Passwords are the weakest link

When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put John the Ripper, a well-known password-cracking program, on the case. While well-chosen passwords could take years, if not decades, of computer time to crack, it took the program only an hour to recover 30 percent of the passwords for the nearly 10,000 accounts listed in the file.

"Just about every company that we have gone into, even large multinationals, has a high percentage of accounts with easily (cracked) passwords," said Greg Shipley, director of consulting for Neohapsis. "We have yet to see a company whose employees don't pick bad passwords."

Fortune 100 corporations, small firms and even Internet service providers with otherwise strong security share an Achilles heel: users who pick easily guessable passwords. Some choose words straight out of Webster's dictionary, others use a pet's name, and still more choose the name of a secret lover. Many who think themselves tricky append a digit or two to the end of their chosen word. Such feeble attempts at deception are no match for today's computers, which can try millions of word variations per second and often guess a good number of passwords in less than a minute.

Treasure trove of magic words
For network intruders, that's a gold mine. Bad passwords don't necessarily make it easier to break into a company's network from outside, but for hackers who gain access to a corporate computer by other means, they're a treasure trove. Passwords discovered on one server will frequently open the way to other servers, and with the digital keys to a large fraction of the accounts on the network, an intruder can wander about with impunity and with the appearance of being a legitimate user.

That's why network attackers grab passwords as soon as they can. Some viruses and worms send an infected computer's password file back to their creator. This week, a worm known as DoubleTap is doing just that, squirming its way into computers with Microsoft's SQL Server 7.0 installed. The 1i0n worm, which spread among Linux servers in early 2001, grabbed password files, and the SirCam virus, in some cases, could send off a system's passwords as well.

Even the most paranoid security group and high-tech digital fences can't do much if the chief executive secures his critical files with "god123". Worse, most companies and organisations still rely on a password, and nothing else, to authenticate their employees.

In security circles, experts have been studying the problem for decades. In 1979, years before the public Internet, when storage was measured in the number of bits that could fit on a foot of magnetic tape, a seminal paper on password security found that a third of users' passwords could be broken in less than five minutes. A brute-force search for an eight-character password of random letters and digits would take 66 years on average for the big gun of the day, the PDP-11/70, which could crunch through nearly 50,000 combinations a minute. Yet the study found that users almost invariably chose bad passwords, leaving shortcuts for anyone attacking the security of the system.
Of nearly 3,300 passwords examined, the paper's authors, Ken Thompson and Robert Morris Sr, found that about 17 percent were three characters or fewer, nearly 15 percent were four characters long using only letters and digits, and another 15 percent appeared in one of the dictionaries available at the time. In total, nearly half the passwords could be found in a search lasting less than six hours.

Make no mistake: an eight-character password chosen at random can be very secure, even against today's high-speed computers. There are more than 6.6 quadrillion different eight-character passwords using the 95 printable ASCII characters. Even though some password-cracking programs can test nearly eight million combinations every second on the latest Pentium 4 processor, breaking such a password would still take more than 13 years on average, since an attacker expects to search half the space before hitting the right one.

Operating systems have also evolved in the past two decades to increase the security surrounding passwords. At one time, anyone could read the password file, the collection of hashed passwords that serve as the keys to the system's software locks, making it easy for a hacker to copy the file and crack it at leisure on his own computer. Now, operating systems typically let only system administrators read the hashes (on Unix-like systems they live in a separate shadow file), forcing hackers to gain administrator rights on the system before they can grab the file. In addition, "three strikes" login rules have become common, locking out accounts that fail to provide the correct password in the first few attempts.

Digital domino effect
Such defences blunt online guessing, where an attacker feeds a list of common words to the login prompt, a technique known as a dictionary attack. They do nothing, however, against an attacker who has already stolen the password file and cracks it offline, and that is where such attacks remain invaluable to hackers as a way of broadening access to a network. A single server or PC breached by an intruder can yield passwords reused on other systems in the network, bypassing the security on those systems in a digital domino effect.

The only defence is to make passwords nearly impossible to guess, but such strength requires that the password be selected in a totally random fashion. That's a tall order for humans, said David Evans, an assistant professor of computer science at the University of Virginia. "When humans make passwords, (they) are not very good at making up randomness," he said.

Furthermore, because people usually have several passwords to keep track of, locking user accounts with random but difficult-to-remember strings of characters such as "wX%95qd!" is a recipe for a support headache. "The idea is to make something that is easy to remember but that will make up a good password," he said.

Many security administrators focus their efforts on teaching users mnemonics for creating strong but memorable passwords. A common technique takes the first or last letter of each word in a saying or phrase familiar to the user. For example, with some random capitalisation and a few punctuation marks and digits substituted for letters, "Friends don't let friends give tech advice" might become "fD!Fg7a". The education doesn't seem to be sticking, and the password problem is getting worse as the proportion of less tech-savvy computer users grows.

Giving away the keys
In a recent study by security firm PentaSafe Security Technologies, the company found that four out of five workers would disclose their passwords to someone in the company if asked. That's the good news. Another study by the same company found that nearly two-thirds of the workers polled at Victoria Station in London gave the pollster their passwords when asked. Their reward? A cheap pen.

Little wonder, then, that companies are becoming increasingly worried that the keys to their information kingdom are being handled so poorly. "Passwords are one of the biggest security problems that corporate America has," said Chris Pick, associate vice president for product strategy at PentaSafe. "Employees should at least know their company's password policy, but they don't."

In fact, potential intruders value a password far more than the single computer it protects. A hacker who can get the password list from a server or PC can use those passwords to gain access to other computers on the network, bypassing all the high-tech security erected to keep him out. Moreover, once an intruder has collected the digital keys to a network, it's very hard for administrators to lock him back out.

"There are some ISPs who have had 40,000 passwords stolen," said Neohapsis' Shipley. "They are not going to tell all their users to change their passwords." Doing so would only alert a hacker that he has been detected, Shipley said, and the ISP has no way of knowing whether a legitimate user or the illicit trespasser has changed an account's password. "It's a support nightmare," Shipley said. "That's one hacker you aren't getting out of the system."

The best solution is to not let them in. To block hackers, security companies and researchers are increasingly focusing on strengthening the weak link posed by passwords. Many corporations have boosted user education, concentrating on drilling their employees in the company's password policy. Such policies determine what counts as a valid password, the minimum number of characters it must contain, and how often the keys to the account have to be changed. That still doesn't make the passwords any more memorable, researchers say.

Picture this
"The human limitation with precise recall is in direct conflict with the requirements of strong passwords," wrote University of California at Berkeley students Rachna Dhamija and Adrian Perrig in a recent paper discussing the possibility of a graphical password system called Deja Vu. Dhamija and Perrig, as well as several other researchers, are looking to capitalise on users' visual recall rather than their ability to memorise characters. Deja Vu creates collections of digital art from which a user chooses several images; the system then trains the user to remember the selection. Researchers at Microsoft, Lucent Technologies, New York University and the University of Virginia, among others, have studied techniques for creating graphical passwords.

Such systems have problems as well. While the resulting password tends to be more random than one made of characters, the user training has to be done in secret or others might be able to view the sequence of images that make up the password. Moreover, the same attributes that make graphical passwords easier for the user to remember make them easier to pick up by, say, a not-so-friendly co-worker looking over someone's shoulder, said Chris Wysopal, director of research and development for digital security firm @Stake. "Pictures are going to be easier to shoulder-surf than keyboard passwords," Wysopal said, adding that weaknesses in how such passwords are stored on the computer system could also make them vulnerable to cracking attempts.

While research has focused on creating new types of passwords, businesses are attempting to tackle the problem with single sign-on products that let one strong password unlock all the services on a network. By letting users focus on memorising just one password, the onus for security shifts to the administrators, who must force users to pick a strong password and change it frequently. This system has its own drawback, of course: a hacker able to wheedle that single password from a user gains access to everything that person had permission to use.

That has many nervous companies adopting so-called two-factor authentication, where the second factor is a smart card or a biometric. For the extremely security conscious, three-factor authentication is available as well. "If you want real high-level security," said University of Virginia's Evans, "people can authenticate themselves with something they know, like a password; something they have, like a smart card; and something they are, like a biometric."

With fingerprint scanners and smart-card readers still not a common option on computers, such technology isn't an immediate solution, said Chris Christiansen, an analyst with market researcher IDC. "There is a huge, huge range of alternatives to passwords," he said. "But nobody thinks passwords are going to go away." Until better alternatives are adopted, the users, and the passwords they choose, remain the greatest vulnerability.
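As an added illustration, not part of the original article and not Neohapsis' or John the Ripper's code, the Python below runs the kind of wordlist-plus-rules attack described in the opening paragraphs against a small constructed password file, and works out the eight-character keyspace arithmetic from the discussion of the Morris and Thompson paper. The file format, the salted SHA-256 hash, the user names and the plaintexts are all constructed for the example; real systems store hashes in crypt(3) formats such as bcrypt or sha512crypt that are deliberately far slower per guess.

```python
"""Added example (not from the article): a dictionary attack with simple
mangling rules against a constructed, shadow-style password file, plus
the brute-force time estimate for a genuinely random password.

Assumptions, all chosen so the example runs offline:
  - file lines are  user:salt:hexdigest
  - the hash is a single salted SHA-256 (a toy; real crypt(3) formats
    such as bcrypt or sha512crypt are iterated to slow each guess down)
"""
import hashlib


def hash_password(salt: str, password: str) -> str:
    """Toy salted hash. One SHA-256 per guess is why this cracks fast."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user: str, salt: str, password: str) -> str:
    return f"{user}:{salt}:{hash_password(salt, password)}"


# Constructed sample password file. The plaintexts mirror the choices the
# article describes: a word plus digits, a capitalised pet name, a plain
# dictionary word, and one genuinely random string for contrast.
SAMPLE_FILE = "\n".join([
    make_entry("alice", "Xy", "god123"),
    make_entry("bob", "q7", "Fluffy7"),
    make_entry("carol", "Lm", "wX%95qd!"),
    make_entry("dave", "Rr", "password"),
])

# A tiny constructed wordlist; a real one has millions of entries.
WORDLIST = ["secret", "god", "fluffy", "password", "letmein", "welcome", "dragon"]

# The "append a digit or two" habit, covered by trying 0-999 as suffixes.
SUFFIXES = ([""] + [str(n) for n in range(10)]
            + [f"{n:02d}" for n in range(100)]
            + [f"{n:03d}" for n in range(1000)])


def mangle(word: str):
    """Yield the variants a cracker tries for one word: case variants
    crossed with digit suffixes (about 3,300 candidates per word)."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def parse_file(text: str):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, salt, digest = line.split(":")
        entries.append((user, salt, digest))
    return entries


def crack(text: str, wordlist):
    """Offline attack: hash every candidate under each user's salt and
    compare. Returns ({user: plaintext}, total_guesses). The per-user salt
    forces a fresh pass per account, which is exactly what salts are for."""
    found = {}
    guesses = 0
    for user, salt, digest in parse_file(text):
        for word in wordlist:
            for candidate in mangle(word):
                guesses += 1
                if hash_password(salt, candidate) == digest:
                    found[user] = candidate
                    break
            if user in found:
                break
    return found, guesses


def brute_force_years(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random password: on average the
    attacker searches half the keyspace before hitting it."""
    keyspace = alphabet_size ** length
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    cracked, total = crack(SAMPLE_FILE, WORDLIST)
    print(f"{len(cracked)} of {len(parse_file(SAMPLE_FILE))} accounts cracked "
          f"after {total} guesses: {cracked}")
    print(f"Random 8-char printable-ASCII password at 8M guesses/s: "
          f"{brute_force_years(8, 95, 8_000_000):.1f} years on average")
```

Run as a script, the three human-chosen passwords fall in well under a second, while carol's random string survives the whole wordlist and is only reachable by the brute-force search, whose expected cost at the article's eight million guesses per second comes out at just over 13 years for the 95-character alphabet. Swapping the toy hash for an iterated format such as bcrypt changes neither the logic nor the outcome for the weak passwords; it only multiplies the time per guess.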