Wednesday, March 19, 2008

What are Passwords?

Passwords are strings of characters used to authenticate computer system users.

Computer users are normally asked to enter their username (or login name) and their password (or passphrase) before they are given access to a system.

If the person knows the username and the password, the computer system trusts that they are the account owner and grants them access to that account's data.



Selecting a good password

Choosing a good password is critical for personal security: it forces a password cracker to spend more time and resources to get at your personal information and computer credentials. A poor password creates a false sense of security, may expose your personal information and computer resources, and may even allow another individual to launch attacks or spread viruses under your credentials.


Password Construction

Password crackers have many tools at their disposal to cut down the time it takes to crack your password. Selecting a secure password helps ensure that the cracker must spend as much time as possible guessing or otherwise identifying it. No password is ultimately secure, but if cracking the password takes longer than the password stays useful, you have thwarted the cracker's attack.



Insecure methods

  • Passwords should not be created using personal information about yourself or your family. A password cracker with incentive to break your personal password will use this information first, making these passwords the least secure passwords. Examples of bad passwords of this type are: your name, birthplace, nickname, family name, names of pets, street address, parents names, names of siblings and the like.
  • Passwords should not be formed of words out of any dictionary or book. Longer words do not generally add much protection. Using known words in any language allows the password cracker to take shortcuts in his password cracking schemes, allowing him to guess your password in a very small fraction of the time it would take otherwise. Examples of bad passwords of this type are: dragon, secret, cheese, god, love, sex, life and similar words.
  • Passwords should not be composed of proper nouns of places, ideas, or people. These words are commonly found in password cracker databases. Examples are: Jehovah, Tylenol, edutainment, Coolio, beesknees, transformers.
  • Passwords should not be simple variations of words. Although these passwords don't appear in a book or dictionary, it is a simple matter to generate such variations automatically: cracking tools apply "mangling rules" (reversal, capitalization, digit-for-letter substitution, appended digits) to every word in their lists. These passwords are more secure than the examples above, but not significantly so. Examples of passwords of this type are drowssap, l0ve, s3cr3t, dr@gon, and similar word-like terms.
  • Passwords should not be a concatenation of two words commonly following each other in a sentence. These passwords are more secure than the above password concepts, but still fall far short for password security. Examples of these kinds of passwords are: whatfor, divineright, bigpig, ilove, farfetched, catspajamas.
  • Do not reuse recently employed passwords. If you find it difficult to pick a new password, wait until you have changed your password at least 5 times, or 12 months if password changes are frequent, before reusing an old one.

Secure methods

  • Always change your password immediately if you feel that your password has been compromised. Always do this directly. Never follow links sent to you in email, through an instant messenger client, or from a phone call you received. Ask for administrative assistance if you have trouble changing your password.
  • Do not write your password down where others may find it. If you must write it down, ensure it is in a locked location that is only accessible to you. Hiding your password in places you feel it is unlikely to be found is not helpful. Password crackers have a criminal mind, and generally know where to look.
  • Change your password on a regular schedule, at least every six months. This throws off any cracking effort that is still in progress, and it limits the damage if your password has been compromised in some other way without your knowledge. (Later guidance, NIST SP 800-63B from 2017, advises against forcing routine periodic changes unless compromise is suspected, because scheduled rotation pushes users toward weak, predictable variations of the old password; changing a password immediately on suspicion of compromise remains essential either way.)
  • Select passwords that use a mixture of capital letters, numbers, and special characters. Take heed however, some systems do not allow you to use some or any special characters. Make sure you check the password criteria for the system you are using ahead of time, if possible.
  • Substituting numbers for letters (and letters for numbers) is not a primary way to secure a password: as noted above, crackers apply these substitutions to dictionary words automatically. Applied on top of an already strong password it adds one more layer, and it keeps the password from being guessed outright by someone who happens to know the phrase behind it.
  • Where the system does not allow long passwords (fewer than 14 characters), build one from a passphrase by taking the letter in a specific position of each word. An example is "jJjshnImn2". It is unlikely that any cracker would guess this password, yet it is easy to remember once you note the passphrase "John Jacob Jingleheimer Schmidt, his name is my name too". Notice the number substitution (2 for "too") and the capitalization in the password.
  • The best passwords are complete phrases, if the system allows them; they are called "passphrases" for this reason. For example, a good passphrase might be "I clean my Glock in the dishwasher." Pick a phrase of your own rather than a quotation, lyric or proverb, since those are collected in crackers' lists just as dictionary words are. Number and letter substitution can be applied to passphrases as well. Longer passphrases generally mean better security.
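To make the two lists above concrete, here is an added example (written for this edit, not code from the original post) of the rule-based guessing that password crackers such as John the Ripper and hashcat automate. A constructed wordlist is expanded by reversal, "leet" substitution, three case forms and two-word joins, and the candidates are run against unsalted SHA-256 hashes standing in for a leaked credential dump. The wordlist, the substitution table, the target hashes and the candidate list are all constructed for the example; every one of the page's bad examples falls in about a thousand guesses, while the passphrase-derived "jJjshnImn2" and the full passphrase survive.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed wordlist standing in for a cracker's dictionary (real ones hold millions).
var wordlist = []string{"password", "dragon", "secret", "cheese", "god", "love", "sex",
	"life", "what", "for", "divine", "right", "big", "pig", "i", "far", "fetched",
	"cats", "pajamas", "john", "tylenol", "coolio"}

var leet = map[rune]rune{'a': '@', 'e': '3', 'i': '1', 'o': '0', 's': '$', 't': '7'} // minimal table; real rule files are far larger

// leetVariants returns the word unchanged, with each substitutable letter replaced on
// its own (all occurrences), and with every substitutable letter replaced at once.
func leetVariants(word string) []string {
	all := strings.Map(func(r rune) rune {
		if l, ok := leet[r]; ok {
			return l
		}
		return r
	}, word)
	out := []string{word, all}
	for from, to := range leet {
		if v := strings.ReplaceAll(word, string(from), string(to)); v != word {
			out = append(out, v)
		}
	}
	return out
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// candidates expands the wordlist by rule: plain and reversed words, leet substitution, three case forms, every two-word join.
func candidates(words []string) []string {
	seen := map[string]bool{}
	var out []string
	add := func(s string) {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	for _, w := range words {
		for _, base := range []string{w, reverse(w)} {
			for _, l := range leetVariants(base) {
				add(l)
				add(strings.ToUpper(l[:1]) + l[1:])
				add(strings.ToUpper(l))
			}
		}
	}
	for _, a := range words {
		for _, b := range words {
			add(a + b)
		}
	}
	return out
}

// sha256Hex mimics an unsalted hash from a poorly built credential store.
func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// crack tries every candidate against the target hashes; returns hash -> plaintext.
func crack(targets map[string]bool) map[string]string {
	found := map[string]string{}
	for _, c := range candidates(wordlist) {
		if h := sha256Hex(c); targets[h] {
			found[h] = c
		}
	}
	return found
}
var samples = []string{"dragon", "drowssap", "l0ve", "s3cr3t", "dr@gon", "whatfor",
	"bigpig", "catspajamas", "jJjshnImn2", "I clean my Glock in the dishwasher."} // constructed: the page's bad examples plus two good ones

func main() {
	targets := map[string]bool{}
	for _, s := range samples {
		targets[sha256Hex(s)] = true
	}
	found := crack(targets)
	for _, s := range samples {
		_, ok := found[sha256Hex(s)]
		fmt.Printf("cracked=%-5v %q\n", ok, s)
	}
}
```

The point is the ratio: a handful of rules turns 22 words into more than a thousand guesses, and a real rule file turns a multi-million-word list into billions, all of which a modern GPU tries in seconds against unsalted hashes. A passphrase that is not itself in any list is outside that search space no matter how many rules are applied.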




Password Secrecy

Passwords are useless if they are distributed to anyone other than their intended users. Below is a list of methods to keep your passwords private.

  • If you have a large number of passwords to remember, or you do not trust yourself to remember the important ones, you can use your computer to help store them. Encrypt your password list under a strong master password using reliable encryption software. Many password managers are available for this purpose; for experienced users, GNU Privacy Guard (GnuPG) and Pretty Good Privacy (PGP) are free for individual use. Make sure you know how to use encryption properly; misuse of encryption technology can defeat the whole purpose of using it. Seek help from someone experienced with encryption, or purchase commercial encryption software, if the concepts are not clear to you. Do not store your encrypted password list, or your encryption keys, anywhere another person may gain access to them.
  • Refrain from using the same password on multiple systems, especially systems that do not serve the same function. Never use passwords you use on Internet forums, games, websites, or otherwise for any important password. It is trivial for the owners of these systems to extract your passwords if they are willing.
  • Never tell anyone a password through e-mail, instant messenger clients, chat rooms, forums or other shared environments. These conversations are almost never entirely private. Do not tell someone your passwords over a cell phone or cordless telephone either, as these are insecure media for conversation and are easily monitored. If you must tell someone a password over a telephone land line, make sure the party you are speaking with is the only listener. You can check that nobody else is on the line, and that the caller is who they claim to be, by calling the other party back on a number you know belongs to them.
  • Do not use shared passwords unless it is entirely unavoidable. A password shared between multiple users prevents anyone from determining which user performed which actions.
  • Of course, never tell your passwords to anyone. Once you tell someone else your password, you no longer have control over the scope of password knowledge. If you absolutely must share your account access to a computer system, change the password to a new password first before sharing it, and then change the password back to its original form once the other users are done performing the necessary efforts.
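As an added example of the encrypted password list described above (written for this edit; not code from the original post or from any of the products it names), here is a minimal store that derives an AES-256 key from the master password with PBKDF2-HMAC-SHA256 and encrypts the list with AES-GCM, so a wrong master password or a tampered file is rejected rather than silently decrypted to garbage. The file layout, the iteration count, the sample list and the master password are this example's own choices. PBKDF2 is written out (it is RFC 8018, not anything from the page) so the program needs only Go's standard library; real code should use a vetted implementation, and a memory-hard KDF such as scrypt or Argon2 where one is available.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	nonceLen   = 12     // AES-GCM standard nonce size
	keyLen     = 32     // AES-256
	iterations = 600000 // PBKDF2-HMAC-SHA256 work factor; OWASP's 2023 minimum
)

// pbkdf2 is PBKDF2-HMAC-SHA256 as specified in RFC 8018, written out so the example
// needs only the standard library. Real code should use a vetted implementation.
func pbkdf2(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the password list under a key derived from masterPassword. A fresh random
// salt and nonce are drawn on every call and stored in the clear ahead of the ciphertext,
// bound to it as associated data. Layout: salt || nonce || ciphertext+tag.
func Seal(masterPassword, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := aead(pbkdf2(masterPassword, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), header...)
	return gcm.Seal(out, nonce, plaintext, header), nil
}

// Open reverses Seal. A wrong master password, or any change to salt, nonce or
// ciphertext, fails the GCM tag check and returns an error instead of garbage.
func Open(masterPassword, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("store too short")
	}
	header := blob[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := aead(pbkdf2(masterPassword, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, blob[len(header):], header)
	if err != nil {
		return nil, errors.New("wrong master password or store tampered with")
	}
	return pt, nil
}

func main() {
	master := []byte("my master passphrase for the example") // constructed
	blob, err := Seal(master, []byte("bank.example alice pw=...\n")) // constructed list
	if err != nil {
		panic(err)
	}
	pt, err := Open(master, blob)
	fmt.Printf("decrypted %q err=%v\n", pt, err)
	_, err = Open([]byte("wrong password"), blob)
	fmt.Println("wrong master password:", err)
}
```

Three properties are what "using encryption properly" means here: the key is derived with a slow, salted KDF so an attacker who steals the file still has to brute-force the master password at 600,000 HMACs per guess; the cipher is authenticated, so a wrong password or a flipped byte yields an error and never a partially decrypted list; and the salt and nonce are fresh for every write, so two saves of the same list never share key material.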

Two-Factor Authentication

The original password concept has been shown to be insecure. Passwords have been compromised without the user's knowledge, through coercion, or because the user was conned into revealing them. The core problem with legacy passwords is that it is very difficult or impossible for an administrator or a computer system to tell a legitimate user from an illegitimate one gaining access with the same password. Because of this inherent flaw in the original password system, two-factor authentication was introduced.

A password is "something you know," information understood to be known by a single individual. Two-factor authentication systems add a second factor, "something you have": an electronic card key, electronic token, dongle, fob or some other physical item you keep in a secure place when not in use. A common replacement for this second factor where higher levels of security are needed is "something you are": a fingerprint, retina pattern, a person's weight, specific vital signs, or a combination of these is used in place of the electronic device. The biometric factor has been found to be unreliable, not because it admits people who should be refused when used properly, but because it tends to reject legitimate users (false rejections) due to sickness, physical body changes, or other physical impairments.

There are two common methods of authentication when users use electronic components for two-factor authentication, response-only, and challenge-response systems.

Response-only systems require the user to present the electronic device to a reader, or to type in data the device displays without any input from the user. The user supplies a username or PIN that is not known to outsiders and then enters the credential data the device generated when prompted. Where the system checks only the device output and asks for nothing the user knows, the mechanism collapses back to single-factor authentication: possessing the item is enough. The standard electronic card key used to enter a facility or building perimeter is an example; the user need not provide any other factor to prove their identity.

Challenge-response systems require the user to enter a specific passphrase or PIN into the electronic device before it produces the proper credential data. This variant is always two-factor authentication, since the user must provide both "something they know" (the PIN) and use "something they have" (the electronic device).

Both response-only and challenge-response systems can be defeated if the user reveals the private information they keep secret, such as their username or PIN code, and the attacker also takes possession of the electronic device. Due to this weakness, the biological factor was introduced.

Biometric factors have been in use for several decades and, within the limits noted above, have proven a reliable way to keep unauthorized users out of secure systems or environments, regardless of whether the passwords involved have stayed private. Systems check fingerprints, retina patterns, weight, ambient temperature, and other biological signs to determine the authenticity of the user requesting access. Movies portray these systems being defeated by cutting off body parts, using retinal masks, or forcing legitimate users to bypass the mechanism for the attacker. These are largely Hollywood schemes and rarely work in the real world. In most cases where this level of security is required, entry points are monitored, locally or remotely, by cameras and security personnel; deadlock portals, remotely activated magnetic locks on entranceways, and visual identification are the norm.

Many simple methods have been devised to defeat weakly designed biological factor systems, so be sure you thoroughly test the security measures you plan to put in place before implementation.
