How strong are your users' passwords?

People frequently overlook a basic element of Internet security: authentication. Oftentimes, authentication takes place after other network security layers are met. Most applications such as Telnet, File Transfer Protocol (FTP), and secured Web access use the common challenge-response method of authenticating a user: a username followed by a password. (Words of advice: Don't use Telnet across the Internet to a UNIX host, and encrypt files before using FTP if you want those files to be secure.)

Applications also use the challenge-response method to grant a user access to a particular application or system. Many applications use clear-text usernames and passwords for authentication and operation. Depending on other access controls and how secure you need to keep the information, this is a possible security issue.

Some authentication methods use a combination of sending a username and a password in one operation. These aren't challenge-response systems because there isn't a second step or "prompt" for a password. Technically, this is quite weak with regards to authentication. Here's an analogy: A challenge-response authentication system is like handing someone a ring of keys and asking them to find the right key for a lock. Direct authentication with a username and password in one operation gives that person the proper key and points them to the proper lock, simultaneously. (Note: This article focuses on "static" password authentication, as opposed to one-time password systems such as S/Key.)

There are probably dozens of ways operating systems and applications manage and store username and password pairs for authentication. A common form uses a clear-text username stored with an encrypted password. The challenge password is processed with a one-way cipher and then compared to the stored password; a "match" indicates proper authentication. Encrypting passwords is crucial to network security because it reduces the chance of an intruder obtaining hundreds or thousands of authentication pairs if there's a security breach.

Many UNIX systems use 56-bit Data Encryption Standard (DES) encryption for stored passwords. Older UNIX systems include the encrypted username and password information in the authentication control file, /etc/passwd. This file needs to be world-readable in order for UNIX users to view file permissions. With the advent of faster computers and "crack" programs, attacks on DES-encrypted passwords became a major security hole. To protect the /etc/passwd file on UNIX systems, current UNIX systems use two files, one of which holds encrypted passwords.

Windows-based systems also use encryption methods based on DES and MD4. Most of the same security concerns for UNIX systems apply for Windows systems. If someone can get the password "hashes" or capture packets on a LAN, then that person can use a password-cracking program to gain the authentication account passwords. One of the more "successful" password-cracking programs is L0phtCrack, which is famous for contradicting Microsoft's claims of password security in Windows NT. L0phtCrack was one of the first Windows-based password-crackers to have built-in support for interception of authentication information on a LAN. It also can obtain results quickly, making L0phtCrack an excellent password-auditing tool for Windows systems.

Stronger stored password encryption methods such as the MD4 and MD5 algorithms reduce the possibility of attacks on DES but don't eliminate these threats. There are a number of UNIX password crackers that administrators can use to audit UNIX systems, including Alec Muffett's "Crack" program. Administrators can use these programs to periodically audit UNIX systems in search of "weak" passwords.

A "weak" password is extremely vulnerable to "dictionary attacks." A dictionary attack is a simple (and statistically proven) way to obtain most passwords on a system. That's right: Most crackers figure out passwords by looking up common words in a dictionary. Simply encrypt each word in sequence and compare it to the stored encrypted password. A match is one more potential security hole. The number of dictionary attacks can decrease if users and administrators think of better (or "stronger") passwords. Passwords should contain a combination of letters and numbers and should change at regular intervals. Because, at some point, it's likely that someone will attempt to crack your password.