account, or anyone else on the system for that matter, here are a few tips to make it easier for crackers to guess your password.

A cracker doesn't want to do an exhaustive search of all possible passwords; it is much easier and faster to try your user name or id first, then common passwords or some personal information he/she has learned about you. Remember, a cracker only needs to break into one account on a system; then they can attempt to attack the supervisor account and compromise the whole system.
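As an added illustration (not part of the original tutorial), the checker below turns the guessing order just described into a proactive test a system could run when a user picks a password: is it the account name (or a simple variant of it), a common password, or a piece of personal information? The common-password list, the user name and the personal details are constructed sample data.

```python
import re

# Constructed stand-in for the kind of common-password list a cracker feeds
# through the encryption routine first.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey"}


def normalize(word: str) -> str:
    """Strip trailing digits and fold case, so 'Secret99' is compared as 'secret'.
    Appending a digit or two to a guessable word is a cheap variant crackers try."""
    return re.sub(r"\d+$", "", word).lower()


def character_classes(candidate: str) -> int:
    """Count how many of upper, lower, digit, punctuation the password draws on."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in candidate) for test in tests)


def check_password(candidate: str, username: str, personal_info=()) -> tuple[bool, str]:
    """Return (accepted, reason), rejecting in the order a cracker would guess:
    account name first, then common words, then personal details."""
    core = normalize(candidate)
    name = username.lower()
    if len(candidate) < 8:
        return False, "shorter than 8 characters"
    if core in (name, name[::-1]):
        return False, "derived from the account name"
    if core in COMMON_PASSWORDS:
        return False, "appears in a common-password list"
    for item in personal_info:
        piece = normalize(item)
        if piece and piece in core:
            return False, f"contains personal information ({item})"
    if character_classes(candidate) < 3:
        return False, "uses fewer than three kinds of characters"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample account: user 'mcook' whose public details are known.
    for pw in ("mcook1", "koocm2001", "Password1", "navy-postgrad", "Tr0ub4dor&3x"):
        print(pw, "->", check_password(pw, "mcook", personal_info=("Navy", "Monterey")))
```

Klein's paper proposes exactly this kind of check at password-change time, so weak choices are refused before they ever reach the password file.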


How to choose a strong password

Do's

Don'ts


For More Information

* Download a copy (in Postscript format) of Daniel Klein's paper mentioned above titled Foiling the Cracker: A Survey of, and Improvements to, Password Security

* CalPoly's guide to password security on UNIX based computers.

* The FIRST Security Papers are a collection of papers on various security issues, including cryptography and password security.

* Mike Cook's glossary of security terms and links to general security information.


Comments to Mike Cook
Last Modified: 15 Feb 01