“ Hackers Beware “ New Riders Publishing 326 use confusing letters or they used only one—for example, no passwords containing the letter L or the letter o. This way, you would know that confusing items were really numbers. Usually, letters were left out because there were a lot more letters than numbers to choose from. The second thing companies did was they added vowels in key spots, so that the passwords were not dictionary words but were still pronounceable, like gesabaltoo. This made a password easier to remember because a user could at least sound it out. Another trick was to take dictionary words and replace letters with numbers—for example, ba1100n, where the letter l is replaced with one and o is replaced with zero. These, however, were quickly discarded because it is fairly easy to write a program that checks for these permutations. Despite these innovations, users still wrote their passwords down, because they had difficulty remembering them. Most companies eventually gave up and allowed users to pick their own passwords. The main concern was that users would use guessable passwords. Within a short time period, everyone’s concerns came true when companies realized that most users picked easy-to-guess passwords. In response, companies issued password policies that all users had to sign. These policies clearly stated that passwords must be hard to guess and other details. In most companies, these policies had little impact on the strength of passwords. Finally, companies decided that if users were going to pick their own passwords, there needed to be some way to automatically enforce the password policy. This was done by utilizing third-party programs that could be used to check a user’s password; if it did not adhere to the policy, the program would force the user to change it. This improved the strength of the password, but because they were harder to remember, people started writing their passwords down again. Future of Passwords Today, most companies are either fighting the endless battle with users or are using one-time passwords. One-time passwords can be expensive but provide a nice alternative. With a one-time password, a user is given a device that generates a new password at certain time intervals, usually every minute. This device is keyed with the server, so that both devices generate the same password at the same time. Now, when a user wants to log on to the system, she looks at the display and types in the password. This works nicely because a user has a different password each time he logs on. Even if an attacker gets the password, it is only good for one minute. “ Hackers Beware “ New Riders Publishing 327 In addition to time-based, one-time passwords, there are devices that support challenge response schemes. With these devices, the user provides his user ID to the system, and the system responds with a challenge. The user takes this challenge and enters it into the device. The device then provides a response that the user enters as the password. One issue with this scheme is that the device the user has to carry with her must allow her to provide input to the device. This tends to make the devices more expensive. A problem with both types of device is that they are subject to getting lost or stolen. With these devices, users do not have to remember passwords, but they do have to remember to keep the device with them at all times. If you look around and see how often people forget their badges, you can better understand the scope of the problem. Another technology that has been out for a while, but gets a lot of resistance, is biometrics. Biometrics uses human features to uniquely identify an individual. For example, everyone’s fingerprint is different, so why not have a fingerprint reader at each machine to determine if the user is really who he says he is? The following web site contains detailed information on biometrics and how some of the techniques work: http://www.biometricgroup.com/. The following are some of the common biometrics that are being used: • Fingerprint scan • Hand scan • Retinal scan • Facial scan • Voice scan Each of these techniques has different reliability, costs, and risks associated with it. Some of the advantages of biometrics are that it requires nothing for the user to remember, and the data is hard to forge. Both are key requirements for good authentication systems. Biometrics are also with a user at all times and are very difficult to lose. One of the biggest complaints about biometrics is invasion of privacy. Most people are very concerned about having their personal information stored and archived on servers. A lot of people view this as the first step toward large government databases, which would lead to no privacy. If you think about it, it can be very scary. Think of a system where someone can identify you anywhere and any time. Another concern is safety. Most people are not comfortable with someone scanning their eye, especially because this equipment has not been around long enough to know the long-term effects. The last problem is cost. Currently, having each user log on to the system with a password does not cost a lot of money. With “ Hackers Beware “ New Riders Publishing 328 biometrics, a reader has to be attached to every single device that a user could log on from. This means, if there are over 1,000 machines at a company, every single machine, including machines that are at employees’ homes that are used to log on remotely, must also have these devices installed. As you can imagine, the price tag for implementing this can easily exceed a million dollars for a mid-size company. As with any