Passwords Part-03

Passwords Part-01

Passwords Part-02

Passwords Part-03

Single Sign-On and Password Synchronization

One issue that has irritated users in large secure environments is the burgeoning number of passwords they have to remember to access various applications. A user might need one password to log onto his or her workstation, another to access the network, and yet another for a particular server. Ideally, a user should be able to sign on once, with a single password, and be able to access all the other systems on which he or she has authorization.
Some have called this notion of single sign-on the “Holy Grail” of computer security.

Password - PsvpTamil

The goal is admirable to create a common enterprise security infrastructure to re-place a heterogeneous one. And it is currently being at-tempted by several vendors through technologies such as the Open Group’s Distributed Computing Environment (DCE), MIT’s Kerberos, Microsoft’s ActiveDirectory, and Public-Key Infrastructure (PKI)-based systems. However, few, if any, enterprises have actually achieved their goal. Unfortunately, the task of changing all existing applications to use a common security infrastructure is very difficult, and this has further been hampered by a lack of consensus on a common security infrastructure. As a result, the disparate proprietary and standards-based solutions cannot be applied to every system. In addition, there is a risk of a single point of failure. Should one user’s pass-word be compromised, it is not just his local system that can be breached but the entire enterprise.

Password synchronization is another means of trying to help users maintain the passwords that they use to log onto disparate systems. In this scheme, when users periodically change their passwords, the new password is applied to every account the user has, rather than just one. The main objective of password synchronization is to help users remember a single, strong password. Password synchronization purports to improve security because synchronized passwords are subjected to a strong password policy, and users who remember their passwords are less likely to write them down.

To mitigate the risk of a single system compromise being leveraged by an intruder into a network-wide attack:
Very insecure systems should not participate in a password synchronization system,
Synchronized passwords should be changed regularly, and
Users should be required to select strong (hard to guess) passwords when synchronization is introduced.

Unix/Linux-Specific Password Issues
Traditionally on Unix and Linux platforms, user information, including passwords, is kept in a system file called /etc/passwd. The password for each user is stored as a hash value. Despite the password being encoded with a one-way hash function and a salt as described earlier, a password cracker could still compromise system security if he or she obtained access to the /etc/passwd file and used a successful dictionary attack. This vulnerability can be mitigated by simply moving the passwords in the /etc/passwd file to another file, usually named /etc/shadow, and making this file readable only by those who have administrator or “root” access to the system.
In addition, Unix or Linux administrators should ex-amine the password file (as well as the shadow pass-word file when applicable) on a regular basis for potential account-level security problems. In particular, it should be examined for the following: Accounts without passwords. UIDs of 0 for accounts other than root (which are also superuser accounts). GIDs of 0 for accounts other than root. Generally, users don’t have group 0 as their primary group. Other types of invalid or improperly formatted entries.
User names and group names in Unix and Linux are mapped into numeric forms (UIDs and GIDs, respectively). All file ownership and processes use these numerical names for access control and identity determination throughout the operating system kernel and drivers.
Under many Unix and Linux implementations (via a shadow package), the command pwckwill perform some simple syntax checking on the password file and can identify some security problems with it. pwck will re-port invalid usernames, UIDs and GIDs, null or nonexistent home directories, invalid shells, and entries with the wrong number of fields (often indicating extra or missing colons and other typos).
Microsoft-Specific Password Issues
Windows uses two password functions a stronger one designed for Windows NT, 2000, and XP systems, and a weaker one, the LAN Manager hash, designed for back-ward compatibility with older Windows 9X networking login protocols. The latter is case-insensitive and does not allow passwords to be much stronger than seven characters, even though they may be much longer. These passwords are extremely vulnerable to cracking. On a standard desktop PC, for example, L0phtCrack can try every short alphanumeric password in a few minutes and every possible keyboard password (except for special ALT-characters) within a few days. Some security administrators have dealt with this problem by requiring stronger and stronger passwords; however, this comes at a cost (see An Argument for Simplified Passwords).
In addition to implementing policies that require users to choose strong passwords, the CERT Coordination Center provides guidelines for securing passwords on Windows systems (CERT, 2002): Using SYSKEY enables the private password data stored in the registry to be encrypted using a 128-bit cryptographic key. This is a unique key for each system.

By default, the administrator account is never locked out; so it is generally a target for brute force logon attempts of intruders. It is possible to rename the account in User Manager, but it may be desirable to lock out the administrator account after a set number of failed at-tempts over the network. The NT Resource Kit provides an application called passprop.exethat enables Administrator account lockout except for interactive logons on a domain controller.

Another alternative that avoids all accounts belonging to the Administrator group being locked over the network is to create a local account that belongs to the Administrator group, but is not allowed to log on over the network. This account may then be used at the console to unlock the other accounts.

The Guest account should be disabled. If this account is enabled, anonymous connections can be made to NT computers. The Emergency Repair Disk should be secured, as it contains a copy of the entire SAM database. If a malicious user has access to the disk, he or she may be able to launch a crack attack against it.

Password-Cracking Times
Let us start with a typical password of six characters. When this password is entered into a system’s authentication mechanism, the system hashes it and stores the hashed value. The hash, a fixed-sized string derived from some arbitrarily long string of text, is generated by a formula in such a way that it is extremely unlikely that other texts will produce the same hash value unlikely, but not impossible. Because passwords are not arbitrarily long they are generally 4 to 12 characters this reduces the search space for finding a matching hash. In other words, an attacker’s password-cracking program does not need to calculate every possible combination of six character passwords. It only needs to find a hash of a six-character ASCII-printable password that matches the hash stored in the password file or sniffed off the network.
Because an attacker cannot try to guess passwords at a high rate through the standard user interface (as mentioned earlier, the time to enter them is prohibitive, and most systems can be configured to lock the user out after too many wrong attempts), one may assume that the attacker will get them either by capturing the system pass-word file or by sniffing (monitoring communications) on a network segment. Each character in a password is a byte.

One does not typically need to consider characters with a leading zero in the highest order bit, because print-able ASCII characters are in codes 32 through 126. ASCII codes 0–31 and 127 are unprintable characters, and 128–255 are special ALT-characters that are not generally used for passwords. This leaves 95 printable ASCII characters.
If there are 95 possible choices for each of the six password characters, this makes the password space 956 = 735, 091, 890, 625 combinations. Modern computers are capable of making more than 10 billion calculations per second. It has been conjectured that agencies such as the NSA have password-cracking machines (or several machines working in parallel) that could hash and check passwords at a rate of 1 billion per second. How fast could an attacker check every possible combination of six-character passwords? 735,091,890,625/1,000,000,000 = about 12 minutes (see Table 2).
What if the system forces everyone to use a seven-character password? Then it would take the attacker 19 hours to brute-force every possible password. Many Windows networks fall under this category. Due to the LAN Manager issue, passwords on these systems cannot be much stronger than seven characters. Thus, it can be assumed that any password sent on a Windows system using LAN Manager can be cracked within a day. What if the system enforces eight-character passwords? Then it would take 77 days to brute-force them all. If a system’s standard policy is to require users to change passwords every 90 days, this may not be sufficient.
Choosing a longer password does not help much on systems with limitations such as the LAN Manager hash is-sue. It also does not help if a password is susceptible to a dictionary or hybrid attack. It only works if the password appears to be a random string of symbols, but that can be difficult to remember.

A classic study by psychologist George Miller showed that humans work best with the magic number 7 (plus or minus 2). So it stands to reason that once a password exceeds nine characters, the user is going to have a hard time remembering it (Miller, 1956).
Here is one idea for remembering a longer password. Security professionals generally advise people never to write down their passwords. But the user could write down half of it—the part that looks like random letters and numbers and keep it in a wallet or desk drawer. The other part could be memorized—perhaps it could be a misspelled dictionary word or the initials for an acquaintance, or something similarly memorable. When concatenated together, the resulting password could be much longer than nine characters, and therefore presumably stronger.
Some researchers have asserted that the brain remembers images more easily than letters or numbers. Thus, some new schemes use sequences of graphical symbols for passwords. For example, a system called PassFace, developed by RealUser, replaces the letters and numbers in passwords with sequences or groups of human faces. It

Table 2 Password Cracking Times

Number of Chars in Password

Number of Possible Combinations of 95 Printable ASCII Chars

Time to Crack (in hours)a

Number of Possible Combinations of All 256 ASCII Chars

Time to Crack (in hours)a






















































































aAssume 1 billion hash & check operations/second.

