Making passwords secure
Passwords are the most common way to control access to computer systems
and networks. When system users can select their own passwords, they naturally
opt for easily remembered constructions. This leads to two related problems:
easily guessed passwords and the use of dictionary words.
When allowed complete freedom in choosing passwords, an astonishing
number of people choose some variation of their own name. A quick tour of
an organization's parking lot will usually yield a few vanity license plates,
which often turn up as passwords. On one network, security analysts found
that two users merely hit the return key when prompted to enter their passwords.
Sophisticated intruders, recognizing these proclivities, try such passwords
first when breaking into a system. They also try the default passwords set
by the manufacturers, realizing that a few system operators are still uninformed
or lazy enough not to have changed the default passwords.
If all else fails, determined hackers will try every word in a standard
dictionary. This is not as difficult as it might sound because computers
are easily programmed to perform the trials. If the stored passwords are encrypted
(in practice, run through a one-way hash), hackers simply encrypt every word in
the dictionary the same way, spelled forward and backward for good measure, and
compare the results against the stored values. When a match is obtained,
a hacker can easily recover the word he or she had to encrypt to get the
Experience shows that when personnel choose their own passwords, two-thirds
or more of the passwords can be recovered by a program that tries obvious
choices and dictionary words. Hackers don't even have to write these programs
because many are readily available on bulletin boards known to the hacker
community, and the programs are free.
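The offline attack described above, as an added example that is not from the article: a constructed password file of one-way hashed passwords is attacked with the obvious guesses (empty password, the username, reversed username), a short list of vendor defaults, and a dictionary tried forward and backward in several case variants. The password file, the word lists and the use of unsalted SHA-256 as the stored transformation are all assumptions made for the demonstration.

```python
"""Offline dictionary attack against a file of hashed passwords.

Added example: the password file, the word list and the vendor defaults
below are constructed for this demonstration, and unsalted SHA-256 stands
in for whatever one-way transformation the system stores.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple


def digest(password: str) -> str:
    """Unsalted SHA-256 of the password. Assumption: no per-user salt, so one
    hash per guess can be compared against every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed password file: username -> stored hash.
PASSWORD_FILE: Dict[str, str] = {
    "alice": digest("alice"),        # a variation of her own name
    "bob": digest(""),               # just hit the return key
    "carol": digest("terces"),       # a dictionary word spelled backward
    "dave": digest("admin"),         # a manufacturer's default, never changed
    "erin": digest("q7#Lr2!vZp9w"),  # mixed case, digits, punctuation
}

# Constructed lists standing in for a standard dictionary and a list of
# well-known vendor defaults.
DICTIONARY: List[str] = ["secret", "password", "letmein", "sunshine", "dragon"]
VENDOR_DEFAULTS: List[str] = ["admin", "manager", "service", "field"]


def obvious_guesses(username: str) -> Iterator[str]:
    """The guesses a knowledgeable intruder tries first for a given account."""
    yield ""                      # empty password
    yield username
    yield username[::-1]
    yield username.capitalize()
    yield username + "1"


def dictionary_guesses(words: Iterable[str]) -> Iterator[str]:
    """Every word forward and backward, in the case variants people use."""
    for word in words:
        for w in (word, word[::-1]):
            yield w
            yield w.capitalize()
            yield w.upper()


def crack(password_file: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Return (username -> recovered password) for every account whose stored
    hash matches a guess, plus the number of hash computations performed."""
    recovered: Dict[str, str] = {}
    trials = 0
    # Guesses that do not depend on the user are hashed once and looked up
    # against every account (this is what the absence of a salt buys the attacker).
    hash_to_users: Dict[str, List[str]] = {}
    for user, stored in password_file.items():
        hash_to_users.setdefault(stored, []).append(user)
    shared = list(VENDOR_DEFAULTS) + list(dictionary_guesses(DICTIONARY))
    for guess in shared:
        trials += 1
        for user in hash_to_users.get(digest(guess), []):
            recovered.setdefault(user, guess)
    # Per-account guesses depend on the username.
    for user, stored in password_file.items():
        if user in recovered:
            continue
        for guess in obvious_guesses(user):
            trials += 1
            if digest(guess) == stored:
                recovered[user] = guess
                break
    return recovered, trials


if __name__ == "__main__":
    found, n = crack(PASSWORD_FILE)
    print(f"{len(found)} of {len(PASSWORD_FILE)} passwords recovered in {n} trials")
    for user, pw in sorted(found.items()):
        print(f"  {user}: {pw!r}")
```

Four of the five constructed accounts fall in a few dozen trials; only the password built from mixed case, digits and punctuation survives. A per-user salt would force the attacker to hash every guess once per account rather than once for the whole file, and a deliberately slow hash would multiply the cost of each trial.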
Better passwords include a change of case (capital letters versus small
letters) and mix in numbers and punctuation marks. Even so, when the login
protocol sends the password across the network in the clear, hackers using
a sniffer (a tool designed by network engineers to capture packets as they
traverse a network) can watch from an intermediate node as a user logs onto
a distant host. Later the hacker can use the passwords captured by the sniffer
to impersonate the legitimate user.
The best passwords are ones that are used only once. In practice, one-time
passwords require a small computer called a token that provides a number
that changes every minute or so according to a complex mathematical algorithm
called a pseudorandom number generator (PRNG).
The token is time synchronized with the access control server, which
has the same PRNG running. When the user provides the number shown by the
token, the server knows what the number should be and can decide to allow
access or not. In another version that makes time synchronization unnecessary,
the server sends a challenge to the user requesting access, and the token,
when the challenge is entered, provides the response. The server knows how
the challenge is supposed to be converted into the response. In either case,
to gain access, users have to have a token that provides a different password
each time access is requested.
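Both token schemes described above, as an added example that is not from the article. The article does not name the token's algorithm; this example uses an HMAC-SHA1 keyed with a secret shared between token and server (the construction behind today's HOTP/TOTP tokens) as the "pseudorandom number generator". The shared secret is the sample key from RFC 4226, and the clock value and one-minute step are constructed assumptions. The time-synchronized server also shows what a sniffed code is worth to an intruder: it is refused once the legitimate user has spent it, and again once its minute has passed.

```python
"""One-time password tokens: time-synchronized and challenge-response.

Added example. The token's "PRNG" is modelled as HMAC-SHA1 over a shared
secret and a counter (the HOTP construction); the secret is the sample key
from RFC 4226 and the clock values are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

STEP_SECONDS = 60   # the displayed number changes every minute or so
DIGITS = 6


def token_code(secret: bytes, counter: int) -> str:
    """Derive a DIGITS-digit code from the shared secret and a counter, which
    is either the current time step or a server challenge. Token and server
    both run this same function, so the server knows what to expect."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def time_code(secret: bytes, now: int) -> str:
    """What a time-synchronized token displays at clock value `now`."""
    return token_code(secret, now // STEP_SECONDS)


class TimeSyncServer:
    """Access-control server for time-synchronized tokens."""

    def __init__(self, secret: bytes, skew_steps: int = 1) -> None:
        self.secret = secret
        self.skew_steps = skew_steps      # tolerate slight clock drift
        self.last_step_used = -1          # a code is accepted at most once

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP_SECONDS
        for candidate in range(step - self.skew_steps, step + self.skew_steps + 1):
            if candidate <= self.last_step_used:
                continue                  # already spent: a replayed code fails here
            if hmac.compare_digest(token_code(self.secret, candidate), code):
                self.last_step_used = candidate
                return True
        return False


class ChallengeResponseServer:
    """Access-control server that sends a challenge and checks the response;
    no clock synchronization is needed."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.pending: Optional[int] = None

    def issue_challenge(self) -> int:
        self.pending = secrets.randbits(32)
        return self.pending

    def verify(self, response: str) -> bool:
        if self.pending is None:
            return False                  # nothing outstanding to answer
        expected = token_code(self.secret, self.pending)
        self.pending = None               # each challenge is answered at most once
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    secret = b"12345678901234567890"      # RFC 4226 sample secret, shared by token and server
    now = 1_700_000_000                   # constructed clock value (seconds since the epoch)

    ts = TimeSyncServer(secret)
    shown = time_code(secret, now)        # the number on the token's display
    results = {
        "time_sync_login": ts.verify(shown, now + 5),           # user types it in
        "time_sync_replay_same_minute": ts.verify(shown, now + 20),  # sniffer replays it
        "time_sync_replay_later": ts.verify(shown, now + 600),   # ten minutes later
        "time_sync_fresh_code": ts.verify(time_code(secret, now + 600), now + 600),
    }

    cr = ChallengeResponseServer(secret)
    challenge = cr.issue_challenge()      # server -> user
    response = token_code(secret, challenge)  # user keys challenge into token
    results["challenge_response_login"] = cr.verify(response)
    results["challenge_response_replay"] = cr.verify(response)  # no challenge pending
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The one-step skew allowance is a practical concession to clock drift between token and server; the `last_step_used` bookkeeping is what keeps that allowance from turning a captured code into a working one.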
— Ryan is an attorney, a businessman and a member of the faculty of George