A survey of password mechanisms.
While research continues on more sophisticated methods of authentication, password mechanisms remain the predominant method of identifying computer system users. In order to implement an authentication mechanism, one must determine what information will be used to validate a user. Whatever that information is, it can be described by one or more of the following categories:
* something the user knows * something the user has * something the user is.
AUTHENTICATION BASED ON
WHAT THE USER KNOWS
The first method, certainly the most common method used in computer systems today, requires the user to provide information or responses to questions. Usually, this involves asking the user a question, then checking the reply against a reply stored in the system; if there is a match, the user is validated.
False positive identifications are the biggest problem with the what-the-user-knows method. Once a perpetrator knows the answer(s) to the question(s), the system has been compromised and will remain so until the answers (and perhaps the questions) are changed. The frequency of false negative identifications, as well as user burden, depends on the responses users must provide to the system; it is usually as simple as entering a string of characters. The cost of implementation is relatively cheap; storage of the questions and the answers used plus minimal CPU time is all that is required.
AUTHENTICATION BASED ON
WHAT THE USER HAS
The second method of user authentication, common to most mechanisms outside of those used for computer systems, entails the possession of an object. Keys, identification badges, magnetic cards - tokens of some sort must be shown to the authentication mechanism for the user to be granted access.
Using tokens rather than user knowledge as proof of identity results in fewer false positive identifications, as a perpetrator must possess a physical object (or fabricate one) to be authenticated. However, when used as the only means of authentication, the what-the-user-has method can be compromised by someone losing a valid token. The frequency of false negative identifications depends on the tokens used; most likely a key will always work, while a magnetic card may get creased and not authorize a valid user. User frustration and system expense also will vary with the type of hardware used, although in the case of a computer system, authentication hardware continues to be expensive and sometimes clumsy to use.
To strengthen what-the-user-has methods of authentication, what-the-user-knows methods are typically added, such as requiring a code to use the token. Automated teller machines (ATMs) are a common example. ATM users wanting to access their accounts must usually present a magnetic card and a personal identification number (PIN) before transactions can be made on the account.
AUTHENTICATION BASED ON
WHAT THE USER IS
The third method of user authentication, perhaps the most secure and expensive, requires the authentication device to measure some physical characteristic of the person being identified. Biometrics, or the measurement of physical characteristics (face recognition, fingerprints, voiceprints, hand geometry, retina scans, signatures, muscular-skeletal response, etc.), can be used to measure "what the user is."
Perhaps the most appealing aspects of such authentication systems are the enormous quantity of "information" contained in such physical measurements (as opposed to, for instance, passwords) and the difficulty in forging such measurements. However, where in a what-the-user-knows mechanism, the answer to a question can be made to be an absolute, physical identification techniques have to be forgiving to some extent. Because of this "give" built into the system, trade-offs between false positive and false negative identifications become an important design concern.
While biometric systems may now be expensive, cost may not be the main obstacle to their acceptance. User frustration may be the biggest factor in determining the popularity of such authentication mechanisms. With the false negative problems inherent in biometric systems, frequent users who access many systems or systems that require more than log-in time identification may find biometric systems quite cumbersome. It remains to be seen if such authentication systems become affordable and easy to use.
THE ELEMENTS OF A
In order to determine password mechanism weaknesses, one must first understand what makes up such a system.
Composition - The security of a password system depends on how difficult it is for a perpetrator to determine a valid password. The composition of a password is the first of three factors that determine how difficult it is to guess. As the selection of characters from which valid passwords are constructed (character space) increases in size, so does the number of possible passwords.
While the character space available in some password systems is restricted to the digits (0-9) because of the entry device used (i.e., telephones, automatic teller machines), computer system passwords usually have a much larger character space available to them - the printable ASCII character set. Unfortunately, users tend not to use a wide variety of symbols in their passwords, many times using only the lower case alphabet. Simply including one or more control characters or special symbols in a password can frustrate would-be penetrators.
Making the penetrator's job even easier is the tendency for users to select real words or names as passwords. Not only does this practice make little use of character space, it also drastically limits the number of guesses a penetrator has to make. Words found in a dictionary, for instance, are poor passwords. Knowledge about a user can provide valuable clues to a penetrator, so passwords that have personal significance should be avoided. Among the list of passwords to avoid are birthdays, names of relations, initials, social security numbers, street addresses, slang, profanity, car names and musical group names.
Length Password - Length is closely associated with composition when it comes to evaluating protection against an exhaustive attack. Password length provides an absolute bound to the number of possible passwords in a system. Knowing the composition of allowable passwords, one can compute the number of possible passwords allowed by a particular system by:
[(size of character space).sup.(length of password)]
One sees, then, that small increases in length can dramatically increase the number of possible passwords. It would seem that passwords should be as long as possible. However, users must be able to remember their passwords; password composition could suffer if long passwords are enforced in a system. Password length also affects the implementation of the mechanism, particularly when considering how and where to store the passwords.
Lifetime - Passwords that remain unchanged for a long time (for instance, passwords for life and deauthorized accounts) are susceptible to undetected compromise. However, users tend not to change their passwords very often, especially users with several different passwords to remember. The recommended lifetime of a password, or how long the password should remain valid, depends on many variables:
* the cost of replacing a password * the risk associated with compromise * the risk associated with distribution * the probability of guessing a password * the number of times a password has been used * the work of finding a password using exhaustive trial and error methods.
It is argued that frequently changing passwords frustrates exhaustive attacks by a perpetrator. That is, if a password remains valid for a short enough time, it will have been changed by the time an exhaustive attack would have guessed the original password. By measuring password composition, length and lifetime, it is argued that one can estimate the probability of a password being guessed:
* let P be the probability a password can be guessed within its lifetime * let L be the password lifetime * let R be the number of guesses per unit time * let S be the number of possible passwords (see earlier formula). The relationship among these parameters is expressed by:
P = LR/S
Using this relationship, one can formulate a strategy for placing restrictions on password composition, length and lifetime given the security (or probability of guessing the password) desired.
Source - While the first three items discussed are concerned with making the password string hard to guess, the remaining seven items describe aspects of the actual password mechanism or handling of the passwords. The source, or creator, of the password is the fourth concern. A password should be generated by one of three sources:
* the user * the system security officer (SSO) * the password mechanism itself.
If users select their own passwords, decisions must be made as to what constraints to place on allowable selections. If the SSO creates and assigns passwords, then policy enforcement is the responsibility of the SSO. If the password mechanism generates the passwords, it is then responsible for enforcing password selection policy, as well as trying to generate passwords that users are willing to use. Therefore the source of the password directly affects mechanism security, as the implementation of policy enforcement procedures depends on the generator of the password.
Ownership - Ownership of a password for personal authentication should be held only by the user the password identifies, and no one else, even if several users need to access the same information. This permits the system to:
* establish individual accountability for resource usage * establish illicit use/loss of a password * maintain an audit trail of activities for each system user * avoid the need to change an entire group when a single member has a change in privileges.
While this may seem obvious, it is a fact that users will share or loan out their passwords. Requiring each user to have an unshared password protects the user in the event that system security is breached. If a group is sharing a password, innocent users may be held accountable for the inappropriate actions of one user.
Distribution - At password selection or change time, the distribution of new passwords becomes an issue. Passwords need to be distributed in a manner such that the owner of the password is the only one to see or obtain the password. In a classroom situation, where computer accounts are handed out at the beginning of the semester, it is all too easy to catch a glimpse of other users' accounts and passwords if appropriate measures are not used in distributing that information. If a user is changing a password at a terminal, it may be possible for someone to see the user type the password, or perhaps the password is displayed on the screen as the user enters it; both are implementation problems that deal with the distribution of the password string. The auditing of password assignments and changes are also part of the distribution problem. If the system is to maintain a record of password assignments and changes, it should not be possible to use that information to determine a user's password.
Storage - In order for a password mechanism to determine whether a user has entered a correct password, the mechanism must know the correct user/password pairs. The mechanism must protect this information to minimize disclosure or unauthorized replacement. Storage policies must address two issues:
* where the information should be stored * the format in which the passwords should be stored.
Password mechanisms have three basic possibilities when it comes to deciding where to store the password information:
* in a file * in a "non-file" * on another machine.
If the mechanism is to store the password information in a simple file, then steps must be taken to ensure that only authorized individuals or system processes can access the file. File system access controls can help here, but if they are breached, every account on a system might be compromised. Storing the information in a "non-file," like a section of protected memory or a non-file system portion of a disk, may make accessing password information more difficult, but may still be vulnerable to a knowledgeable penetrator. Using another machine as an authentication server is another alternative, but now the compromise of the server machine could result in the compromise of every computer system it serves.
Making the password information unreadable is another alternative to simply denying access to it. Encrypting the password information can be used to ensure that even if an intruder manages to gain access to the information, the passwords are not exposed. Hence, the encryption technique should be strong enough to prevent disclosure of the password due to any attack other than an exhaustive search.
Combining password file protection and encryption can improve security further, preventing (or at least making more difficult) chosen plain-text attacks. Even when encryption is used, the password file may still contain information useful to a penetrator. The principle of "least privilege" could be applied, denying nonauthorized users access to the system password file even when encryption is used.
Entry - What and how information is entered or exchanged between the system and the user at authentication time must be considered when examining the security of a password mechanism.
Transmission - The transmission of the password from the user to the system at password entry time is another concern. No matter how good the password mechanism is at hiding the password, no matter how good the choice of password is, if a perpetrator is tapping the communications line, it is only a matter of time until a password is discovered. Tricking novice users with false log-in programs that steal passwords is another way of abusing insecure communication lines. Such programs point out another transmission concern: how do users know if they are really communicating with the host? Outside of using secure and/or encrypted communication lines, the insecure transmission of password information can be a serious weakness in any password mechanism.
Authentication Period - The final element of password mechanisms is concerned with the period of time that a particular authorization should be valid, or the authentication period. Abruptly terminating an interactive session after an arbitrary period of time may cause warranted hostility in a user who was in the middle of editing a file. However, a computer system with a limited number of ports may suffer if users stay connected when not active. A typical solution to the authentication period problem is to terminate a session after several minutes of inactivity, trying to save or preserve any work the user had in progress.
PASSWORD SECURITY: A CASE
The classic 1979 paper by Morris and Thompson  describes the history of the Unix password mechanism, from its initial design to the basic mechanism used today. A method of attacking an early version of the Unix password system is discussed, with some interesting results. The original mechanism worked as it does today, but used a less sophisticated encryption algorithm. The method of attack was to encrypt a list of password guesses, and compare the encrypted guesses with the encrypted password fields of the system password file, since the system password file was readable by any user.
The original encryption algorithm used was "far too fast," making an exhaustive search feasible; the time to check all possible passwords of length five or less using all 128 ASCII characters was less than 100 hours, using a relatively slow machine. A more "profitable approach" than exhaustive search would be to use a well-chosen list of words as possible password strings. Mentioned sources for these words were:
* a large commercial dictionary * the reverse spelling of words in the dictionary * a list of first names, last names, street names, and cities * all the above, but with the first letter in upper-case * valid license plate numbers * room numbers, social security numbers, telephone numbers "and the like."
In an effort to determine the "typical user's" habit in the choice of passwords, the authors collected 3,289 passwords over a period of time. The results were "disappointing," in that 86% of the passwords collected were found in one of the above mentioned sources of password guesses.
METHODS TO IMPROVE
Password Generators - A password generator is a program that creates strings to be used as passwords. Such programs are made available on systems in an effort to ensure "good" password choices. However, how to design a password generator that produces passwords that are both difficult to guess and easy for the user to remember is not immediately apparent. While it is easy to generate random strings to be used as passwords, they most likely will not be easy for a user to remember. Also, password generators that are not sufficiently random in the method in which they select passwords may be limited in the number of passwords they can generate.
A password generator that can produce pronounceable passwords is desirable, as pronounceable passwords are more likely to be easily remembered than a random string of characters. Such a system depends on a set of rules that "define" what pronounceable means. Typically, a random number generator is used to select random letters or groups of letters that are considered pronounceable. These groups of letters are then concatenated to form the password. While the resulting "word" may not be recognizable, it should be pronounceable in the way it is constructed.
Password Monitors - A password monitor is a program that "grades" a user's choice for a password based on how likely it is that the password could be guessed. Such programs are usually incorporated into the password changing program, so that when users try to select a poor password, the system will reject it.
Monitoring programs have the same effect on users as password generators. If the monitor programs accept only random characters as passwords, users will not be able or willing to commit the passwords to memory and will instead write them down. Allowing these programs to accept rememberable passwords, while discarding obvious ones, is the key to a successful monitoring program.
Encryption - Storing the password file as plaintext, depending on the operating system or file system to protect access to the file, may result in every account being compromised if a penetrator manages to retrieve a copy of the password file. With the availability of strong encryption algorithms like the Data Encryption Standard (DES), encryption has become a part of most password mechanisms. Using encryption, penetrators no longer have to simply manage to get a copy of the password file; now they have to decipher the information or perform an exhaustive search.
Systems have two methods of using encryption to protect their password information: two-way encryption and one-way encryption. The main difference between password mechanisms using two-way encryption and those using one-way encryption is how the mechanism uses the system password file information to validate the user. In a two-way system, password information is encrypted with a secret key when it is stored. Then when a user enters a password to log in, the password file information is decrypted with the secret key and compared with the password that was entered.