is one of several applications that rely on graphical images for the purpose of authentication. Another company, Passlogix, has a system in which users can mix drinks in a virtual saloon or concoct chemical compounds using an onscreen periodic table of elements as a way to log onto computer networks.
Employing all of the guidelines for a strong password (length, mix of upper and lower case, numbers, punctuation, no dictionary words, no personal information, etc.) as outlined in this chapter may not be necessary after all.
This is because, according to security expert and TruSecure Chief Technology Officer Peter Tippett, statistics show that strong password policies only work for smaller organizations (Tippett, 2001). Suppose a 1,000-user organization has implemented such a strong password pol-icy.

On average, only half of the users will actually use passwords that satisfy the policy. Perhaps if the organization frequently reminds its users of the policy, and implements special software that will not allow users to have “weak” passwords, this figure can be raised to 90%. It is rare that such software can be deployed on all devices that use passwords for authentication; thus there are always some loopholes. Even with 90% compliance, this still leaves 100 easily guessed User/ID password pairs. Is 100 better than 500? No, because either way, an attacker can gain access. When it comes to strong passwords, anything less than 100% compliance allows an attacker entr´etothe system.

Second, with modern processing power, even strong passwords are no match for current password crackers. The combination of 2.5-gigahertz clock speed desktop computers and constantly improving hash dictionaries and algorithms means that, even if 100% of the 1,000 users had passwords that met the policy, a password cracker might still be able to defeat them. Although some user ID/password pairs may take days or weeks to crack, approximately 150 of the 1000, or 15%, can usually be brute-forced in a few hours.
In addition, strong passwords are expensive to maintain. Organizations spend a great deal of money supporting strong passwords. One of the highest costs of maintaining IT help desks is related to resetting forgotten user passwords. Typically, the stronger the password (i.e., the more random), the harder it is to remember. The harder it is to remember, the more help desk calls result. Help desk calls require staffing, and staffing costs money. According to estimates from such technology analysts as the Gartner Group and MetaGroup, the cost to businesses for re-setting passwords is between $50 and $300 per computer user each year (Salkever, 2001).
So, for most organizations, the following might be a better idea than implementing strong password policy: Simply recognize that 95% of users could use simple (but not basic) passwords—that is, good enough to keep a casual attacker (not a sophisticated password cracker) from guessing them within five attempts while sitting at a key-board. This could be four or five characters (no names or initials), and changed perhaps once a year. In practical terms, this type of password is equivalent to the current “strong” passwords. The benefit is that it is much easier and cheaper to maintain.
Under this scenario, a system could still reserve stronger passwords for the 5% of system administrators who wield extensive control over many accounts or devices. In addition, a system should make the password file very difficult to steal. Security administrators should also introduce measures to mitigate sniffing, such as network segmentation and desktop automated inventory for sniffers and other tools. Finally, for strongest security, a system could encrypt all network traffic with IPSec on every desktop and server.
Dr. Tippett states: “If the Promised Land is robust authentication, you can’t get there with passwords alone, no matter how ‘strong’ they are. If you want to cut costs and solve problems, think clearly about the vulnerability, threat and cost of each risk, as well as the costs of the purported mitigation. Then find a way to make mitigation cheaper with more of a security impact” (Tippett, 2001).
Passwords have been widely used in computing systems since the 1960s; password security issues have followed closely behind. Now, the increased and very real threat of cyber crime necessitates higher security for many net-works that previously seemed safe. Guaranteeing accountability on networks—i.e., uniquely identifying and authenticating users’ identities—is a fundamental need for modern e-commerce. Strengthening password security should be major goal in an organization’s overall security framework.

Basic precautions (policies, procedures, filtering mechanisms, encryption) can help reduce risks from password weaknesses. However, lack of user buy in and the rapid growth of sophisticated cracking tools may make any measure taken short-lived. Additional measures, such as biometrics, certificates, tokens, smart cards, and other means can be very effective for strengthening authentication, but the tradeoff is additional financial bur-den and overhead. It is not always an easy task to convince management of inherent return on these technologies, relative to other system priorities. In these instances, organizations must secure their passwords accordingly and do the best they can with available resources.
Access control The process of limiting access to system
information or resources to authorized users.

