The Craziness of Passwords

Written By:
Content Copyright © 2010 Bloor. All Rights Reserved.

For many users, one of their only interfaces with information security is via their passwords. Once successfully logged into a system little of the security infrastructure that surrounds them is – or maybe better still should be – visible unless of course something goes wrong.

Unfortunately passwords are a nightmare to manage.

On the one hand we insist that passwords should be difficult to guess, and on the other hand we insist that users never write their passwords down. Never before have we expected so much of our users, and never before have we laid ourselves open to such ridicule.

This article will explore some issues about passwords, password management and user’s attitudes to the use of passwords. It is based on a webinar presentation given on 9/3/10 which is available for downloading.

Password 101: Creating Correct Passwords
Organisations all seem to have their own take on the correct use of passwords, but the basics of password creation seem to remain the same;

  • The password should be over 6 characters long, ideally around 12 or 14
  • Each password should contain a mix of numbers and symbols, lowercase and uppercase letters
  • The chosen password should not be in a dictionary, have number or letter sequences or contain information that can be guessed – such as the name of a partner, pet or child

And then we insist it should be easy to remember!

To complicate matters further, some organisations put in place password expiration policies, so that a given password will expire on a regular basis – maybe every 30 days. This can be implemented using system administration tools and users can normally be prevented from entering recently used passwords. This process of refreshing passwords may address issues such as brute force attacks, with the password being changed before an attacker has successfully tried every combination of letters and numbers, but the downside is that some systems allow passwords to be changed by simply adding an incremental number to the end of the password – hardly big time security.

It is better to break down the process of creating a passphrase into logical steps that allows users to form their own more robust secret code.

The first step is to think of a sentence. This can be as ridiculous as a user can think of, within reason. The most important point is that it means something to them, and hopefully only them. This phrase is then broken down into a row of letters that is then further mangled by the addition of extra characters, numbers and symbols.

The resultant pass code should be secure against most types of attack, assuming the user doesn’t write it down… Of course therein lies the flaw as the world’s most secure passphrase is only as secure as the post it note it is written on.

Password Implementations
Unfortunately, even with seemingly secure passwords we have been let down by the implementation of security systems.

One of the most famous is the LAN Manager hash (or LM hash), an algorithm that is very old dating back to the original days of Microsoft LAN Manager, a networking application that was sold in the early 1990’s. The LM hash uses DES, or Data Encryption Standard, which is a well known block cipher. Out of interest DES is showing its age and is now considered no longer fit for purpose as it only has a 56-bit key size, small enough to be brute force attacked within a few hours, but this is not the issue at hand.

In this case, the insecurity of the system is more in the way the security has been implemented rather than the specifics of DES itself. In essence the implementation of LM hash in Lan Manager introduced weaknesses many years ago and which still haunt us today.

This is how daft the implementation of LM Hash is;

  • First, passwords are restricted to the ANSI character set. As we have seen this produces a smaller number of character options for a hacker to attack.
  • Second, any password longer than 7 characters is divided into two and hashed separately. This basically creates two small targets to attack.
  • And finally, all lower case letters are changed to uppercase letters before the hash is computed, again further reducing the combination of letters that need to be guessed.

This has resulted in a weak password model that has been carried forward into later versions of Windows to ensure backwards compatibility, and it is only later versions of Windows such as Vista that switch off this capability by default.

In this case the implementation of the security system has let us down, not the user and their passwords.

Dictionary Words and Crackers
One of the cardinal rules of passwords given to users is Don’t use dictionary words. This is often met with a degree of incredulity as they cannot fathom out how anyone could possibly work out their password as there are lots of words in the dictionary.

Password crackers have been around for a long time, and are now very sophisticated pieces of software.

Popular password crackers often have huge lists of standard words. For example the John the Ripper password cracker has a set of word lists in over 20 languages plus lists of common passwords and derivatives (or mangled words) including: Afrikaans, Croatian, Czech, Danish, Dutch, English, Finnish, French, German, Hungarian, Italian, Japanese, Latin, Norwegian, Polish, Russian, Spanish, Swahili, Swedish, Turkish, and Yiddish.

This amounts to in excess of 40 million entries that can be quickly searched. To put that into context the Oxford English Dictionary has around 170,000 entries covering contemporary English language words.

Brute force attacks can often break passwords relatively quickly which shocks users. Here are some examples for a “fast” PC;

Password: karen
Possible combinations: