Fortune 100 corporations, small firms and even Internet service providers with strong security have an Achilles heel: users who pick easily guessable passwords.
Hackers can crack most in less than a minute
By Rob Lemos
When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look.
Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file.
"Just about every company that we have gone into, even large multinationals, has a high percentage of accounts with easily (cracked) passwords," said Greg Shipley, director of consulting for Neohapsis. "We have yet to see a company whose employees don't pick bad passwords."
Fortune 100 corporations, small firms and even Internet service providers with strong security have an Achilles heel: users who pick easily guessable passwords. Some choose words straight out of Webster's dictionary, others use a pet's name, and still more choose the name of a secret lover. Many who think themselves tricky append a digit or two on the end of their chosen word. Such feeble attempts at deception are no match for today's computers, which are capable of trying millions of word variations per second and often can guess a good number of passwords in less than a minute.
Treasure trove of magic words
That's why network attackers grab passwords as soon as they can. Some viruses and worms send an infected computer's password file back to the creator. This week, a worm known as DoubleTap is doing just that, squirming its way in to computers with Microsoft's SQL Server 7.0 installed. The 1i0n worm, which spread among Linux servers in early 2001, grabbed password files, and the SirCam virus, in some cases, could send off the systems passwords as well.
Even the most paranoid security group and high-tech digital fences can't do much if the CEO secures his critical files with "god123." Worse, most companies and organizations still rely on a password--and nothing else--to authenticate their employees.
In security circles, experts have been studying the problem for decades.
In the pre-Internet Age of 1979, when storage was measured in the number of bits that could fit on a foot of magnetic tape, a seminal paper on password security found that a third of users' passwords could be broken in less than five minutes.
A search to find an eight-character password of random letters and digits would take 66 years on average for the big gun of the day, the PDP-11/70, which could crunch through nearly 50,000 combinations a minute in a brute-force search.
Yet the study found that users almost invariably chose bad passwords, leading to shortcuts for anyone attacking the security of the system.
Of nearly 3,300 passwords examined, the paper's authors, Ken Thompson and Robert Morris Sr., found about 17 percent consisted of three characters or less, nearly 15 percent had four characters that were a letter or a digit, and another 15 percent appeared in one of the dictionaries available at the time. In total, nearly half the passwords could be found in a search lasting less than six hours.
Make no mistake: An eight-character password could be very secure, even if attacked by today's high-speed computers.
There are more than 6.6 quadrillion different eight-character passwords using the 95 printable ASCII characters. Though some password-cracking programs can test nearly 8 million combinations every second on the latest Pentium 4 processor, breaking an eight-character password would still take more than 13 years on average.
In fact, operating systems have evolved in the past two decades to increase the security surrounding passwords. At one time, anyone could read the password file--the collection of encrypted keys for the system's software locks--making it easy for a hacker to copy the file for later cracking on their own computer system.
Now, operating systems typically allow only system administrators access to read the encrypted passwords, forcing hackers to get administrator rights on the system before they can grab the file. In addition, "three strikes" login rules have become common, locking out users who fail to provide the correct passwords in the first few attempts.
Digital domino effect
The only defense is to make passwords nearly impossible to guess, but such strength requires that the password be selected in a totally random fashion. That's a tall order for humans, said David Evans, an assistant professor of computer science at the University of Virginia.
"When humans make passwords, (they) are not very good at making up randomness," he said.
Furthermore, because people usually have several passwords to keep track of, locking user accounts with random, but difficult-to-remember, strings of characters such as "wX%95qd!" is a recipe for a support headache.
"The idea is to make something that is easy to remember but that will make up a good password," he said.
Many security administrators focus their efforts on teaching users how to use various mnemonics to create strong, but memorable, passwords. A common technique takes the first or last letter of each word in a saying or phrase familiar to the user. For example, by using random capitalization and substituting some punctuation marks and digits for letters, "Friends don't let friends give tech advice" might become "fD!Fg7a."
The education doesn't seem to be sticking, and the password problem is getting worse as the percentage of less-tech-savvy computer users increases.
Giving away the keys
That's the good news. Another study by the same company found that nearly two-thirds of the workers polled at Victoria Station in London gave the pollster their passwords when asked. Their reward? A cheap pen.
Little wonder then that companies are becoming increasingly worried that the keys to their information kingdom are being handled so poorly.
"Passwords are one of the biggest security problems that corporate America has," said Chris Pick, associate vice president for product strategy at PentaSafe. "Employees should at least know their company's password policy, but they don't."
In fact, potential intruders value a password far more than the single computer it's protecting. A hacker who can get the password list from a server or PC can use those passwords to gain access to other computers on the network, bypassing all the high-tech security erected to keep him out. Moreover, once an intruder has collected the digital keys to a network, it's very hard for administrators to lock him back out.
"There are some ISPs who have had 40,000 passwords stolen," said Neohapsis' Shipley. "They are not going to tell all their users to change their passwords." Doing so would only alert a hacker that he has been detected, Shipley said, and the ISP has no way of knowing if a legitimate user or the illicit trespasser has changed an account's password.
"It's a support nightmare," Shipley said. "That's one hacker you aren't getting out of the system."
The best solution is to not let them in. To block hackers, security companies and researchers are increasingly focusing on strengthening the weak link posed by passwords.
Many corporations have boosted user education, concentrating on drilling their employees in the company's password policy. Such policies determine what a valid password is, the minimum number of characters in the string, and how often the keys to the account have to be changed.
That still doesn't make the passwords any more memorable, researchers say.
Dhamija and Perrig, as well as several other researchers, are looking to capitalize on users' visual recall, rather than their ability to memorize characters. Deja Vu creates collections of digital art from which a user chooses several selections; then the system trains the user to remember the selections.
Researchers at Microsoft, Lucent Technologies, New York University and the University of Virginia, among others, have studied techniques for creating graphical passwords.
Such systems have problems as well. While the resulting password tends to be more random than one made of characters, the user training has to be done in secret or others might be able to view the sequence of images that make up the password. Moreover, the same attributes that make graphical passwords easier to remember for the user make them easier to pick up by, say, a not-so-friendly co-worker looking over someone's shoulder, said Chris Wysopal, director of research and development for digital security firm @Stake.
"Pictures are going to be easier to shoulder-surf than keyboard passwords," Wysopal said, adding that weaknesses in how such passwords are stored on the computer system could also make them vulnerable to cracking attempts.
While research has focused on creating new types of passwords, businesses are attempting to tackle the problem with software products that allow a single, strong password to be used to access all the services on a network. By letting users focus on just memorizing a single password, the onus for security is on the administrators who must force users to pick a strong password and change it frequently.
This system has its own drawback, of course. A hacker able to wheedle a single password from a user gains access to everything that person had permission to use. That has many nervous companies adopting so-called two-factor authentication, where the second factor is a chip card or biometric. For the extremely security conscious, three-factor authentication is available as well.
"If you want real high-level security," said University of Virginia's Evans, "people can authenticate themselves with something they know, like a password; something they have, like a smart card; and something they are, like a biometric."
With fingerprint scanners and smart-card readers still not a common option on computers, such technology isn't an immediate solution, said Chris Christiansen, an analyst with market researcher IDC.
"There is a huge, huge range of alternatives to passwords," he said. "But nobody thinks passwords are going to go away."
Until better alternatives are adopted, the users--and the passwords they choose--continue to be the greatest vulnerability.