Accountability The property of systems security that enables activities on a system to be traced to individuals who can then be held responsible for their actions.

ARPANET The network first constructed by the Advanced Research Projects Agency of the U.S. Department of Defense (ARPA), which eventually developed into the Internet.

Biometrics Technologies for measuring and analyzing living human characteristics, such as fingerprints, especially for authentication purposes. Bio metrics are seen as a replacement for or augmentation of password security.

Birthday paradox The concept that it is easier to find two unspecified values that match than it is to find a match to some particular value. For example, in a room of 25 people, if one person tried to find another person with the same birthday, there would be little chance of a match. However, there is a very good chance that some pair of people in the room will have the same birthday.

Brute force A method of breaking decryption by trying every possible key. The feasibility of a brute-force attack depends on the key length of the cipher and on the amount of computational power available to the at-tacker. In password cracking, tools typically use brute force to crack password hashes after attempting dictionary and hybrid attacks to try every remaining possible combination of characters.

CERT Computer Emergency Response Team. An organization that provides Internet security expertise to the public. CERT is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. Its work includes handling computer security incidents and vulnerabilities and publishing security alerts.

Cipher A cryptographic algorithm that encodes units
of plaintext into encrypted text (or ciphertext) through various methods of diffusion and substitution.

Ciphertext An encrypted file or message. After plaintext has undergone encryption to disguise its contents, it becomes ciphertext.has undergone encryption to disguise its contents, it becomes ciphertext.

Crack, cracking Traditionally, using illicit (unauthorized) actions to break into a computer system for malicious purposes. More recently, either the art or science of trying to guess passwords, or copying commercial software illegally by breaking its copy protection.

CTSS Compatible Time Sharing System. An IBM 7094 time sharing operating system created at MIT Project MAC and first demonstrated in 1961. May have been the first system to use passwords.

Dictionary attack A password cracking technique in which the cracker creates or obtains a list of words, names, etc., derives hashes from the words in the list, and compares the hashes with those captured from a system user database or by sniffing.

Entropy In information theory, a measure of uncertainty or randomness. The work of Claude Shannon defines it in bits per symbol.
Green Book The 1985 U.S. DoD CSC-STD-002–85 publication Password Management Guideline, which defines good practices for safe handling of passwords in a computer system.

Hybrid attack A password cracking technique that usually takes place after a dictionary attack. In this attack, a tool will typically iterate through its word list again using adding certain combinations of a few characters to the beginning and end of each word prior to hashing. This attempt gleans any passwords that a user has created by simply appending random characters to a common word.

Kerberos A network authentication protocol developed at MIT to provide strong authentication for client/server applications using secret-key cryptography. It keeps passwords from being sent in the clear during network communications and requires users to obtain “tickets” to use network services.

MAC Message authentication code, a small block of data derived by using a cryptographic algorithm and secret key that provide a cryptographic checksum for the in-put data. MACs based on cryptographic hash functions are known as HMACs.

Moore’s Law An observation named for Intel cofounder Gordon Moore that the number of transistors per square inch of an integrated circuit has doubled every year since integrated circuits were invented. This “law” has also variously been applied to processor speed, memory size, etc.

Nonce A random number that is used once in a challenge–response handshake and then discarded. The one-time use ensures that an attacker cannot inject messages from a previous exchange and appear to be a legitimate user (see Replay Attack).

One-way hash A fixed sized string derived from some arbitrarily long string of text, generated by a formula in such a way that it is extremely unlikely that other texts will produce the same hash value.

One-time password Also called OTP. A system that requires authentication that is secure against passive attacks based on replaying captured reusable pass-words. In the modern sense, OTP evolved from Bell-core’s S/KEY and is described in RFC 1938.

Orange Book 1983 U.S. DoD 5200.28-STD publication,Trusted Computer System Evaluation Criteria, which defined the assurance requirements for security protection of computer systems processing classified or other sensitive information. Superseded by the Common Criteria.

Password synchronization A scheme to ensure that a known password is propagated to other target applications. If a user’s password changes for one application, it also changes for the other applications that the user is allowed to log onto.

