Password Security

From the Security FAQ, as distributed with Alec Muffett's Crack utility:

Q16: How can I generate safe passwords?

You can't. The key word here is generate. Once an algorithm for creating passwords is specified using upon some systematic method, it merely becomes a matter of analysing your algorithm in order to find every password on your system.

Unless the algorithm is very subtle, it will probably suffer from a very low period (ie: it will soon start to repeat itself) so that either:

1. a cracker can try out every possible output of the password generator on every user of the system, or
2. the cracker can analyse the output of the password program, determine the algorithm being used, and apply the algorithm to other users to determine their passwords.

A beautiful example of this (where it was disastrously assumed that a random number generator could generate an infinite number of random passwords) is detailed in [Morris & Thompson].

The only way to get a reasonable amount of variety in your passwords (I'm afraid) is to make them up. Work out some flexible method of your own which is not based upon:

1. modifying any part of your name or name + initials
2. modifying a dictionary word
3. acronyms
4. any systematic, well-adhered-to algorithm whatsoever

For instance, never use passwords like:

alec7

it's based on the user's name (and it's too short anyway)

tteffum

based on the users name again

gillian

girlfiends name (in a dictionary)

naillig

ditto, backwards

PORSCHE911

it's in a dictionary

12345678

it's in a dictionary (& people can watch you type it easily)

qwertyui

...ditto...

abcxyz

...ditto...

0ooooooo

...ditto...

Computer

just because it's capitalised doesn't make it safe

wombat6

ditto for appending some random character

6wombat

ditto for prepending some random character

merde3

even for french words...

mr.spock

it's in a sci-fi dictionary

zeolite

it's in a geological dictionary

ze0lite

corrupted version of a word in a geological dictionary

ze0l1te

...ditto...

Z30L1T3

...ditto...

I hope that these examples emphasise that any password derived from ANY dictionary word (or personal information), modified in any way, constitutes a potentially guessable password.

For more detailed information in the same vein, you should read the APPENDIX files which accompany Alec Muffett's Crack utility.

Q17: Why are passwords so important?

Because they are the first line of defence against interactive attacks on your system. It can be stated simply: if a cracker cannot interact with your system(s), and he has no access to read or write the information contained in the password file, then he has almost no avenues of attack left open to break your system.

This is also why, if a cracker can at least read your password file (and if you are on a vanilla modern Unix, you should assume this) it is so important that he is not able to break any of the passwords contained therein. If he can, then it is also fair to assume that he can (a) log on to your system and can then (b) break into "root" via an operating system hole.

Q18: How many possible passwords are there?

Most people ask this at one time or another, worried that programs like Crack will eventually grow in power until they can do a completely exhaustive search of all possible passwords, to break into a specific users' account - usually root.

If (to simplify the maths) we make the assumptions that:

1. Valid passwords are created from a set of 62 chars [A-Za-z0-9]
2. Valid passwords are to be between 5 and 8 chars long

Then the size of the set of all valid passwords is: (in base 62)

	   100000 +
	  1000000 +
	 10000000 +
	100000000 =
	---------
	111100000	(base 62)

A figure which is far too large to usefully undertake an exhaustive search with current technologies. Don't forget, however, that passwords can be made up with even more characters then this; you can use , all the punctuation characters, and symbols (~<>|\#$%^&*) too. If you can use some of all the 95 non-control characters in passwords, this increases the search space for a cracker to cover even further.

However, it's still much more efficient for a cracker to get a copy of "Crack", break into any account on the system (you only need one), log onto the machine, and spoof his way up to root priviledges via operating system holes.

Take comfort from these figures. If you can slam the door in the face of a potential crackers with a robust password file, you have sealed most of the major avenues of attack immediately.