Building blocks to security: Passwords -- the first line of defense

By Sandra Henry-Stocker, Unix Insider

Passwords -- the first line of defense and the oldest form of security on Unix systems -- might seem a very tired topic. You might even think there would be nothing left to say about passwords but, even today, people are making the same basic mistakes -- choosing obvious passwords, writing passwords down, or sharing passwords -- that they were making 10 years or more ago. When even a systems administrator is likely to set a user's password to "password" whether by intention or because the user has requested it, one has to wonder how much of our new awareness of the importance of system security has impacted day-to-day operations.

Even if user password choices are much the same as they were 10 years ago, however, two dramatic changes have taken place. For one, the number of passwords and other secret codes that each of us has to remember has increased dramatically. Given online banking, online bill paying, access codes for voicemail and unlocking cell phones, secret codes for ATMs, passwords for logging in to Websites, and security codes for offices and maybe even homes, the fact is that we are reaching the point at which we simply have too many secret codes to remember without some kind of crutch, whether it be paper or something else altogether. We run the risk of being locked out of our various accounts and maybe even our homes and offices by an excess of secret codes. If we set all of our passwords the same or write them down to compensate, we introduce risks of another kind.

The second change that has occurred -- the increasing use of security tools -- is a boon to security. Usage of tools -- such as personal firewalls, VPNs, and ssh -- that limit password and data exposure has roughly paralleled the growth of telecommuting. Telecommuters can now securely log in to work systems and update program and data files without fear that they are risking their company's code or Internet presence.

Balancing these two changes -- the password explosion and the general availability of security tools -- against each other, where do we stand with respect to the vulnerability of passwords today? Before we answer this question, let's review why passwords are vulnerable in the first place.

Basic authentication

In the simplest and most common form of authentication (the process of verifying the identity of an individual), only the user's login name and password are used. The assumption is, of course, that only the intended user knows the password. Since the username is effectively public (i.e., it is almost always the user's email address as well and printed on business cards), the secrecy of the password is the only thing that stands between an imposter and the user's files.

Typical computer users, even today, seem to think that some "clever" substitution of letters (e.g., replacing the letter "o" with the digit "0") or a keyboard pattern (e.g., "qwerty") is sufficient to make their passwords hard to guess. In fact, there are extremely few, if any, tricks of this nature that haven't been thought of by those who seek to break passwords. A safer bet is to assume that any clever scheme you can imagine has already been thought of by hundreds, if not thousands, of people.

Passwords are vulnerable for two basic reasons: 1) they are often passed over networks in clear text, and 2) given adequate resources (knowledge, tools, and compute power), they can be guessed or broken.

Even if your password is a "good password" according to the most stringent security guidelines, it may still be vulnerable. Any Unix user with the root password to the box on his desk can sniff passwords off the network, and many users still exclusively use tools like telnet that transmit passwords in clear text. One of the oldest and simplest hacking tricks in the book is to use a sniffer to grab telnet packets off the network and extract the username and password. You don't even need any special tools; the ones needed are typically built into the operating system.

The worst passwords are those that are easy to guess. If you make your password the same as your home address (e.g., 7610Park), anyone who knows your address and knows your habits might guess it. If you're a sports fan or love classical music -- in fact, if you have any obvious interests -- you should be especially careful to avoid using names and words related to these interests as passwords.
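As an added example (not from the article), here is the kind of check an administrator could run when a user picks a new password, covering both this passage and the earlier one on "clever" substitutions: it undoes common letter-for-digit swaps, spots keyboard runs, and compares the candidate against personal facts the administrator already knows, such as a street address. The word list, keyboard rows and substitution table are constructed for illustration and would be replaced by a real dictionary in practice.

```python
import re
from typing import Iterable, List

# Constructed mini word list. A real check would load the system dictionary
# (for example /usr/share/dict/words) plus site-specific words.
WEAK_WORDS = {"password", "welcome", "letmein", "secret", "sunshine"}

# Rows of a US keyboard; a run of 4 or more adjacent keys is a pattern.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Undo the usual "clever" substitutions so "p@ssw0rd" is compared as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reverse substitutions, lower-case, and drop a trailing digit or
    punctuation suffix such as the '99' in 'Welcome99'."""
    return re.sub(r"[^a-z]+$", "", pw.translate(LEET_MAP).lower())


def has_keyboard_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` consecutive keys from one keyboard row,
    read forwards or backwards (e.g. 'qwer', 'poiu', '4321')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + length] in low for i in range(len(seq) - length + 1)):
                return True
    return False


def check_password(pw: str, user_facts: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate password is weak; an empty list means it
    passed. user_facts carries per-user data the administrator already knows,
    such as the home address or a favourite team (constructed here)."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    core = normalize(pw)
    if core in WEAK_WORDS:
        reasons.append(f"dictionary word once substitutions are undone: {core!r}")
    if has_keyboard_run(pw):
        reasons.append("contains a keyboard pattern")
    low = pw.lower()
    for fact in user_facts:
        tokens = re.findall(r"\w+", fact.lower())
        if any(len(t) >= 4 and t in low for t in tokens):
            reasons.append(f"derived from personal information: {fact!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "Welcome99", "Qwerty123!", "7610Park",
                      "correct-horse-battery"):
        print(candidate, "->", check_password(candidate, ["7610 Park"]) or ["ok"])
```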
