1      Introduction

1.1    Overview

Passwords are used in almost every interaction between users and information systems. Most forms of user authentication, as well as file and data protection, rely on user-supplied passwords. Since properly authenticated access is often not logged, or even if logged is not likely to arouse suspicion, a compromised password is an opportunity to explore a system from the inside virtually undetected. An attacker would have complete access to any resources available to that user, and would be significantly closer to being able to access other accounts, nearby machines, and perhaps even administrative privileges. Despite this threat, accounts with bad or empty passwords remain extremely common and organizations with good password policy far too rare. The most common password vulnerabilities are that (a) user accounts have weak or non-existent passwords, (b) regardless of the strength of their passwords, users fail to protect them, and (c) the operating system or additional software creates administrative accounts with weak or non-existent passwords.

The best and most appropriate defense against these is a strong password policy, which includes thorough instructions for good password habits and proactive checking of password integrity.

2      Password Policy

2.1    Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Company's entire corporate network. As such, all employees, consultants, and contractors of Company are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.2    Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

2.3    Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any facility in network.

2.4    Responsibilities

Maintaining the secrecy of users’ passwords is a shared responsibility of the user, who uses the password to authenticate, the provider of the authentication service, which implements the authentication mechanism, and the owner of the input device on which the user enters his or her password. The responsibilities are as follows:

-The user is responsible for keeping his or her password secret. The user may not share his or her password with any other person.

-The provider of the authentication service is responsible for maintaining the secrecy of a user password within the confines of the deployed authentication mechanism, and the selection of appropriate protocols for safe-transfer of user passwords on a network. This provider is furthermore responsible for the integrity and availability of the authentication mechanisms, compliance with this policy and enforcing the password rules defined in this policy.

-The owner of the (shared) IT resource is responsible for setting appropriate authorizations on resources which have been given access rights on the basis of the correct identification, assigned by the provider of the authentication server.

-The owner of the input device is responsible for maintaining the secrecy of a password entered on this device and for properly inter-working with the authentication mechanism deployed by the provider of the authentication service.

2.5    Policy

2.5.1       General

For reasons of personal accountability, every user of shared IT facilities shall be uniquely identifiable by means of personal user identification.

Personal user identifications are needed to ensure that activities of computer users can be traced back to the individuals concerned. The minimum means to uniquely identify a user and to verify whether an attempt to access protected resources is authorized is a password which is nontrivial and which is kept secret.

Users shall choose and handle their passwords with care.

Organizations that use computing or networking facilities are responsible for properly allocating authorizations to their users, and for revoking these authorizations on change of function or end of contract of a user.

2.5.2       Password Rules

Password maximum age

Objective: to counter password misuse

Setting: MUST be set to 60 days

Password minimum age

Objective: to counter password misuse

Setting: Allow change immediately

Password minimum length

Objective: to counter password guessing

Setting: MUST be set to 8 characters

Password history

Objective: to counter password guessing

Setting: MUST be set to 12 passwords that are remembered

Users allowed to change their passwords

Objective: to define password ownership

Setting: users must be allowed to change their password

Password syntax checking

Objective: to avoid users choosing weak passwords

Setting: syntax setting MUST be enforced. Passwords MUST meet the following complexity rules:

–          At least 5 characters of the password MUST be different

–          The password MUST comprise at a minimum 1 character that is not an alphabetic character, a digit or a hyphen (-). At least one such character MUST appear at a position that is NOT the first, the second, the last but one or the last position of the password.

–          The alphabet referred to in the rule above is the ISO standard 647 (US ASCII); for locales, which do not include this alphabet, no complexity rules are prescribed.

–          Enterprise Administrator passwords must be a strong one with at least 1 number, at least 1 uppercase character and at least 1 lowercase character.
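The length and complexity rules above can be checked mechanically when a password is set. The following is an added example, not part of the original policy: it assumes "at least 5 characters MUST be different" means at least five distinct characters, treats any character outside US-ASCII letters, digits and the hyphen as special, and does not model the locale exemption. The function name `check_password` and the sample passwords are constructed for illustration.

```python
import string

MIN_LENGTH = 8      # "Password minimum length" setting
MIN_DISTINCT = 5    # assumed reading of "at least 5 characters MUST be different"
# Characters the rule does not count: US-ASCII letters, digits and the hyphen.
ORDINARY = set(string.ascii_letters + string.digits + "-")


def check_password(password, enterprise_admin=False):
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(set(password)) < MIN_DISTINCT:
        problems.append("fewer than 5 different characters")

    special = [i for i, ch in enumerate(password) if ch not in ORDINARY]
    # Positions that do not satisfy the rule: first, second, last but one, last.
    edge = {0, 1, len(password) - 2, len(password) - 1}
    if not special:
        problems.append("no character other than letters, digits and hyphen")
    elif all(i in edge for i in special):
        problems.append("special character only in an excluded position")

    if enterprise_admin:
        # Extra rule for Enterprise Administrator passwords.
        if not any(c in string.digits for c in password):
            problems.append("administrator password lacks a digit")
        if not any(c in string.ascii_uppercase for c in password):
            problems.append("administrator password lacks an uppercase letter")
        if not any(c in string.ascii_lowercase for c in password):
            problems.append("administrator password lacks a lowercase letter")
    return problems


# Constructed sample passwords, for illustration only.
if __name__ == "__main__":
    for candidate in ["ab#cd12ef", "#abcdefg1", "puddles21", "ab-cd-12ef"]:
        print(candidate, check_password(candidate) or "compliant")
```
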

Password expiration warning

Objective: to inform the users on the need to change their password before it actually expires

Setting: MUST be set to 14 days before password expiration

Password lockout

Objective: to counter (automated) password guessing

Setting: lockout MUST be enabled

Password lockout count

Objective: to allow users to re-enter their password in case of user errors

Setting: the user's account MUST be locked after 3 failed authentication attempts

Password lockout duration

Objective: to allow users to authenticate again after being locked out due to a number of mistakes

Setting: MUST be set to 30 minutes

Password must change

Objective: to force the users to change their password after they authenticate for the first time with the authentication service

Setting: password change MUST be enabled

Password storage

Objective: to ensure that the password selected by the user does not lose entropy when stored at the authentication server

Setting: passwords MUST NOT be stored in clear text; any hashing technique used for storing passwords MUST be certified for a minimum number of collisions; algorithms that ignore case MUST NOT be deployed

Password Uniqueness

Objective: to avoid that users recycle their passwords too often

Setting: MUST NOT allow re-use of the last 12 passwords

Password lockout count reset

Objective: to avoid account lockouts as denial-of-service attacks

Setting: MUST be set to 30 minutes

Grace login limit

Objective: to allow users to authenticate with an expired password

Setting: first login with an expired password MUST be supported, at this login the user is required to choose a new password

Safely modify a password

Objective: to avoid unauthorized password modification

Setting: users MUST specify their current password before they can change it

Display last logon

Objective: to inform users on a possible abuse of their account

Measures: users SHOULD be informed on the last time they have used the authentication service, the last logon message MUST only be displayed after a successful logon.

2.5.3       Client configuration

Password secrecy

Objective: to avoid sniffing of users' passwords

Measures: defenses for countering Trojan horse software on a client system MUST be in place. An up-to-date virus scanner is an appropriate measure

Stored passwords

Objective: to avoid password theft when a client computer is compromised

Measures: facilities allowing users to store their passwords locally MUST NOT be configured on the client system. Also caching of passwords (hashes) SHOULD NOT be supported.

2.6    Exemptions

A Business Organization, which needs a policy exemption on this document, must define the exemption in its local security policy.

2.7    Enforcement

Any person bound to this policy who intentionally and/or knowingly violates this policy shall be subject to ….

3      Password Cracking

3.1    Overview

Weak passwords are one of the most critical IT security threats. A weak password may give a hacker access not only to a single computer, but also to the entire network to which the computer is connected. Password cracking helps administrators secure systems through comprehensive auditing of user account passwords.

3.2    Background

When attempting to crack passwords there are two often-used approaches: dictionary and brute-force attacks.

A dictionary attack involves taking a list of words, then feeding them through the password routine to see if they are the correct password. More specifically, in the case of UNIX passwords, for example, the dictionary word is fed through the password hashing mechanism and compared to the stored password. If they match, then we have cracked or compromised the password. Furthermore, when using a dictionary attack, the words are often hybridized to account for subtle password changes. For example, under a password policy where the password must change every 60 days, the password could start off as ‘puddles21’ and then next time it’s changed become ‘puddles22’. This is a common practice among users as it makes it easier for the individual to remember a new password. But ‘puddles21’ does not exist in any dictionary. Yet a simple hybrid of the dictionary word ‘puddles’ could put numbers ranging from 1-100 at the end of the word, and we would then crack the password.

The brute-force method of cracking passwords is a sure way to find any password, providing that the character set used is large enough. This method can take a lengthy amount of time to complete. In a sense, the brute-force method is essentially using the largest dictionary that can be created from any given character set.

Unfortunately, all this talk about dictionary password cracking, brute force password cracking, password lengths, and encryption formats misses the important problem with most password systems: people pick really bad passwords. Regardless of the trillions of possible passwords that people could be using, at most sites anywhere from 30 to 70 percent of the passwords can be guessed using only thousands of possibilities (common words in general). Few people will voluntarily use special characters or passwords of any significant length. Most of them, left to their own devices, will use something they find highly memorable (supposing that they don’t just use “password”, of course), probably their own name or the name of somebody they love.

3.2.1       Weak Passwords

Weak passwords defined:

“Weak passwords are passwords that are easy to guess, simple to derive, or likely to be found in a dictionary.”

Example of weak passwords:

-Password equal to username

-Anybody’s name

-Anybody’s birth date

-Hostname of computer

-Names of sport teams

-Dictionary items

-Simple patterns on the keyboard, like qwerty, 1234

In addition to the specific items listed above, variations on these items are also vulnerable to attack using hybrid crackers, e.g.:

-The word in all capital letters

-The first letter capitalized

-Alternating characters capitalized

-The word doubled

-The word spelled backwards.

-The word preceded or followed by numbers from 00 to 99
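The variations listed above can be undone at password-change time, so that a new password built on a known word is rejected before it is ever stored. The following is an added example, not part of the original document: `weak_base`, the word list, user name and host name are constructed for illustration, and one- or two-digit prefixes and suffixes are both accepted as "numbers from 00 to 99".

```python
import re

# Keyboard patterns the list above names explicitly.
KEYBOARD_PATTERNS = {"qwerty", "1234"}


def base_candidates(password):
    """Undo the listed variations and return the possible base words."""
    # Lower-casing undoes all-capitals, first-letter and alternating capitals.
    lowered = password.lower()
    # Undo "preceded or followed by numbers" (one or two digits).
    stripped = {lowered,
                re.sub(r"^\d{1,2}", "", lowered),
                re.sub(r"\d{1,2}$", "", lowered)}
    candidates = set()
    for form in stripped:
        variants = [form]
        half, odd = divmod(len(form), 2)
        if not odd and half and form[:half] == form[half:]:
            variants.append(form[:half])            # the word doubled
        for variant in variants:
            candidates.update((variant, variant[::-1]))  # as written, backwards
    candidates.discard("")
    return candidates


def weak_base(password, username, hostname, wordlist):
    """Return the base word the password is derived from, or None."""
    blocked = {word.lower() for word in wordlist}
    blocked |= {username.lower(), hostname.lower()} | KEYBOARD_PATTERNS
    hits = sorted(base_candidates(password) & blocked)
    return hits[0] if hits else None


# Constructed inputs: a tiny word list, a user name and a host name.
WORDS = ["puddles", "dragon"]

if __name__ == "__main__":
    for candidate in ["Puddles21", "DRAGONDRAGON", "nogard99", "JDoe", "t7#Kw!pzQ2"]:
        print(candidate, "->", weak_base(candidate, "jdoe", "srv01", WORDS))
```

A real deployment would load a full dictionary plus lists of names and sports teams into `wordlist`; birth dates need a separate date-pattern check that this example does not cover.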

3.3    Scope

All local systems must be checked for weak passwords.

3.4    The Tools

Password Cracking Tools

John the Ripper

http://www.openwall.com/

A UNIX (and other) password cracker – Freeware

LC4

http://www.atstake.com/index.html

The password auditing and recovery application for Windows platforms – Commercial product

3.5    Cracking Procedure

Regular audits (password cracking sessions) must be performed using John the Ripper for UNIX systems and LC4 for Microsoft platforms.

3.5.1       The procedure

IT staff audits all operating system passwords in order to protect its systems. The results of the audit are communicated in confidence to each individual user whose password fails the audit. The only goal of the audit is to get weak passwords changed.

When the audit is complete (or interrupted after running for several hours) each user (or sometimes the user’s supervisor) whose password was cracked is notified via e-mail that his/her password failed the audit, and he/she is asked to change his/her password.

If after two such notices the user’s password has not been changed, then the auditor (IT staff) changes it for the user and the user has to contact IT before he/she can access his/her account again.

3.5.2       Repeated violations of password policy

The name(s) of the user(s) with repeated violations of this policy will be submitted to the site IT management for further corrective actions.

3.5.3       Frequency

Frequency of audits: every 2 months

3.5.4       Reporting / logging

A record of “number of weak passwords per system” should be kept. This record should include details of the follow-up process undertaken.

3.5.5       Measured improvements

The audit results and undertaken follow-up actions (under 4.5.4) must be analyzed and quantified on a regular basis in order to make measured security improvements in the site’s operations management.

3.5.6       Detailed Instructions

Refer to appendix A and appendix B for detailed instructions on how to use John the Ripper and/or LC4.

3.6    Super User Log Review Procedure

In general, “super user” means the administrator account for a server, for instance “root” on UNIX and Linux machines and “administrator” on Windows. This “super user” access right is limited to IT Dept usage. Users cannot use the “root” account to connect remotely to a machine, i.e. users should use the su command to obtain “root” access rights. Hence, the IT Dept can monitor super user activities by reviewing the sulog. As a procedure, the sulog of each machine has to be reviewed by the IT Dept quarterly.
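The quarterly sulog review can be partly automated. The following is an added example, not part of the original procedure: it assumes the classic System V sulog line layout (`SU MM/DD HH:MM +|- tty from-to`, where `+` marks a successful su and `-` a failed one), and the account names, log lines and the `review_sulog` helper are constructed for illustration.

```python
import re
from collections import Counter

# Assumed line layout: SU <MM/DD> <HH:MM> <+|-> <tty> <from>-<to>
# The split between <from> and <to> is taken at the last hyphen, so the
# target account name is assumed to contain no hyphen (true for "root").
SULOG_LINE = re.compile(
    r"^SU\s+(?P<date>\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<result>[+-])\s+(?P<tty>\S+)\s+(?P<src>\S+)-(?P<dst>[^-\s]+)$"
)

# Constructed sample log, for illustration only.
SAMPLE_SULOG = """\
SU 03/02 08:15 + pts/1 alice-root
SU 03/02 08:40 - pts/4 bob-root
SU 03/02 08:41 - pts/4 bob-root
SU 03/02 08:43 + pts/4 bob-root
SU 03/05 17:02 + pts/0 carol-oracle
garbled line
"""


def review_sulog(lines, it_staff):
    """Summarise su-to-root activity that a reviewer should look at."""
    failed = Counter()      # failed attempts to become root, per source user
    unauthorized = []       # successful su to root by accounts outside IT
    unparsed = []           # lines that do not match the expected layout
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        match = SULOG_LINE.match(line)
        if match is None:
            unparsed.append(line)   # possible corruption or tampering
            continue
        if match["dst"] != "root":
            continue                # only super user access is reviewed here
        if match["result"] == "-":
            failed[match["src"]] += 1
        elif match["src"] not in it_staff:
            unauthorized.append(
                (match["date"], match["time"], match["src"], match["tty"]))
    return {"failed": dict(failed),
            "unauthorized": unauthorized,
            "unparsed": unparsed}


if __name__ == "__main__":
    report = review_sulog(SAMPLE_SULOG.splitlines(), it_staff={"alice"})
    for section, entries in report.items():
        print(section, entries)
```
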

4      Other recommendations

-Use a password-locked screensaver to make certain that no one can perform any activity under your user-ID while you are away from your desk.

-Do not gain root access through “clear-text” protocol programs such as Telnet, RCP, and FTP. Use SSH, SCP, and SFTP instead.

-Restrict physical access to servers.

5      Glossary

 

Abbreviation: Description
Access Control: Access Control ensures that resources are only granted to those users who are entitled to them.
Access Control List (ACL): A mechanism that implements access control for a system resource by listing the identities of the system entities that are permitted to access the resource.
Asymmetric Cryptography: Public-key cryptography; A modern branch of cryptography in which the algorithms employ a pair of keys (a public key and a private key) and use a different component of the pair for different steps of the algorithm,
Auditing: Auditing is the information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities.
Authentication: Authentication is the process of confirming the correctness of the claimed identity.
Authorization: Authorization is the approval, permission, or empowerment for someone or something to do something.
Backdoor: A backdoor is a tool installed after a compromise to give an attacker easier access to the compromised system around any security mechanisms that are in place.
Brute Force: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one.
Cache: Pronounced cash, a special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.
Confidentiality: Confidentiality is the need to ensure that information is disclosed only to those who are authorized to view it.
Cryptography: Cryptography garbles a message in such a way that anyone who intercepts the message cannot understand it.
Data Encryption Standard (DES): A widely used method of data encryption using a private (secret) key. There are 72 quadrillion or more possible encryption keys that can be used. For each given message, the key is chosen at random from among this enormous number of keys. Like other private key cryptographic methods, both the sender and receiver must know and use the same private key.
Decryption: Decryption is the process of transforming an encrypted message into its original plaintext.
Denial of Service: The prevention of authorized access to a system resource or the delaying of system operations and functions.
Dictionary Attack: An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations.
Eavesdropping: Eavesdropping is simply listening to a private conversation, which may reveal information, which can provide access to a facility or network.
Encryption: Cryptographic transformation of data (called “plaintext”) into a form (called “cipher text”) that conceals the data’s original meaning to prevent it from being known or used.
Flooding: An attack that attempts to cause a failure in (especially, in the security of) a computer system or other data processing entity by providing more input than the entity can process properly.
Hardening: Hardening is the process of identifying and fixing vulnerabilities on a system.
Hash function: An algorithm that computes a value based on a data object thereby mapping the data object to a smaller data object.
Hybrid attack: A hybrid attack builds on dictionary attack method by adding numerals and symbols to dictionary words.
Integrity: Integrity is the need to ensure that information has not been changed accidentally or deliberately, and that it is accurate and complete.
Intrusion Detection: A security management system for computers and networks. An IDS gathers and analyses information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization).
IP Spoofing: The technique of supplying a false IP address.
Malicious Code: Software (e.g., Trojan horse) that appears to perform a useful or desirable function, but actually gains unauthorized access to system resources or tricks a user into executing other malicious logic.
Masquerade Attack: A type of attack in which one system entity illegitimately poses as (assumes the identity of) another entity.
Non-Repudiation: Non-repudiation is the ability for a system to prove that a specific user and only that specific user sent a message and that it hasn’t been modified.
Null Session: Known as Anonymous Logon, it is a way of letting an anonymous user retrieve information such as user names and shares over the network or connect without authentication. It is used by applications such as explorer.exe to enumerate shares on remote servers.
One-Way Encryption: Irreversible transformation of plaintext to cipher text, such that the plaintext cannot be recovered from the cipher text by other than exhaustive procedures even if the cryptographic key is known.
One-Way Function: A (mathematical) function, f, for which it is easy to compute the output based on a given input. However, given only the output value it is impossible (except for a brute force attack) to figure out what the input value is.
Password Cracking: Password cracking is the process of attempting to guess passwords, given the password file information.
Password Sniffing: Passive wiretapping, usually on a local area network, to gain knowledge of passwords.
Penetration: Gaining unauthorized logical access to sensitive data by circumventing a system’s protection.
Plaintext: Ordinary readable text before being encrypted into cipher text or after being decrypted.
Port Scan: A port scan is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a “well-known” port number, the computer provides.
Pretty Good Privacy (PGP): Trademark of Network Associates, Inc., referring to a computer program that uses cryptography to provide data security for electronic mail and other applications.
Promiscuous Mode: When a machine reads all packets off the network, regardless of whom they are addressed to. This is used by network administrators to diagnose network problems, but also by unsavoury characters who are trying to eavesdrop on network traffic (which might contain passwords or other information).
Public Key: The publicly disclosed component of a pair of cryptographic keys used for asymmetric cryptography.
Public Key Infrastructure (PKI): A PKI enables users of a basically unsecured public network such as the Internet to securely and privately exchange data and money through the use of a public and private cryptographic key pair that is obtained and shared through a trusted authority. The PKI provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.
Role Based Access Control: Role based access control assigns users to roles based on their organizational functions and determines authorization based on those roles.
Root: Root is the name of the administrator account in UNIX systems.
Security policy: A set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.
Session: A session is a virtual connection between two hosts by which network traffic is passed.
Session Key: In the context of symmetric encryption, a key that is temporary or is used for a relatively short period of time. Usually, a session key is used for a defined period of communication between two computers, such as for the duration of a single connection or transaction set, or the key is used in an application that protects relatively large amounts of data and, therefore, needs to be re-keyed frequently.
Sniffer: A sniffer is a tool that monitors network traffic as it is received in a network interface.
Symmetric Cryptography: A branch of cryptography involving algorithms that use the same key for two different steps of the algorithm (such as encryption and decryption, or signature creation and signature verification). Symmetric cryptography is sometimes called “secret-key cryptography” (versus public-key cryptography) because the entities that share the key.
Symmetric key: A cryptographic key that is used in a symmetric cryptographic algorithm.
Trojan Horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
Vulnerability: A flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s security policy.
Wiretapping: Monitoring and recording data that is flowing between two points in a communication system.