system, currently most companies have decided that the disadvantages outweigh the advantages and therefore are not using biometrics. However, as passwords get easier and easier to crack, you might see more and more companies looking towards biometrics as the solution. “ Hackers Beware “ New Riders Publishing 329 What Really Works: A Real Life Example As you can see from looking at the history of passwords, most of the things companies have implemented to protect passwords do not work, which can lead to a high level of frustration for the company and the end user. Based on the frustration factor, one of the most common questions I get asked when I lecture on this topic is, “What can we do, or what do you recommend to fix the problem?” If I merely told you what I have found to work, you might not believe me; so I will give some facts to back my position. When I headed up internal security for a fairly large company, one of the problems was passwords. When I first started, we scanned everyone’s passwords and were able to crack 80 percent of the passwords in ten minutes and 95 percent of the passwords in fewer than five hours. This was a huge security hole, so I put together a password policy that clearly stated that all passwords must contain at least one letter, one number, and one special character and should not contain a word. Two weeks later, I re-ran the password cracker and was able to crack 78 percent of the passwords in ten minutes. As you will see in the next section, password policies are important from a corporate and legal standpoint, but in some cases have little affect on the user. Next, I decided to send emails to users that consistently had weak passwords to explain to them the problem and asked them to pick a stronger password. We also sent them directions on how to change their passwords and said that if they needed any help, they could call us. Again, we ran the password cracking program and were still able to crack 77 percent of the passwords. As you can tell, we were not making a lot of improvements. Then, we decided to post paper messages on their monitors, so that we knew that they saw it. Besides causing several people to pull me aside and curse and verbally abuse me, it had no effect. Users became very upset because they felt that we were becoming big brother and taking too much control. If you enjoy being screamed at, this should be top on your list. Finally, I hit on somethin g that worked. I realized that most people at the company did not understand or appreciate security. I received permission from the CIO to have mandatory security awareness sessions. “ Hackers Beware “ New Riders Publishing 330 After the sessions, not only did users come up to me and explain that they always thought security people were annoying, but now they understood what a key role we play in the success of the company. I even had the unthinkable happen: difficult users came up to me and apolo g ized for g ivin g us a hard time and promised to do their part. If that last sentence does not make a believer out of you, the percentages will. After I gave the sessions to most of the employees, we ran the cracking program again and only cracked 18 percent of the passwords in ten minutes. If you decide to do hold security awareness sessions, here are some tips to make them successful: • Hold the session on a Thursday or Friday. • Serve food. • Have it during lunch or in the afternoon. • Limit it to no more than two hours with questions. • Make it interesting and involve the users. I usually like to hold the sessions at noon on Friday and serve pizza—what works even better is 2:30 on Friday and serve ice cream. It is amazing what you can get people to sit through if you g ive them food. If you serve hot fud g e with the ice cream, you can even get the CIO to show up! I knew that user awareness sessions were a good thing to do, but I did not realize the importance until after the sessions. Table 8.1 is a chart comparing the different methods of raising user awareness. Table 8.1. Methods of Raising User Awareness on Passwords Method Passwords Cracked in 10 Minutes Comments Nothing 80% This is what I find at most companies. Password policy 78% Even though there was not a huge impact, a policy is still critical. Email 77% Most users ignore email from security. Post Message 77% Users become irate. User awareness sessions 18% Clearly the best strategy. I am now a firm believer that the only way to have strong passwords and g ood security is to have educated users. Don’t take this the wron g way, but if you have user awareness sessions and it does not improve your security, you did it wrong. Let the users fill out feedback forms so that you know what areas you should change the next time you give these sessions. Also, limit them to “ Hackers Beware “ New Riders Publishing 331 around 30 people so that you can have good interaction. Even if your security does not improve, you will be known companywide as the cool dude that gives out ice cream, which isn’t a bad thing. Password Management Now that you have an understanding of the current problems, let’s look at password management issues. Most companies require users to come up with random passwords, but have no policies to support this requirement. Let’s look at why you need passwords and corresponding policies and what exactly I mean when I say you need strong passwords. Why Do We Need Passwords? The answer to this question might seem obvious, but believe it or not there are a lot of people that think passwords are a nuisance and should not be used. One common question users ask is “Why do we need passwords? Don’t we trust everyone?” The answer