In a system using one-way encryption, password information is also stored in the system password file in an encrypted format, never to be decrypted. A password system utilizing one-way encryption would encrypt the password with a secret key before storing it, or would use the password as a key to encrypt some constant. When a user attempts to log in, the encrypted password is not decrypted (hence, one-way encryption); rather, the password entered is encrypted and compared with the stored, encrypted password.
Auditing - Auditing, when used with password mechanisms, is used to record events that occur during authentication attempts. Information collected by auditing software includes:
* successful log-in and log-out information * unsuccessful log-in information * successful password changes * unsuccessful password changes * number of currently active sessions.
Using this information provides a method of detecting a perpetrator using a stolen account, as well as attempted break ins. Audit information can also be used to deactivate a port or a user name if a high rate of authentication failure is detected.
Handshaking/Secondary Passwords - Handshaking and secondary passwords require a user to enter multiple responses at log-in time. Rather than asking the user for a password, a handshaking system might ask a series of questions at authentication time. If different questions are used for each user, handshaking is also a way for the host to identify itself to the user. Such systems can significantly increase the work for a penetrator, as now there are several responses that the penetrator must guess. It can also frustrate valid users, because of the time required to log in, as well as having several responses to remember.
Secondary passwords can also be used to require a password for specific resources. A typical application for secondary passwords is for authentication on ports connected to modems. Such secondary passwords require a perpetrator logging in over a modem line to get past two passwords instead of one.
Pass-Phrases/Key Compression - Rather than forcing a user to come up with a secure but easy-to-remember short password, some systems have implemented support for pass-phrases and key compression. Simply put, pass-phrases are long passwords.
Recalling that password space grows exponentially as length increases, pass-phrases trade password composition for password length. Thus pass-phrases can be selected from a smaller character space, typically that of the alphabet. Hence, while computing password space for a pass-phrase, the number of possible "phrases" is counted, rather than the number of possible character combinations. For example, assume that pass-phrases are four-word phrases, each word selected from a dictionary of 25,000 words. Then, the password space of such pass-phrase is computed as:
[Mathematical Expression Omitted]
Compare this result with the number of possible 56-bit DES keys:
[Mathematical Expression Omitted]
In order to support these long passwords, but still use them with the DES and other encryption algorithms, key compression is used. Before using a pass-phrase as a DES key, it must be compressed into a 64-bit block. Also, as in the case of simple passwords, pass-phrases may need to be checked for triviality; choices like "Mary had a little lamb" will most likely be guessed.
Password Aging - Password aging, or the enforcement of a maximum password lifetime, is one method of automatically forcing users to change their passwords. Such mechanisms can typically enforce a minimum and a maximum amount of time between password changes.
While password aging may seem like a good idea, many argue that it is counterproductive. Users do not like to change passwords; systems requiring them to do so may cause frustration. Mechanisms that do not warn of an upcoming expiration of the password can actually decrease security, as such a mechanism may suddenly demand that a new password be set. Suddenly demanding users to change their passwords will probably not result in the best password choice, and most choices likely will be written down as well. Systems supporting minimum lifetimes can actually stop users from changing their passwords. Minimum lifetimes are primarily used to keep a user from "cheating" the aging system by changing to a temporary password, and then back to the old one.
It's quite possible the correct conclusion is that typed-in passwords are fundamentally hopeless (as a means of authenticating users) .... 
REFERENCES [1.] R. Morris and K. Thompson, "Password Security: a case history," Unix System Manager's Manual, SMM #18, 4.3 Berkeley Software Distribution Manuals, Computer Systems Research Group, UC Berkeley, Apr 1986. [2.] B. Stein, "Re: Password Protection," USENET posting in comp.unix.wizards, Message-ID: 17994adm. BRL.MIL, Jan 1, 1989.
David L. Jobusch is an engineer with the Colorado Unix Networking Laboratory of Hewlett-Packard Co.
Arthur E. Oldhoeft is a professor of computer science at Iowa State University.
|Printer friendly Cite/link Email Feedback|
|Title Annotation:||EW Design Engineers' Handbook & Manufacturers Directory|
|Author:||Jobusch, David L.; Oldhoeft, Arthur E.|
|Publication:||Journal of Electronic Defense|
|Date:||Jan 1, 1992|
|Previous Article:||The threat of information theft by reception of electromagnetic radiation from RS-232 cables.|
|Next Article:||Misread signals.|