Plaintext A message or file to be encrypted. After it is encrypted, it becomes ciphertext.
Promiscuous mode A manner of running a network device (especially a monitoring device or sniffer) in such a way that it is able to intercept and read every net-work packet, regardless of its destination address. Contrast with non promiscuous mode, in which a device only accepts and reads packets that are addressed to it.

Replay attack An attack in which a valid data transmission is captured and retransmitted in an attempt to circumvent an authentication protocol.
Salt A random string that is concatenated with a password before it is operated on by a oneway hashing function. It can prevent collisions by uniquely identifying a user’s password, even if another user has the same password. It also makes hash-matching attack strategies more difficult because it prevents an attacker from testing known dictionary words across an entire system.

SAM Security Account Manager. On Windows systems, the secure portion of the system registry that stores user account information, including a hash of the user account password. The SAM is restricted via access control measures to administrators only and may be further protected using SYSKEY.

Shadow password file In the Unix or Linux, a system file in which encrypted user passwords are stored so they are inaccessible to unauthorized users.
Single sign-on A mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems on which that user has access permission, without the need to enter multiple passwords.
Sniffing The processes of monitoring communications on a network segment via a wire-tap device (either software or hardware). Typically, a sniffer also has some sort of “protocol analyzer” which allows it to decode the computer traffic on which it’s eavesdropping and make sense of it.

Social engineering An outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to gain the information (e.g., user IDs and passwords) needed to gain access to a system.

SSH Secure Shell. An application that allows users to login to another computer over a network and execute remote commands (as in rlogin and rsh) and move files (as in ftp). It provides strong authentication and secure communications over unsecured channels.

SSL Secure Sockets Layer. A network session layer protocol developed by Netscape Communications Corp. to provide security and privacy over the Internet. It sup-ports server and client authentication, primarily for HTTP communications. SSL is able to negotiate encryption keys as well as authenticate the server to the client before data is exchanged.

SYSKEY On Windows systems, a tool that provides encryption of account password hash information to prevent administrators from intentionally or unintentionally accessing these hashes using system registry programming interfaces.


See Authentication; Biometric Authentication; Computer Security Incident Response Teams (CSIRTs); Digital Signatures and Electronic Signatures; Disaster Recovery Planning; Encryption; Guidelines for a Comprehensive Security System; Public Key Infrastructure (PKI); Secure Sockets Layer (SSL).


Brotzman, R. L. (1985). Password management guideline
(Green Book). Fort George G. Meade, MD: Department of Defense Computer Security Center.
Brown, A. (2002). U.K. study: Passwords often easy to crack. Retrieved 2002 from Web site: passwords/index.html

CERT Coordination Center (2002). Windows NT configuration guidelines. Retrieved 2002 from CERT Web site: tips/win configuration guidelines.html

Federation of American Scientists (FAS) (n.d.). Retrieved May 16, 2003, from 2000 hr/030200 mitnick.htm
Latham, D. C. (1985). Trusted computer system evoluation criteria (Orange Book). Fort George G. Meade, MD: Department of Defense National Computer Security Center.

Miller, G. A. (1956). The magical number seven, plus or minus two: Some limits on our capacity for processing information. The Psychological Review, 63, 81–97.

Salkever, A. (2001). Picture this: A password you never forget. Retrieved 2001 from Web site: 060.html

Sloane, N. J. A., & Wyner, A. D. (Eds.). (1993). Claude Elwood Shannon: Collected papers. New York: IEEE Press.
Tippett, P. (2001).

Stronger passwords aren’t. Information Security. Retrieved 2001 from TruSecure Corporation Web site: executive view.shtml

US v. ElcomSoft & Sklyarov FAQ. Retrieved May 23, 2003, from v Elcomsoft/us v elcomsoft faq.html
Zatko, P. “Mudge” (1999b). Vulnerabilities in the S/KEY one time password system. Retrieved 1999 from L0pht Heavy Industries, Inc., Web site: http://www.unix.geek.∼arny/junk/skeyflaws.html

Post Credited From Encyclopedia Of Communication & Internet

Source Encyclopedia Of Internet Page 43 to 48

Share With Your Friends in Social Networks Thanks For Your Visit

the Knowledge

Leave a Reply

Your email address will not be published. Required fields are marked *