to that question is unfortunately “No, we do not trust everyone.” Trust me, I have a long list of companies that had no passwords because they trusted everyone. There is only one problem with the list, most of the companies are no longer in business! Trust your friends and family, not your employees. Another argument for trusting employees is, “We trust them everyday by giving them access to buildings and equipment, and they rarely steal computers. What makes us think they would steal information?” The answer to that is a little tricky. We trust users to a point. Most users would not steal computers because it is not easily done, is fairly easy to trace, and usually companies quickly realize the equipment is missing. Computers also have an obvious value. On the other hand, it is hard to tell if someone takes an unauthorized copy of a document home, and for most people, putting a value on a document is difficult. Based on the fact that it is hard to control access to electronic information, passwords are very important, not only to protect individual privacy but also to protect sensitive information and track who has access to it. Therefore, passwords provide a nice mechanism to uniquely identify individuals and only give them access to the information they need. Just like most houses have keys so people can secure their belongings, passwords provide the keys to protect corporate information. Why Do You Need a Password Policy? Even though password policies do not cause all users to have strong passwords, they are still important. One of the problems with security is “ Hackers Beware “ New Riders Publishing 332 that people are always looking for the silver bullet. They want one thing that will fix all of their security issues. Security policies, and more specific password policies, sometimes fall into this category. Administrators feel that if they have a strong password policy, they will never have to worry about weak passwords. That is far from the truth, but the policies are still necessary. Whenever you are implementing a new security measure, it is always important to have proper expectations. This way, you can tell how successful it is. Password policies are important for several reasons. First, it explains to users what is expected of them and what the rules of the company are in regard to passwords. Security professionals might take it for granted that a strong password contains letters, numbers, and special characters and is very hard to guess, but an average user probably does not know that. The security policy lets users know what passwords should contain and why passwords are important and gives hints for picking good passwords. If you just send out a policy stating that all passwords must contain certain letters and be hard to guess, most users will get frustrated and try to work around it. If you explain to them why this is important and give them hints, they are more likely to follow the policy. Another key aspect of the policy is enforcement. On one hand, your policy should state what action the company can take if a user does not follow the policy. For example, failure to adhere to the policy can result in termination of the employee. On the other hand, you do not want users to take it as a threat, because they get very defensive. If you have not figured it out, defensive users are very bad from a security standpoint. If you tend to have a large number of defensive and irate users, you might want to put a bulletproof vest in your security budget. (I actually did that once; unfortunately, the budget was not approved, but I tried.) You also want to make sure the policy can be consistently enforced. If the policy states that any employee who does not follow the policy will have a security violation put in her permanent record, this must be followed for any employee that has a weak password. Too often, companies use strong wording but only enforce the policy for some employees. In those cases, the employees that did not follow it have a strong case against the company. Consistency and precedence are key. Having a strong password policy is also beneficial for legal reasons. If a company wants to take a strong stance on security and be able to take legal action against an individual, it needs clearly documented policies. For example, let’s say that an attacker breaks into the company and compromises a large amount of information because of an employee’s weak password. To take action against the person with the weak password, the company needs a clear password policy that everyone is aware of and is signed and clearly enforced. Most users are not aware of “ Hackers Beware “ New Riders Publishing 333 this point, or this liability. If your company has a clear policy on passwords that it enforces and you (the employee) have a weak password that an attacker uses to compromise the system, you could be in some legal trouble. What Is a Strong Password? I keep talking about strong versus weak passwords, but what actually constitutes a strong password? Before I tell you what I consider a strong password, it is important to point out that the definition of a strong password can change drastically based on the type of business a company is in, its location, the people that work for the company, and so on. I stress this because the information I provide for what constitutes a strong password can change drastically based on your environment. This definition also changes as technology increases. What was considered a strong password five years ago is now considered a weak password. The main reason for this change is the speed of computers. A state-of-the-art computer system