Hackers can crack most passwords in less than a minute
By Rob Lemos, Staff Writer, CNET News.com
May 22, 2002, 4:00 a.m. PT
When a regional health care company called in network
protection firm Neohapsis to find the vulnerabilities in its
systems, the Chicago-based security company knew a sure place to
look.
Retrieving the password file from one of the health care
company's servers, the consulting firm put "John the Ripper," a
well-known cracking program, on the case. While well-chosen
passwords could take years--if not decades--of computer time to
crack, it took the program only an hour to decipher 30 percent of
the passwords for the nearly 10,000 accounts listed in the file.
"Just about every company that we have gone into, even large
multinationals, has a high percentage of accounts with easily
(cracked) passwords," said Greg Shipley, director of consulting for
Neohapsis. "We have yet to
see a company whose employees don't pick bad passwords."
Fortune 100 corporations, small firms and even Internet service
providers with strong security have an Achilles heel: users who pick
easily guessable passwords. Some choose words straight out of
Webster's dictionary, others use a pet's name, and still more choose
the name of a secret lover. Many who think themselves tricky append
a digit or two on the end of their chosen word. Such feeble attempts
at deception are no match for today's computers, which are capable
of trying millions of word variations per second and often can guess
a good number of passwords in less than a minute.
Treasure trove of magic words
For network intruders,
that's a gold mine. Bad passwords don't necessarily make it easier
to break into a company's network, but for hackers able to gain
access to a corporate computer by other means, they're a treasure
trove. Passwords discovered on one server will frequently open the
way to other servers, and with the digital keys to a large fraction
of the accounts on the network, an intruder can wander about with
impunity and with the appearance of being a legitimate user.
That's why network attackers grab passwords as soon as they can.
Some viruses and worms send an infected computer's password file
back to the creator. This week, a worm known as DoubleTap is doing
just that, squirming its way into computers with Microsoft's SQL
Server 7.0 installed. The 1i0n worm, which spread among Linux
servers in early 2001, grabbed password files, and the SirCam
virus, in some cases, could send off the system's passwords as well.
Even the most paranoid security group and high-tech digital
fences can't do much if the CEO secures his critical files with
"god123." Worse, most companies and organizations still rely on a
password--and nothing else--to authenticate their employees.
In security circles, experts have been studying the problem for
decades.
In the pre-Internet Age of 1979, when storage was measured in the
number of bits that could fit on a foot of magnetic tape, a seminal
paper on password security found that a third of users'
passwords could be broken in less than five minutes.
A search to find an eight-character password of random letters
and digits would take 66 years on average for the big gun of the
day, the PDP-11/70, which could crunch through nearly 50,000
combinations a minute in a brute-force search.
Yet the study found that users almost invariably chose bad
passwords, leading to shortcuts for anyone attacking the security of
the system.
Of nearly 3,300 passwords examined, the paper's authors, Ken
Thompson and Robert Morris Sr., found about 17 percent consisted of
three characters or less, nearly 15 percent had four characters that
were a letter or a digit, and another 15 percent appeared in one of
the dictionaries available at the time. In total, nearly half the
passwords could be found in a search lasting less than six hours.
Make no mistake: An eight-character password could be very
secure, even if attacked by today's high-speed computers.
There are more than 6.6 quadrillion different eight-character
passwords using the 95 printable ASCII characters. Though some
password-cracking programs can test nearly 8 million combinations
every second on the latest Pentium 4 processor, breaking an
eight-character password would still take more than 13 years on
average.
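As an added illustration that is not part of the original article, the Python below audits a constructed password list against the weak categories the article cites from Morris and Thompson and from field experience (tiny passwords, four-character alphanumerics, dictionary words, a word with a few digits tacked on), and sizes the brute-force search for anything that survives using the article's figure of 8 million guesses per second. The word list is a constructed stand-in; a real audit would load a full dictionary.

```python
import string

# Constructed stand-in for a dictionary word list; a real audit loads a full one.
WORDLIST = {"password", "secret", "god", "dragon", "summer", "friends"}

# The 95 printable ASCII characters, split into the classes a brute-force
# search must include once a password uses any character from that class.
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation + " ")

def brute_force_keyspace(password):
    """Number of passwords of this length over the smallest covering class set."""
    alphabet = sum(len(c) for c in CHAR_CLASSES if any(ch in c for ch in password))
    return alphabet ** len(password)

def expected_crack_seconds(keyspace, guesses_per_second):
    """Average exhaustive-search time: half the keyspace at the given rate."""
    return keyspace / guesses_per_second / 2

def weak_category(password):
    """Morris and Thompson's 1979 categories plus the article's word-plus-digits
    habit; returns None when the password matches none of them."""
    p = password.lower()
    if len(p) <= 3:
        return "three characters or fewer"
    if len(p) == 4 and p.isalnum():
        return "four letters or digits"
    if p in WORDLIST:
        return "dictionary word"
    stem = p.rstrip(string.digits)  # "god123" -> "god"
    if stem != p and len(p) - len(stem) <= 3 and stem in WORDLIST:
        return "dictionary word plus digits"
    return None

def audit(passwords):
    """Fraction of weak passwords in the list and a count per category."""
    counts = {}
    for pw in passwords:
        cat = weak_category(pw) or "not trivially guessable"
        counts[cat] = counts.get(cat, 0) + 1
    weak = len(passwords) - counts.get("not trivially guessable", 0)
    return weak / len(passwords), counts

# Constructed sample; in practice this is the output of a cracking run.
SAMPLE_PASSWORDS = ["god123", "abc", "ab12", "Secret", "dragon1",
                    "summer99", "fD!Fg7a", "wX%95qd!"]

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWORDS))
    print(expected_crack_seconds(95 ** 8, 8_000_000) / (365.25 * 86400), "years")
```

The last line reproduces the article's estimate: a random eight-character password over all 95 printable characters averages a little over 13 years at 8 million guesses per second, while three quarters of the constructed sample falls to the cheap checks before any brute force begins.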
In fact, operating systems have evolved in the past two decades
to increase the security surrounding passwords. At one time, anyone
could read the password file--the collection of encrypted keys for
the system's software locks--making it easy for a hacker to copy the
file for later cracking on their own computer system.
Now, operating systems typically allow only system administrators
access to read the encrypted passwords, forcing hackers to get
administrator rights on the system before they can grab the file. In
addition, "three strikes" login rules have become common, locking
out users who fail to provide the correct passwords in the first few
attempts.
Digital domino effect
While such defenses have made
hacking attempts based on repetitive password guesses using a list
of common words--known as a dictionary attack--less feasible, such
attacks are invaluable to hackers as a way of broadening access to a
network. A single server or PC breached by an intruder can yield
passwords reused on other systems in the network, bypassing the
security on the systems in a digital domino effect.
The only defense is to make passwords nearly impossible to guess,
but such strength requires that the password be selected in a
totally random fashion. That's a tall order for humans, said David
Evans, an assistant professor of computer science at the University
of Virginia.
"When humans make passwords, (they) are not very good at making
up randomness," he said.
Furthermore, because people usually have several passwords to
keep track of, locking user accounts with random, but
difficult-to-remember, strings of characters such as "wX%95qd!" is a
recipe for a support headache.
"The idea is to make something that is easy to remember but that
will make up a good password," he said.
Many security administrators focus their efforts on teaching
users how to use various mnemonics to create strong, but memorable,
passwords. A common technique takes the first or last letter of each
word in a saying or phrase familiar to the user. For example, by
using random capitalization and substituting some punctuation marks
and digits for letters, "Friends don't let friends give tech advice"
might become "fD!Fg7a."
The education doesn't seem to be sticking, and the password
problem is getting worse as the percentage of less-tech-savvy
computer users increases.
Giving away the keys
A recent study by security firm PentaSafe Security Technologies
found that four out of five workers would disclose their passwords
to someone in the company, if asked.
That's the good news. Another study by the same company found
that nearly two-thirds of the workers polled at Victoria Station in
London gave the pollster their passwords when asked. Their reward? A
cheap pen.
Little wonder then that companies are becoming increasingly
worried that the keys to their information kingdom are being handled
so poorly.
"Passwords are one of the biggest security problems that
corporate America has," said Chris Pick, associate vice president
for product strategy at PentaSafe. "Employees should at least know
their company's password policy, but they don't."
In fact, potential intruders value a password far more than the
single computer it's protecting. A hacker who can get the password
list from a server or PC can use those passwords to gain access to
other computers on the network, bypassing all the high-tech security
erected to keep him out. Moreover, once an intruder has collected
the digital keys to a network, it's very hard for administrators to
lock him back out.
"There are some ISPs who have had 40,000 passwords stolen," said
Neohapsis' Shipley. "They are not going to tell all their users to
change their passwords." Doing so would only alert a hacker that he
has been detected, Shipley said, and the ISP has no way of knowing
if a legitimate user or the illicit trespasser has changed an
account's password.
"It's a support nightmare," Shipley said. "That's one hacker you
aren't getting out of the system."
The best solution is to not let them in. To block hackers,
security companies and researchers are increasingly focusing on
strengthening the weak link posed by passwords.
Many corporations have boosted user education, concentrating on
drilling their employees in the company's password policy. Such
policies determine what a valid password is, the minimum number of
characters in the string, and how often the keys to the account have
to be changed.
That still doesn't make the passwords any more memorable,
researchers say.
Picture this
"The human limitation with precise recall
is in direct conflict with the requirements of strong passwords,"
wrote University of California at Berkeley students Rachna Dhamija
and Adrian Perrig in a recent paper discussing the possibility of a
graphical password system called Deja Vu.
Dhamija and Perrig, as well as several other researchers, are
looking to capitalize on users' visual recall, rather than their
ability to memorize characters. Deja Vu creates collections of
digital art from which a user chooses several selections; then the
system trains the user to remember the selections.
Researchers at Microsoft, Lucent Technologies, New York
University and the University of Virginia, among others, have
studied techniques for creating graphical passwords.
Such systems have problems as well. While the resulting password
tends to be more random than one made of characters, the user
training has to be done in secret or others might be able to view
the sequence of images that make up the password. Moreover, the same
attributes that make graphical passwords easier to remember for the
user make them easier to pick up by, say, a not-so-friendly
co-worker looking over someone's shoulder, said Chris Wysopal,
director of research and development for digital security firm @Stake.
"Pictures are going to be easier to shoulder-surf than keyboard
passwords," Wysopal said, adding that weaknesses in how such
passwords are stored on the computer system could also make them
vulnerable to cracking attempts.
While research has focused on creating new types of passwords,
businesses are attempting to tackle the problem with software
products that allow a single, strong password to be used to access
all the services on a network. By letting users focus on just
memorizing a single password, the onus for security is on the
administrators who must force users to pick a strong password and
change it frequently.
This system has its own drawback, of course. A hacker able to
wheedle a single password from a user gains access to everything
that person had permission to use. That has many nervous companies
adopting so-called two-factor authentication, where the second
factor is a chip card or biometric. For the extremely security
conscious, three-factor authentication is available as well.
"If you want real high-level security," said University of
Virginia's Evans, "people can authenticate themselves with something
they know, like a password; something they have, like a smart card;
and something they are, like a biometric."
With fingerprint scanners and smart-card readers still not a
common option on computers, such technology isn't an immediate
solution, said Chris Christiansen, an analyst with market researcher
IDC.
"There is a huge, huge range of alternatives to passwords," he
said. "But nobody thinks passwords are going to go away."
Until better alternatives are adopted, the users--and the
passwords they choose--continue to be the greatest
vulnerability.