General
On computer systems where multiple users share disk space and system resources,
each user is given a computer account. How does the system know who is authorized
to access and use this account? The user enters a password.
If the user enters the correct password, access is granted. When you first get your
account, some computer systems assign a password to you and you can't change it, but on
the vast majority of systems, including the UNIX workstations in the Naval Postgraduate
School's Air/Ocean curriculum, it is up to the user to select a password for his or her
account.
Selecting a strong password is the single most important thing you can do to protect
your information from unauthorized access.
Why should I worry about picking a strong password? I trust the people on my
computer system.
Maybe you know all the people who have accounts on your system and you trust them.
But consider this: if your computer system is connected to the Internet, and almost
all are today, anyone in the world who can connect to the Internet
can attempt to access your account by guessing your password. All that is needed
is your account name or id, and this information isn't difficult to obtain on many
computer systems.
On computers running the UNIX operating system, the user names and passwords of
all users on the machine are kept in a file on the system disk. Many UNIX based
computers allow any user on the system to look at the contents of the password file and make a
copy of it. Fortunately, the passwords in the file have been encrypted into
ciphertext, but the algorithm used to encrypt the passwords is publicly known and
is the same on every UNIX based machine. The encryption algorithm is almost
impossible to reverse, or decrypt - that is, you can't take the encrypted
password, pass it through an algorithm and come up with the original password in
plaintext.
However, you can pass a plaintext password guess through this publicly known
encryption algorithm and then compare the ciphertext result with all the entries
in the password file for a match. This is what many crackers try to do on UNIX
machines. They get a copy of the password file and automate the guessing process
by using a program that runs a list of common passwords through the encryption
routine and compares the encrypted results to the encrypted passwords in the
stolen password file for matches.
A cracker that is able to determine your password will have access to
everything in your account. The cracker can not only read any
personal or confidential files in your account, but also modify
or delete the files. Once an expert cracker breaks into a single
user account, many times they can exploit security holes in the operating system
(especially on systems that aren't running the current version of the operating system)
and break into the special account on the system that gives the cracker access to
all accounts on the system. This special account is known by
many different names on different systems: root, super user, supervisor, manager.
But the end result is the same: the cracker has used a common weakness, poor
password selection by an ordinary user, to become GOD on that computer system.
How to choose a bad password
Daniel Klein conducted research on password vulnerability on UNIX based machines
by collecting password files sent to him by system administrators. He tried to
crack the passwords using the method described above: encrypting likely passwords
and comparing the results against the file. He ran his password cracking program
on roughly 15,000 passwords. Here is an excerpt from his results:
... 21% (nearly 3,000 passwords) were guessed in the first week,
and that in the first 15 minutes of testing, 368 passwords (or 2.7%) had been
cracked using what experience has shown would be the most fruitful line of attack
(i.e., using the user or account names as passwords).
If you don't care about the information in your account, or anyone else on the
system for that matter, here are a few tips to make it easier for crackers to
guess your password.
- You can make a cracker's day by using your account name or id as your
password. This requires no effort at all on their part. You could rearrange
the letters, like using your account name spelled backwards. A cracker will
try every variation possible on your account name or id because, as described
above, about 3% of all users choose their account name, or a permutation of it,
as their password.
Also, picking a password that is 3 characters or less is good. Even a brute
force, or systematic, attack on 3 characters or less will take only a few CPU
minutes to perform.
- Use some personal information about yourself. A password that is your
nickname, your last name, or your first and last names put together is very easy
to guess. To make it just slightly harder, try the name of your wife/husband,
pet, girlfriend/boyfriend, child ... you get the picture. You can make it a little
tougher by spelling the name backwards, or some other variation, but these are very
standard tricks.
- Personal information that has numbers isn't any better. Try your phone
number, social security number, student ID number, address, license plate
number...
- Why not use words from science fiction or the fantasy realm, mythology, movies,
famous people, profanities or obscene words. These are common passwords that a
good cracking program will try, if you want to make the cracker work a little.
A cracker doesn't want to do an exhaustive search of all possible passwords; it is
much easier and faster to try your user name or id first, then common passwords or
some personal information he/she has learned about you. Remember, a cracker only
needs to break into one account on a system; then they can attempt to attack the
supervisor account and compromise the whole system.
How to choose a strong password
Do's
- uSE BoTh UppEr and loWEr Case Characters, digits, punctuation, and !@#$%^&*
characters (and not just as the last character of your password) if your
computer system allows it. The more complex and random the password is, the harder
it is to crack.
- You should try to choose a password that uses the maximum number of characters
allowed. On UNIX systems, the maximum password length is 8 characters. As a
minimum, your password should be 6 characters. On machines that allow upper and
lower case, digits, etc. as listed in the above point, a brute force, or exhaustive,
attack of all possible 5 character passwords at a rate of 1000 password guesses
per second will take 90 CPU days. Increasing the password to 6 characters, the
same brute force attack will take 23 CPU years. Using the maximum of 8
characters, it will take 210,000 CPU years.
- Change your password regularly. As mentioned in the previous point, a
determined cracker can eventually guess a password with a brute force attack.
If the password is strong and 7 or 8 characters, it is relatively "safe." But
changing it every 6 months or every year is wise.
- Some of the best passwords are acronyms that are special to you.
For example, if you have a daughter named Mary who is 11 years old, a sentence
you might easily remember might be:
My daughter Mary is 4 + 7 !, which would create the acronym
password MdMi4+7!. Another might be:
Three blind mice, See how they run,
which would create 3bm,Shtr. These create passwords that are essentially
random but easy for you to remember.
- Be wary of people hanging over your shoulder when you type your password. If
you suspect someone of trying to get your password by watching you type it in,
report them to the computer center or system administrator, and change your
password immediately.
Don'ts
- Don't use a word from the English dictionary or a minor variation on that word.
Good password cracking programs
check the whole dictionary. As computer CPUs get faster, more words can be checked
in the same amount of time. Many cracker programs now check not only the English
dictionary, but several foreign ones too. Some cracker programs also check all
the dictionary words with a 1 appended, all s's replaced with $'s, the word's
spelling reversed, or the first letter of the word capitalized.
- Never tell your password to anyone. On UNIX based systems, even the system
administrator never, ever needs to know your password under any
circumstance. If you ever get E-mail from someone, even if they say they are the
system administrator, asking for your password for any reason,
report it to the system administrator or computer center. This is a ploy crackers
use to get passwords.
- Never write your password down. If you choose your own password you should
pick something that you can remember. If a password is assigned to you, this may
be tougher, but try. Never send your password through E-mail; it isn't as secure
as you might think.
- Don't use simple patterns of adjacent letters on the keyboard. On the surface
qwerty or asdfgh may seem random, but crackers check many of these patterns as
standard practice.
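The guessing method described earlier (run a candidate through the one-way routine and compare with the stored ciphertext), the account-name permutations from the bad-password section, and the dictionary variations in the first Don't above all suggest the same defensive measure: a proactive check at password-change time that refuses any candidate a cracking program would reach in its first passes. The following is an added example, not code from the original page or from the Naval Postgraduate School's systems; the wordlist is constructed and tiny, and PBKDF2-SHA256 stands in for the UNIX crypt(3) routine only to show the one-way store-and-compare step (it is not that routine).

```python
import hashlib
import hmac
import os

# Constructed stand-in for the English and foreign dictionaries and the
# common-password lists the page mentions; a real checker loads a file.
WORDLIST = ["password", "secret", "wizard", "dragon", "gandalf", "qwerty", "asdfgh"]


def word_variations(word):
    """The variations the Don'ts list says cracking programs apply to every
    dictionary word: as is, 1 appended, s replaced by $, reversed, capitalized."""
    yield word
    yield word + "1"
    yield word.replace("s", "$")
    yield word[::-1]
    yield word.capitalize()


def account_variations(account_name):
    """The account name and the rearrangements the page warns about."""
    yield account_name
    yield account_name[::-1]
    yield account_name.capitalize()
    yield account_name.upper()


def weak_reason(candidate, account_name, wordlist=WORDLIST):
    """Return why the proposed password would fall quickly, or None if it
    passes every check this page describes. Comparison is case-insensitive
    so that Capitalized variants are caught too."""
    lowered = candidate.lower()
    if len(candidate) < 6:
        return "shorter than 6 characters"
    if lowered in {v.lower() for v in account_variations(account_name)}:
        return "derived from the account name"
    for word in wordlist:
        if lowered in {v.lower() for v in word_variations(word)}:
            return f"variation of the dictionary word {word!r}"
    return None


# Stored form: salt plus a one-way hash. The system checks a login by
# recomputing the hash from the guess; it cannot recover the password from
# the record. Assumption: PBKDF2-SHA256 is a stand-in, not UNIX crypt(3).
ITERATIONS = 100_000


def store_password(password, salt=None):
    """Produce the one-way record kept on disk for this password."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(record, guess):
    """Recompute the hash of the guess with the stored salt and compare."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def change_password(account_name, candidate):
    """What a proactive passwd wrapper does: refuse weak choices, otherwise
    return the one-way record to store."""
    reason = weak_reason(candidate, account_name)
    if reason:
        raise ValueError(f"rejected: {reason}")
    return store_password(candidate)


if __name__ == "__main__":
    for pw in ("koocekim", "Wizard1", "pa$$word", "nogard", "MdMi4+7!"):
        print(f"{pw!r}: {weak_reason(pw, 'mikecook') or 'accepted'}")
    record = change_password("mikecook", "MdMi4+7!")
    print(verify_password(record, "MdMi4+7!"), verify_password(record, "MdMi4+7"))
```

The checker applies each variation on its own, as the page lists them; a production checker would also combine them and load the same wordlists a cracking program uses, so that whatever it accepts is at least outside those first passes.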
For More Information
Download a copy (in PostScript format) of Daniel Klein's paper mentioned above,
titled Foiling the Cracker: A Survey of, and Improvements to, Password Security.
CalPoly's guide to password
security on UNIX based computers.
The FIRST Security Papers
are a collection of papers on various security issues, including cryptography
and password security.
Mike Cook's
glossary of security terms and links to general security information.
Comments to Mike Cook
Last Modified: 15 Feb 01