today is considerably faster and cheaper than what was state-of-the-art five years ago. A password that took several years to crack with the fastest computer five years ago can be cracked today in under an hour. So, as technology changes and computers become faster and cheaper, passwords must become stronger. Based on current technology, the following characteristics identify what I believe to be a strong password: • Changes every 45 days. • Minimum length of ten characters. • Must contain at least one alpha, one number, and one special character. • Alpha, number, and special characters must be mixed up and not appended to the end. For example, abdheus#7 is bad, but fg#g3s^hs5gw is good. • Cannot contain dictionary words. • Cannot reuse the previous five passwords. • Minimum password age of ten days. • After five failed logon attempts, password is locked for several hours. As you read this, you probably can come up with arguments on why some of the items are invalid, but the thing to remember is that there is no perfect solution. When you come up with a password policy, tradeoffs have to be made with the goal of finding the right mix that fits best with a particular company (and its users). “ Hackers Beware “ New Riders Publishing 334 How Do You Pick Strong Passwords? Most users have weak passwords because they don’t know what constitutes a strong password and therefore don’t know how to create strong passwords for their accounts. I recommend educating users to use phrases as their passwords instead of words. Picking a password that is easy to remember, contains no dictionary words, and has numbers and special characters is no easy task. Remembering a phrase, however, is fairly easy; you simply use the first letter of each word as your password. If I tell you that your password is WismtIs!@#$%5t, you would probably say, “There is no way that I can remember that password!” But if I ask you to remember the phrase, “When I stub my toe I say ‘!@#$%’ five times,” you could probably remember it. Simply take the first letter of each word in the phrase, and you have your password. I tell most people to pick a phrase that relates to their family or personal interests. You cannot use just a word that relates to family or personal interests, because it would be too easy for an attacker to guess; but because your are using phrases, it is okay to pick something related to your family or personal interests. For example, you will never forget when or where your child was born. So, one possible phrase is, “My 1 st child was born at Oakridge Hospital on 7/14.” Now my password would be M1cwb@Oho7/14. That password would be extremely difficult for an attacker to guess, even if he knows when and where your child was born, because there are so many different combinations and phrases that you can use. I have found that educating users and explaining to them how to pick phrases instead of words has a tremendous impact on the overall strength of passwords for a corporation. How Are Passwords Protected? So far in this chapter, we have covered a lot about passwords from a user’s perspective and things users can do to make their passwords harder to crack. Basically, if a user has a weak or blank password, there is no need to crack the password—an attacker would just guess it. In cases where a password cannot be easily guessed, an attacker has to crack the password. To do this, he must know how passwords are stored on the system. Let’s look at it from a system perspective. What does the system do to keep passwords secure? Basically, any password stored on a system must be protected from unauthorized disclosure, unauthorized modification, and unauthorized removal. “ Hackers Beware “ New Riders Publishing 335 Unauthorized disclosure plays a key role in password security. If an attacker can obtain a copy of your password and read it, he can gain access to the system. This is why it is important that users do not write down their passwords or reveal them to co-workers. If an attacker can obtain a copy of a user’s password, he can become that user, and everything the attacker does could be traced back to that user. Unauthorized modification is important, because even if an attacker cannot read your password, he still might be able to modify it by overwriting the password with a word that he knows. This, in essence, changes your password to a value that the attacker knows, and he can do this without knowing the user’s actual password. This has been a problem with various operating systems. In early versions of UNIX, there were attacks where an attacker could not read someone’s password, but would just overwrite the encrypted password with an encrypted password that the attacker knew. On early UNIX systems, the user IDs and passwords were stored in a readable text file called /etc/passwd. An attacker would create an account and give it a password that he knew. He would then try to gain writable access to /etc/passwd and if he could, he would copy the encrypted password of the account he just set up and overwrite the encrypted password of root. Then he could log in as root, without ever knowing the original password of root. A similar modification attack is available with Windows NT. There is a program called LinNT, which creates a Linux bootable floppy for NT. An attacker could boot off the floppy, which would boot the system into Linux. This allows the attacker to list the user accounts on the NT system and overwrite any of the passwords with a password he chooses. This allows an attacker to perform an unauthorized modification of a password, without ever knowing the user’s original password. Unauthorized