Making passwords secure

Passwords are the most common way to control access to computer systems

and networks. When system users can select their own passwords, they naturally

opt for easily remembered constructions. This leads to two related problems:

easily guessed passwords and the use of dictionary words.

When allowed complete freedom in choosing passwords, an astonishing

number of people choose some variation of their own name. A quick tour of

an organization's parking lot will usually yield a few vanity license plates,

which often turn up as passwords. On one network, security analysts found

that two users merely hit the return key when prompted to enter their passwords.

Sophisticated intruders, recognizing these proclivities, try such passwords

first when breaking into a system. They also try the default passwords set

by the manufacturers, realizing that a few system operators are still uninformed

or lazy enough not to have changed the default passwords.

If all else fails, determined hackers will try every word in a standard

diction-ary. This is not as difficult as it might sound because computers

are easily programmed to perform the trials. If the passwords are encrypted,

hackers will simply encrypt every word in the dictionary, spelled forward

and backward for good measure, and try them all. When a match is obtained,

a hacker can easily recover the word he or she had to encrypt to get the

match.

Experience shows that when personnel choose their own passwords, two-thirds

or more of the passwords can be recovered by a program that tries obvious

choices and dictionary words. Hackers don't even have to write these programs

because many are readily available on bulletin boards known to the hacker

community, and the programs are free.

Better passwords include a change of case (capital letters versus small

letters) and a mix in numbers and punctuation marks. Even so, hackers using

a sniffer (a tool designed by network engineers to capture packets as they

traverse a network) can watch from an intermediate node as a user logs onto

a distant host. Later the hacker can use the passwords captured by the sniffer

to impersonate the legitimate user.

The best passwords are ones that are used only once. In practice, one-time

passwords require a small computer called a token that provides a number

that changes every minute or so according to a complex mathematical algorithm

called a pseudorandom number generator (PNG).

The token is time synchronized with the access control server, which

has the same PNG running. When the user provides the number shown by the

token, the server knows what the number should be and can decide to allow

access or not. In another version that makes time synchronization unnecessary,

the server sends a challenge to the user requesting access, and the token,

when the challenge is entered, provides the response. The server knows how

the challenge is supposed to be converted into the response. In either case,

to gain access, users have to have a token that provides a different password

each time access is requested.

— Ryan is an attorney, a businessman and a member of the faculty of George

Washington University.

Featured

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.