July 21, 2004

SysAdmin to SysAdmin: Educate users about strong passwords

Author: Brian Jones

General concepts in security escape most end users, pointy-haired bosses,
and other decision-makers, and even some junior administrators. While the more
senior technologists may not ever hope to get them to relate to the finer
points of DMZs and VLANs, we should at least continue to push and educate in
the area of passwords.

Cracking passwords is incredibly easy. I learned how to crack passwords only
days after I figured out how to get Linux to recognize my dialup modem. My
14-year-old brother taught me. A user with a
recent Pentium-class desktop can launch a brute force
password attack that can try upwards of 10 million word variations per
second. Keep in mind that an attacker needs only one match, one IP address, and
one rootkit or other privilege escalation routine to make your life a living

However, good passwords aren't a panacea, either. We enforce good passwords
where I work, and I've had more than one person who, after changing his
password, immediately asked if I had a pen and paper. That's right folks,
somewhere in the building you work in, there's a sticky note stuck to a monitor
with a password written on it for all to see. What's more, even though you're a
good admin and shut off all unencrypted means of authentication, it doesn't
matter, because not everyone else has, and people use the same passwords all
over the place.

So what's an admin to do?

Keep educating the users, and keep enforcing good passwords. Rinse and repeat. Until we have an authentication solution that requires more than just a password
and doesn't cause one service or another to puke on its shoes, it's
really all we've got.

What's a strong password?

A "good" password is clearly one that can't be guessed or easily cracked
through computer-aided means. The first thing you need to do is create a new
definition of the word "dictionary" in the mind of your users.
A traditional dictionary probably doesn't contain the word "muffy," but a
cracker's dictionary does, because it's a popular pet name. A traditional
dictionary doesn't contain misspellings of words, like "p4ssw0rd." A cracker's
dictionary would guess that one in less than a second. Users should understand

A good password, in more technical terms, takes advantage of all your keyboard
has to offer, and is "cracker-conscious." Ideally, a good, standard Unix
password is eight characters long, and contains at least one uppercase letter, one
lowercase letter, one numeric character, and one symbol (like @,!,%, or even
","). In addition to these requirements, a good password will not be based on a
word in your (hopefully ever-growing) crack dictionary. Another thing to keep
in mind is that you do not want a password that follows these rules, but
forgets that dictionaries also contain popular QWERTY patterns. For example,
!@#$QWER is not a great password, partly because it is a predictable pattern,
and exists in some cracker dictionaries.

There are a couple of suggestions you can make to help your users. One is
to take a phrase, select the first (or even the last) letter of each word in the phrase, and base the password on that. For example, suppose we use "Welcome to New Jersey, now please go home." Taking the first letter, we get "wtnjnpgh." But now we substitute symbols for some of the letters -- an "@" for an "a," a "|" for an "l," etc. Our example ends up looking something like "w+NJnp9^" (I used a "^" to represent a roof, or "home").

Another idea is to think of two three-letter words that are completely
unrelated, like "tin" and "log." Do some number/letter/symbol substitution,
stick a special character or two in the middle of them, and you have a pretty
decent password -- maybe "t!N73d*g." The "73" in the middle is my birth year. These things don't have to be extraordinarily difficult to remember, once you offer some
good rules to employ.
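The rules from the "What's a strong password?" section, and the two mnemonic examples above, as an added checker that is not part of the original article. It assumes a small constructed crack dictionary and keyboard-row list standing in for a real wordlist, and it undoes common letter/symbol substitutions before the dictionary lookup, which is why "p4ssw0rd" is rejected the way the article says a cracker's dictionary would catch it.

```python
import re
import string

# Constructed stand-ins for a real crack dictionary and keyboard-pattern list.
CRACK_DICT = {"password", "muffy", "welcome", "qwerty", "letmein", "tin", "log"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "!@#$%^&*()"]

# Substitutions a cracker's rule set reverses before comparing against words.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "|": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def normalize(pw):
    """Lowercase and undo leet substitutions so 'p4ssw0rd' becomes 'password'."""
    return pw.lower().translate(LEET)


def keyboard_pattern(pw, n=4):
    """True if any n-character window of pw (forwards or reversed) lies on a keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(low) - n + 1):
            chunk = low[i:i + n]
            if chunk in row or chunk[::-1] in row:
                return True
    return False


def check_password(pw):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    norm = normalize(pw)
    letters_only = re.sub(r"[^a-z]", "", norm)
    if norm in CRACK_DICT or letters_only in CRACK_DICT:
        problems.append("dictionary word (after undoing substitutions)")
    if keyboard_pattern(pw):
        problems.append("keyboard pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["p4ssw0rd", "!@#$QWER", "muffy", "w+NJnp9^", "t!N73d*g"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Both passphrase-derived examples from the article ("w+NJnp9^" and "t!N73d*g") pass, while the article's bad examples each trip at least one rule.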

The two final quick things I tell users are to never use the same
username/password combination at any two sites, and never ever write down your

Why bother?

Users ask why they should bother with all these password rules. (I know what you're thinking: "Users. Can't live with
'em, can't kill 'em.") It's amazing how users have absolutely no idea of the value
of their own data, or the damage that an attacker can do. Most users don't
realize that things that happen on their local desktop can have far-reaching
effects, not only on other faceless users, but in their own lives as well.
Recently, I saw a statistic that said something like "identity theft is
the fastest growing crime." In my state, identity theft is
supposedly the number one non-violent crime.

What users don't really get is that, while a password is not your identity,
it is essentially the key to your identity. With a password, a cracker can
check out your browser history to see where you spend your time on the
Internet. He may be able to see where you do your banking, get your Internet email, make your online
stock trades, do your shopping online, etc. In addition, he can see what other
sites your identity exists at. If you log into other sites, even using SSH,
he can browse your known_hosts file, and try your username and password on
every machine in that file. If you've broken the rule
mentioned earlier about using the same username/password at different
sites, you could be in trouble. Use the same combination at work and at
Amazon.com and you've just handed over your credit card information, possibly
an alternate email account, your physical address, the address of your office,
and your shopping history. Send any gifts? Great! The cracker also has some
leads on new victims.

And I haven't even mentioned your data yet! I once was completely floored to hear a
friend chuckle at my apparent paranoia with regard to passwords. "What are they
gonna do with it?" he asked. This question makes the assumption that crackers are
reasonable. I asked him, "Don't you have your book manuscript on your laptop?"
He said yes, "but so what? What are they gonna do with that?" Well, when I
suggested they might completely erase it, he thought it was ridiculous. "Why?"
A lengthy discussion ensued, during which he asked how they'd ever find his
computer among the thousands on the Internet. This prompted me to do something
I highly suggest to others in my shoes: open a console and run tcpdump. Let
the packets fly by. Then explain that these are packets, and that many of them
are from complete strangers, essentially knocking on your door.

OK, I digress. The point is, users should know that their data is at risk if they are cracked.

There are so many areas of technology where users are oblivious, it's hard
to know where to start. We could have started with email
security, browser security, or even some aspects of social engineering. Personally, I think password security gives us as administrators the most bang for the buck. If passwords are tougher to crack, and aren't used in multiple
places, everyone's life gets easier.
