IS YOUR PASSWORD SECURE??
DISCLAIMER: What follows is generic in nature and cannot
be applied to every system because of their inherent diversity. It is meant
solely as a guide of an informative nature. Specific situations and their
solutions can only be addressed when provided the specifics. For those
desiring specific information and doubting or questioning any of the
information I provide, I will gladly provide verifiable references who
can substantiate what follows. (Updated
10-Dec-97)
It's Probably Not! What's in a password? You know, that
gobbledygook you have to type in to login to a network and even
get your mail. Let's hope it's just that, gobbledygook. Let's look
at why. Unfortunately even with automated logins, people change
them to something they can more easily remember! I hope internet users,
their Internet Service Providers (ISP's) along with their support
personnel read this and take heed.
Unfortunately, there are those malcontents out there who take great
pleasure in being electronic vandals of sorts. They like to find people's
passwords, log in to their accounts and cause general overall havoc.
I won't go into how these little crackers get them but it's easier than
you think on most systems. Here are some examples. You might find you may
already have been a victim.
- Case 1. Did you ever go to log in and find that you couldn't
and the system told you it was because your password was invalid, yet
you knew you were using the right one?
- Case 2. Did you ever find your monthly bill a lot higher than
what you knew it should have been from your Internet Service Provider
(ISP)?
- Case 3. Have you ever received a lot of hate mail or complaints
about e-mail you never wrote but people say it was from you?
- Case 4. Did you log on and find all your files missing or deleted?
You know, things like your website files, or everything, etc.?
If you have been victim to any of the above, the odds are it was because
someone stole your password! Before you go hollering to your ISP, please
understand that in most cases passwords are encrypted so no one, including
your ISP, can look at them. So how do people steal them if they
are encrypted?
I won't go into the details except to say it can be time consuming at
worst yet it can also be relatively easy. I say relatively easy because
it's the users themselves that can make breaking them very easy at
times because of the passwords they choose when they change them.
The Flaw
Here's the flaw in the system. The user. Normally the ISP provides you
with a password that's typically 7-8 or more characters of gobbledygook.
This is intentional.
Why, you ask. It's because of the way electronic
vandals break encrypted passwords. They typically use lists of
commonly used names, words, phrases, numbers, and other items
that make sense to most people. This list may contain as few as 8,000
common passwords and generate a success rate of over 10% on many systems.
This is because people like to have a password that can be easily
remembered like a name instead of gobbledygook. That's
the pitfall. With rare exceptions, most of you won't sacrifice a little
inconvenience for your own security. We'll get into what you can do in
a minute. The problem is these commonly available lists can narrow a
cracker's guesses at a common password to just a few minutes of their time
for one user or maybe even a couple hours' work on an entire system. You
have to understand that even if the list used contained several million
items of commonly used names, numbers, places, phrases, etc., no matter
what language or how long your password, the cracker will still have some
degree of success with it using little time. See the rules presented
later.
The Numbers Game
Let's look at why you need to keep the gobbledygook. This is a little
technical but if you like numbers, it can be fun. It will also illustrate
some facts to help you keep a relatively secure password without fear of
it being easily stolen.
Let's look at a password. It's usually a series of letters, numbers,
and sometimes special characters. In the case of the letters, they can usually
be upper and lowercase, and the difference is recognized on most systems. This
typically gives us what can be called a character set consisting of
72 usable characters (A-Z, a-z, 0-9, plus 10 special chars.) if all can be used.
If we use upper OR lowercase only, then the charset is only
26.
Next we have something called permutations or possibilities. It is
based upon the size of the character set combined with the length of your
password. For example, a password using only upper or lowercase letters
(charset = 26) and a length of 6 means we only have to go through
308,915,776 permutations before we have used every possible
combination in the worst case. With today's PC's, this is no hard task
even if running in the background. However, if you used a combination of
upper and lowercase, numbers, and special characters like !@#$%^&*()
(charset = 72) and still 6 characters long, there are now
139,314,069,504 permutations. Still not too big a task if you are
willing to wait possibly a few days or so for the results using a high
end system. The point being, it's still relatively easy to break.
Now let's look at getting these numbers way out of hand where it would
take YEARS to find your password at best. First let's use charset 72.
Now use a password only 10 positions long. There are now a whopping
3,743,906,242,624,487,000+ permutations for your password. There's
strength in numbers!!! I don't care what PC you have, this will take years
to find providing you follow a few rules. This is all great in theory
except we have an exception here. A large majority of ISP's are running
Linux/Unix based boxes. This being the case, for these systems you are
technically limited to a password only 8 characters long at most. You may
give a 32 character long password but everything after the first 8
characters is ignored. Unfortunately, that gives a false sense of security.
Just remember the above numbers will NOT help you if you don't
follow the rules below.
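The numbers game above, worked through in code. This is an added example, not part of the original article: it reproduces the three permutation counts quoted above from the charset and length, classifies a password into the article's 72-character set, applies the 8-character crypt() truncation, and estimates how long exhausting the keyspace takes. The guess rate is a constructed round figure (one million guesses per second), chosen only because it lands near the article's "few days" for the 72^6 case; it is not a measurement of any real machine.

```python
# Added example: charset size, permutations and exhaustion time for a password.
# The guess rate below is a constructed assumption, not a measured figure.

SINGLE_CASE_CHARSET = 26   # a-z only, or A-Z only
FULL_CHARSET = 72          # A-Z, a-z, 0-9 and the ten special characters
UNIX_CRYPT_LIMIT = 8       # traditional crypt() ignores everything past position 8
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the character set a cracker must cover to reach this password,
    counted the way the article counts it (26 + 26 + 10 + 10 specials)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 10          # the article counts ten special characters
    return size


def permutations(charset: int, length: int) -> int:
    """Number of possible passwords of exactly `length` drawn from `charset` symbols."""
    return charset ** length


def effective_length(pw: str, limit: int = UNIX_CRYPT_LIMIT) -> int:
    """Length that actually matters once crypt() truncation is applied."""
    return min(len(pw), limit)


def years_to_exhaust(charset: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time, in years, to try every permutation at the given rate."""
    return permutations(charset, length) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    RATE = 1_000_000.0   # constructed assumption: one million guesses per second
    for charset, length in ((SINGLE_CASE_CHARSET, 6), (FULL_CHARSET, 6), (FULL_CHARSET, 10)):
        print(f"charset {charset:2d}, length {length:2d}: "
              f"{permutations(charset, length):>25,d} permutations, "
              f"{years_to_exhaust(charset, length, RATE):12.4f} years at {RATE:,.0f}/s")
    # A long password is cut back to 8 positions on a traditional crypt() system.
    long_pw = "K1a9T6y2-***ThisTailIsIgnored"
    print(f"{long_pw!r}: charset {charset_size(long_pw)}, "
          f"effective length {effective_length(long_pw)}")
```

The third row of the printed table is why the article says "years": at that rate the 72^10 space takes on the order of a hundred thousand years, while the single-case 6-character space is a matter of minutes.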
* THE RULES *
DO NOTS !!!
- 1. Never, never, never use a password less than six(6) characters
long. Seven(7) is better and eight(8) is best.
- 2. Never, Never, Never use a name or variation thereof alone, no matter what
language or however obscure you think it is. I can guarantee
you it's in a commonly used list.
- 3. Never, never, never use any word that may appear in any dictionary alone,
no matter what the language. Even German, with many words typically over
20 characters long, has a list.
- 4. Like names, never use numbers like birthdays and zip codes alone.
They're in lists also. While SSN's and credit card numbers are unique and
not in lists yet per se, don't use them. e.g. If I ever guess that number,
I can now literally do anything I want to control or destroy you if I were
a bad guy!
- 5. Basically, don't use anything of any literary value alone. There are lists
of movie names and characters, books, mythological characters, you
name it, it's there.
- 6. Don't use common keyboard sequences like the middle row of
asdfghjkl or variations thereof alone. They are also in lists.
- 7. Don't use Upper or lowercase only. Mix them up. I'll find - Snoopy -
in maybe a few minutes. However if you used - SnOoPy - it will take a lot
longer to find it. Related to mixing case, and 2 and 3 above, never take a
word and prefix or suffix it with a number. It's too easy to find.
- 8. If in a business and/or public environment, Never, Never, Never write
down your password anywhere around your PC. This includes saving it in a
separate file somewhere on the system.
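The DON'Ts above, expressed as a policy check an ISP or a user could run before accepting a new password. This is an added example and not the author's program or script: the word list is a tiny constructed stand-in for the "commonly used lists" the article refers to (a real check would load a large list of names, dictionary words, characters and so on), and the rule numbers in the messages refer to the list above. Rule 2 is applied case-insensitively, so a bare name like SnOoPy is still reported under rule 2 even though it passes the mixed-case test of rule 7; combinations such as K1a9T6y2-*** pass.

```python
# Added example: reject passwords that break the DON'T rules above.
import string

# Constructed stand-in for the commonly available password lists; compared
# case-insensitively so "Snoopy" and "SnOoPy" both match "snoopy".
COMMON_WORDS = {
    "bob", "snoopy", "katy", "apple", "market", "password", "secret",
    "joe", "doe", "letmein", "welcome", "dragon",
}

# Keyboard rows; a run of four or more adjacent keys (forwards or backwards)
# such as "asdf" or "jkl;" counts as a keyboard sequence.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl;", "zxcvbnm,./", "1234567890"]

MIN_LENGTH = 6   # rule 1: never less than six


def _keyboard_run(pw: str) -> bool:
    """True if pw contains four or more adjacent keys from one keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - 3):
                if seq[i:i + 4] in low:
                    return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the DON'T rules the password violates; an empty list means it passes."""
    problems = []
    low = pw.lower()
    # The word left over once leading/trailing digits and symbols are removed,
    # used to catch "word + number" constructions like katy1962.
    core = low.strip(string.digits + string.punctuation)
    letters = [c for c in pw if c.isalpha()]

    if len(pw) < MIN_LENGTH:
        problems.append("1: shorter than six characters")
    if low in COMMON_WORDS:
        problems.append("2/3: a name or dictionary word used alone")
    if pw.isdigit():
        problems.append("4: a bare number such as a date or zip code")
    if _keyboard_run(pw):
        problems.append("6: a keyboard sequence")
    if letters and (pw.islower() or pw.isupper()):
        problems.append("7: letters in a single case only")
    if core != low and core in COMMON_WORDS:
        problems.append("7: a word merely prefixed/suffixed with numbers or symbols")
    return problems


if __name__ == "__main__":
    for candidate in ("bob", "Snoopy", "SnOoPy", "katy1962-***", "K1a9T6y2-***",
                      "JDi1cD2", "asdfghjkl", "19620704"):
        verdict = check_password(candidate)
        print(f"{candidate:14s} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Because the check only needs the candidate password, it can run at password-change time (before crypt() is ever called), which is the cheapest place to enforce the rules; culling an existing password file afterwards is the fallback the article describes later.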
PLEASE DO'S !!!
- 1. I stressed the word alone above. Providing you are
reasonably secure and don't believe you will have a specific attack on your
password such as a business might, you can probably get away with combining
and mixing the DON'Ts together and receive an unbreakable result. e.g. If
you combined several names and numbers and mixed case and maybe added a - in
the sequence, unless the person attacking your password personally knew you,
it would be reasonably secure. e.g. K1a9T6y2-*** would be good. To you it
might mean Katy, born in 1962, who you rate as 3 stars, and it is easily
remembered by you! It's a lot better than katy1962-***, which would
probably be found without much effort. See the picture here. Another way, as
it was pointed out to me, is to remember a sentence. "Joe Doe is one cool dude
too" could be turned into a password of "JDi1cD2". Remember to mix case.
If it looks like it makes sense, it probably does and will be easily broken.
If you force the cracker to a brute force approach, it'll take quite
some time. By then it has changed again and they have to start over!!! *-)).
- 2. If your current password is less than 8 characters/positions long and
seemingly, truly random, change it. Nothing drastic, simply keep the present
gobbledygook and add a character or 2 every so often. Each time you do, it'll
become that much harder to break. Don't forget to change it system wide,
including in the PPP interface and mail software on fully automated systems.
- 3. If your current password is 8 or more characters in length, you can
probably keep it and feel secure unless you think you will be attacked. The
exception being commercial online services like AOL, Compuserve, etc.
whose passwords follow a pattern which you may feel is secure. e.g.
apple:market is not secure by any means. However, ApPlE/MaRKet/19xx would
be reasonably secure if you insist on using their given password.
- 4. Change your password periodically. Yes, it's a pain, but you really
need to do it. There's no way to know if someone wants yours, but don't
make it easy like using bob as your password.
- 5. For those that tend to be paranoid and don't trust their creativity
in creating more or less random passwords, get a password generation program.
There are many on the market. If you can't find one, let me know via
e-mail to wdirks@sirinet.net.
I will get one to you that I wrote via a disk by snail-mail. Also
see the info that follows.
Plain Old Salt, Technical Talk
- For those that must know, here's a little walk through the crypt()
door. ISP's and their support personnel, please read carefully. This
may seem like old hat but bear with me in case you do see something
new *).
- As previously mentioned, on Linux/Unix systems, or systems using the
C crypt function to protect passwords, these are normally encrypted so the
bad guys can't see what it really is. Crypt is normally only used by the
good guys. But for you to do things like change your password and even
login, it has to be available to verify your password.
- Explained a little more clearly, the user file stores the encrypted
version of the password, called the salt. When feeding both the given password
and the salt back to crypt, a result is returned. If the result equals the salt,
we have a match. Conversely, during password encryption/generation a similar
process occurs except the salt is provided by the password generation portion
during makeuser. Here's where a flaw sometimes occurs.
- Makeuser on some systems doesn't seem to generate enough
salts to accommodate the user base. This leads us to a situation on
larger systems where the same salt, alias password key, is now generated
more than once. If few people change their password, there's now
a fair amount of like passwords in various groups that are identical.
Hint: Sort the password file on salt and look at the result to see if you
are a victim. Solution: Hack makeuser to generate more salts or, if
really ambitious, make it meet Orange Book standards. If you go the Orange
Book route, you'll find you now have in itself a password generator
possibly better than what you started with, or are now practicing a form of
double encryption which in itself is very secure (Watch your passwd
salt pattern disappear!)
- That's about it for now. I don't want to give the bad guys more ammo
to possibly use. Please understand, the encryption by itself is basically
secure. However, if the users insist on using simple passwords like "bob"
and Linux/Unix based ISP's haven't beefed up makeuser, there will be a
security problem.
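The "sort on salt and look at the result" hint above, as an added example an administrator could run against their own password file. It is not the author's script. The sample lines are constructed in /etc/passwd format with made-up traditional 13-character crypt() fields (two salt characters followed by eleven hash characters); the names and hashes are invented for illustration. Two results matter: salts that makeuser handed out more than once, and whole crypt fields that are identical, since an identical field means the same salt and the same password, which is visible without cracking anything.

```python
# Added example: audit a passwd-style file for reused salts and identical hashes.
from collections import defaultdict

# Constructed sample data; every name and hash value below is made up.
SAMPLE_PASSWD = """\
alice:ab8kQ2xZtY1mE:1001:100:Alice:/home/alice:/bin/sh
bob:abJ9sL0pQr4wN:1002:100:Bob:/home/bob:/bin/sh
carol:xyT7cVb2NmK8q:1003:100:Carol:/home/carol:/bin/sh
dave:ab8kQ2xZtY1mE:1004:100:Dave:/home/dave:/bin/sh
erin:Q1mP3zR8vN2kL:1005:100:Erin:/home/erin:/bin/sh
frank:*:1006:100:Frank:/home/frank:/bin/false
"""

CRYPT_FIELD_LEN = 13   # traditional crypt(): 2 salt chars + 11 hash chars
SALT_LEN = 2
POSSIBLE_SALTS = 64 ** SALT_LEN   # [./0-9A-Za-z] in two positions = 4096


def parse_entries(text: str):
    """Yield (user, crypt_field) for each line carrying a traditional crypt() hash;
    locked accounts ('*', '!') and malformed lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if len(pw) == CRYPT_FIELD_LEN:
            yield user, pw


def salt_usage(text: str) -> dict[str, list[str]]:
    """Map each 2-character salt to the users whose hash was made with it."""
    by_salt = defaultdict(list)
    for user, pw in parse_entries(text):
        by_salt[pw[:SALT_LEN]].append(user)
    return dict(by_salt)


def duplicate_salts(text: str) -> dict[str, list[str]]:
    """Salts that makeuser handed out more than once."""
    return {s: users for s, users in salt_usage(text).items() if len(users) > 1}


def identical_hashes(text: str) -> dict[str, list[str]]:
    """Users whose entire crypt field matches another's: same salt AND same password."""
    by_hash = defaultdict(list)
    for user, pw in parse_entries(text):
        by_hash[pw].append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def report(text: str) -> str:
    """Human-readable summary, sorted by salt as the article suggests."""
    usage = salt_usage(text)
    total = sum(len(u) for u in usage.values())
    lines = [f"{total} hashed accounts, {len(usage)} distinct salts "
             f"(of {POSSIBLE_SALTS} possible)"]
    for salt in sorted(usage):
        lines.append(f"  salt {salt}: {', '.join(usage[salt])}")
    for h, users in identical_hashes(text).items():
        lines.append(f"IDENTICAL PASSWORD: {', '.join(users)} share crypt field {h}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PASSWD))
```

On a real system the file would be read from /etc/passwd (or the shadow file where one exists) instead of the embedded sample; the rest of the logic is unchanged. A healthy makeuser on a large system should show salts spread across most of the 4096 possibilities rather than clumped on a few values.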
Here's a freebie for ISP's reading this. This regards Perl.
While many of you can't survive without it, along with your users, rest
easy by doing this to prevent your own resources being used against you.
Have two(2) copies of Perl on the system. All system functions/scripts
use the full version! Users can write their scripts for guestbooks and
the like based on a remade version minus crypt() and related functions.
The remade version is user accessible. The system version is kept elsewhere.
This is easy to change since you only need to change one line in the vast
majority of cases, in those system scripts you made to accommodate the users.
This, your secure copy, should reside in a directory at or one level/group below
root so everything still functions as intended unless you have a really
weird setup.
* Additional Info *
For the average user, I have a DOS-based program that runs under DOS,
Win 3.x+ as a DOS task, and in OS/2 2.0+. It generates passwords to the point
it was accepted by the US Army at one post over 10 years ago and is still in
use to a certain degree, if not the original code then its methodology (e.g.
Orange Book standards for password creation). I have updated it to work
in today's environment, e.g. present PC power.
E-mail me at wdirks@sirinet.net for
info on how to acquire it.
For ISP providers and their support personnel on Linux/Unix based
boxes, I have a script and files you can use periodically to cull your
files of quite a few bad/common passwords your users may have put in
place. Again, E-mail me at
wdirks@sirinet.net for specifics. Additionally, IF you
want a Perl script, or other program to generate your passwords meeting
orange book standards and breaking the Linux/Unix 8 char limit, please let
me know. I would like a project like this to tackle. I can't be openly
commercial but I know it can be done to make systems more secure. I simply
want to help, as indirectly it affects even me, and many other people's
security and livelihood.
A special thanks to John Johnson who pointed out a few things I
should have added and/or made clearer.
Copyright 1997, William(Bill) Dirks.