The Internet Encyclopedia (Volume 3)

WL040C-01 WL040/Bidgoli-Vol III-Ch-01 June 24, 2003 10:39 Char Count= 0

Passwords

Jeremy Rasmussen, Sypris Electronics, LLC

Introduction 1
Types of Identification/Authentication 1
History of Passwords in Modern Computing 2
Green Book: The Need for Accountability 2
Password Security—Background 3
Information Theory 3
Cryptographic Protection of Passwords 3
Hashing 3
Password Cracking Tools 4
Password-Cracking Approaches 4
Approaches to Retrieving Passwords 5
Password Sniffing 5
Types of Password-Cracking Tools 6
Password Security Issues and Effective Management 6
Enforcing Password Guidelines 6
Guidelines for Selecting a Good Password 7
Password Aging and Reuse 7
Social Engineering 7
Single Sign-On and Password Synchronization 8
Unix/Linux-Specific Password Issues 8
Microsoft-Specific Password Issues 8
Password-Cracking Times 9
Password Length and Human Memory 9
An Argument for Simplified Passwords 10
Conclusion 11
Glossary 11
Cross References 12
References 12
Further Reading 13

INTRODUCTION
The ancient folk tale of Ali Baba and the forty thieves mentions the use of a password. In this story, Ali Baba finds that the phrase “Open Sesame” magically opens the entrance to a cave where the thieves have hidden their treasure. Similarly, modern computer systems use passwords to authenticate users and allow them entrance to system resources and data shares on an automated basis. The use of passwords in computer systems likely can be traced to the earliest timesharing and dial-up networks. Passwords were probably not used before then in purely batch systems.

The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In a password-based authentication mechanism implemented on a computer system, passwords are vulnerable to compromise due to five essential aspects of the password system:

Passwords must be initially assigned to users when they are enrolled on the system;
Users’ passwords must be changed periodically;
The system must maintain a “password database”;
Users must remember their passwords; and
Users must enter their passwords into the system at authentication time.

Because of these factors, a number of protection schemes have been developed for maintaining password security. These include implementing policies and mechanisms to ensure “strong” passwords, encrypting the password database, and simplifying the sign-on and password synchronization processes. Even so, a number of sophisticated cracking tools are available today that threaten password security. For that reason, it is often advised that passwords be combined with some other form of security to achieve strong authentication.
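As an added illustration, not code from the chapter, the following Python sketch shows how the five aspects listed above map onto a minimal password database: enrollment stores a random salt and a slow one-way hash rather than the password itself, authentication re-derives the hash and compares it in constant time, and a maximum password age forces the periodic change the text calls for. The class name PasswordDB, the iteration count and the 90-day age limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed policy values for this illustration, not figures from the chapter.
PBKDF2_ITERATIONS = 100_000
MAX_PASSWORD_AGE = 90 * 24 * 3600  # seconds before a change is required

class PasswordDB:
    """Minimal password database: keeps salt and hash, never the password."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest, time_set)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Slow, salted one-way function: a stolen table does not yield the
        # passwords directly, and equal passwords get different digests.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, user: str, password: str, now: float) -> None:
        """Initial assignment, or a periodic change, of a user's password."""
        salt = os.urandom(16)
        self._records[user] = (salt, self._derive(password, salt), now)

    def verify(self, user: str, password: str, now: float) -> str:
        """Authentication-time check; returns 'ok', 'expired' or 'denied'."""
        rec = self._records.get(user)
        if rec is None:
            return "denied"
        salt, digest, time_set = rec
        # Constant-time comparison so timing does not leak how much matched.
        if not hmac.compare_digest(self._derive(password, salt), digest):
            return "denied"
        if now - time_set > MAX_PASSWORD_AGE:
            return "expired"  # right password, but the aging policy demands a change
        return "ok"

def demo() -> dict:
    """Constructed walk-through of the five aspects listed in the text."""
    db, t0 = PasswordDB(), 1_000_000.0
    db.enroll("alice", "correct horse", now=t0)  # initial assignment
    out = {
        "right": db.verify("alice", "correct horse", now=t0 + 60),
        "wrong": db.verify("alice", "Correct horse", now=t0 + 60),
        "unknown": db.verify("bob", "anything", now=t0 + 60),
        "stale": db.verify("alice", "correct horse", now=t0 + MAX_PASSWORD_AGE + 1),
    }
    db.enroll("alice", "new passphrase", now=t0 + MAX_PASSWORD_AGE + 1)  # periodic change
    out["renewed"] = db.verify("alice", "new passphrase", now=t0 + MAX_PASSWORD_AGE + 2)
    return out
```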

TYPES OF IDENTIFICATION/
AUTHENTICATION
Access control is the security service that deals with granting or denying permission for subjects (e.g., users or programs) to use objects (e.g., other programs or files) on a given computer system. Access control can be accomplished through either hardware or software features, operating procedures, management procedures, or a combination of these. Access control mechanisms are classified by their ability to verify the authenticity of a user. The three basic verification methods are as follows:

What you have (examples: smart card or token);
What you are (examples: biometric fingerprint [see Figure 1] or iris pattern); and
What you know (examples: PIN or password).

Of all verification methods, passwords are probably the weakest, yet they are still the most widely used method in systems today. In order to guarantee strong