removal is also important because if an attacker can delete an account, he can either cause a Denial of Service attack or recreate the account with a password of his choosing. Denial of Service attacks are a class of attacks where the goal is to deny legitimate users access to the system. For example, if over the weekend I broke into your system and deleted every user account, I would cause a Denial of Service attack because when everyone came in on Monday, they could not log on to the system and they would be denied access. Chapter 6, “Denial of Service Attacks,” covers these attacks in detail. To protect passwords from unauthorized disclosure, modification, and removal, passwords cannot be stored in plain text on the system. Think about this for a minute. If there is a text file on the system that contains all of the passwords, it would be trivial for someone to just read the file and get everyone’s password. To defeat this, there needs to be a more [...]... on the user account, the system looks up the user and finds her salt and encrypted password The system takes the password that the user entered, combines it with the salt, and runs it through the hash function The system then takes the output and compares it to the stored encrypted string If there is a match, the user is given access If there is not a match, the user is denied access “ Hackers Beware. .. cracker to check the strengths of passwords without ever cracking the passwords “ Hackers Beware “ New Riders Publishing 3 45 For example, in most companies, there are separate administrators who are responsible for certain machines In these cases, you might not want the security administrator to know the password for every machine because the risk factor is too high The security administrator can still... stores it The problem with this is that if two people have the same password, the hash is the same The way the system uses a salt is that for each user it calculates a random number— the salt When the user enters a new password, the system first combines the password with the salt and then computes the hash The system not only stores the hash, but also the salt with the user ID Now, when a user authenticates... every 60 days The administrator overheard people saying that “ Hackers Beware “ New Riders Publishing 342 they had the same password for the last six months After further investigation, they realized that users were changing their passwords to new passwords, immediately changing the passwords five times to overcome the restriction, finally changing them back to the old passwords In other words, users... but “ Hackers Beware “ New Riders Publishing 353 L0phtcrack is the most versatile program with the most features, and it is also the easiest to use In addition to L0phtcrack, this chapter covers several other programs and compares their different features The bulk of this chapter is devoted to using these programs and learning how they can help improve and strengthen your password security A major theme... before running these tools on your network Unless you are the owner and CEO of the company, always check with someone above you and get written permission prior to running these tools Even if you are the VP of security, check with the CTO, because what you think is reasonable and part of your job might be thought of very differently by senior executives Also, never use these tools to try to embarrass... passwords with that salt to see if there was a match Once there was a match, the attacker would have to move on to the next user and do the same thing As you can see, this would take a much longer time to perform This is not a big deal if there are only 5 accounts on the system, but imagine if there are 5, 000 accounts, each with a different salt With that many users, you can start to see the benefit of using... being the number zero) is an NT password-auditing tool that computes NT passwords based on the cryptographic hashes stored on the operating system For security reasons, and as covered in “ Hackers Beware “ New Riders Publishing 359 Chapter 8, “Password Security, ” the operating system does not store passwords in clear-text The passwords are encrypted using a one-way hash algorithm and are stored on the. .. finding the encryption algorithm, would be difficult, but it is based on the philosophy of encryption algorithms The security of an encryption algorithm is based on the key that is used and not on the secrecy of the algorithm Because there is no way to prove whether an encryption algorithm is secure, the closest you can get to proving it is secure is to give it to a bunch of smart people; if they cannot... Windows-directory\repair This copy is not very useful because no other accounts have been setup yet; it only contains the default accounts Remember, however, that the administrator is a default account This is another reason to make sure your administrator account has a strong password If the administrator updates the repair disk, this information is also updated “ Hackers Beware “ New Riders Publishing 355 How . The system then takes the output and compares it to the stored encrypted string. If there is a match, the user is given access. If there is not a match, the user is denied access “ Hackers. response that the user enters as the password. One issue with this scheme is that the device the user has to carry with her must allow her to provide input to the device. This tends to make the devices. device is that they are subject to getting lost or stolen. With these devices, users do not have to remember passwords, but they do have to remember to keep the device with them at all times.