Truth 45 Crack-proofing your passwords

My three-year-old son likes to play a game with me that he calls What’s the Password? This game consists of him standing in a doorway with his arms stretched out to block access through it. He then asks me for the password, and if I get it correct, I am allowed to pass. I am, of course, expected to want to go through this same door dozens of times in a row, each time being forced to answer the challenge. To date, there is still only one correct response that he will accept to open the gate. That word is password.

At first I found this funny and played along. However, it has been going on for a couple of months now, and quite honestly, I am starting to get a little concerned. What if my son ends up being one of those kinds of people? You know the types—the ones who use qwerty, asdfgh, and password as their password. What if, instead of following the password guidelines of alphanumeric, upper- and lowercase with a minimum of eight characters, my son is one of those people whose password is simply his name backward? Or what if he uses the password admin for the admin account or toor for the root password?

Over the past several years, I have run across these passwords, or others that are just as bad, at one customer site or another. Often, I have found them just by taking a stab in the dark, even without a password-cracking tool. And now it seems my son is on this same destructive path of becoming a password degenerate. Passwords have always been the strong and weak point of security. Strong passwords generally indicate stronger security, while weak passwords lead to system compromise. So why do passwords fail to protect so many users and organizations? To answer that, you have to look at a much bigger picture.

Poorly designed passwords

When a password is created without the help of an automated tool, most people choose things that are easy to remember. Sometimes it’s the first letter of several words. In other cases, people use dates, such as an anniversary or birth date. Though these can be used in a way to create a solid password, more times than not, these creations are done incorrectly. A person’s name with a date at the end, such as Jim1970, will be found by almost every password cracker in existence.

The password January1970 is equally bad. A simple, yet effective, way to find out just how easy it is to crack a password is to download a program called L0phtCrack. A quick Google search on the Internet can give you several links to the software. This program looks through your Windows password registry and cracks the passwords, generally in minutes. In addition, this program can monitor the network and pick up NT passwords off the wire.

To be fair, this program does take advantage of some issues with Microsoft’s security. But a strong password can hold its own for a long time against such a program.

Brute-force crackers

Brute-force crackers generally come in two designs. The first is based on word lists. These lists contain thousands of words that an automated program attempts to use against an account. UNIX systems and routers are generally most vulnerable to these types of attacks since most do not lock out an account after a set number of failed attempts. The cracker just keeps sending over word after word to use as the password until the program lets it in. These complete lists have many variations of the same word, such as root and r00t. By changing letters such as O with the number zero or I with the number one, often people think they are being crafty. Though these tricks may work in some cases to protect you, they are not recommended.
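To show why the examples above (qwerty, Jim1970, January1970, toor, r00t) fall so quickly, here is an added policy check, written for this page and not taken from the book or from any cracking tool. It assumes a small constructed word list standing in for the thousands of entries a real list carries, and it undoes the O-to-zero and I-to-one substitutions before comparing, exactly as a word-list cracker would.

```python
import re

# Constructed stand-in for a cracker's word list; a real one has thousands of entries.
WORD_LIST = {"password", "qwerty", "asdfgh", "admin", "root", "toor",
             "january", "jim", "letmein", "welcome"}

# Substitutions a cracker reverses before matching (O->0, I->1 and friends).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Lowercase and undo leetspeak so that r00t compares equal to root."""
    return pw.lower().translate(LEET)


def check_password(pw: str, user_name: str = "") -> list:
    """Return the reasons a password would be found quickly; empty if none."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
            and re.search(r"[0-9]", pw)):
        problems.append("missing lowercase, uppercase or digit")

    lower = pw.lower()
    stem = re.sub(r"\d+$", "", lower)        # Jim1970 -> jim, January1970 -> january
    forms = {lower, normalize(lower), stem, normalize(stem)}
    if forms & WORD_LIST:
        problems.append("dictionary word, possibly with digits appended")
    if user_name:
        u = user_name.lower()
        if stem in (u, u[::-1]):              # account name or the name backward
            problems.append("based on the account name or its reverse")
    if re.fullmatch(r"(.)\1*", lower):
        problems.append("single repeated character")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Jim1970", "January1970", "r00t", "toor", "Tq7v!Lp9xR2"):
        print(f"{pw:14} {check_password(pw, 'jim') or 'no obvious weakness'}")
```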

The second type of brute-force software is based on an algorithm. If a hacker has all the time in the world, this is generally guaranteed to work. The automated program simply tries every letter combination until it finds the correct match. For example, if the program has been set up to know that the minimum password length is three, it starts out with aaa. It then submits aab, then aac, and so on, and so on. Again, this is time-consuming, and these crackers can be complex and capable of using hundreds of computers at the same time to run the cracks.

If a hacker is performing this kind of attack against a static password on your server, he will eventually gain access. Of course, in that case, one would hope you have some sort of security in place to monitor the total number of failed attempts to log in. But that’s a whole other matter.

With this type of attack, bigger is generally better. Minimum password length becomes an important part of the equation. Obviously, eight characters instead of five characters requires hundreds of thousands of additional attempts and reduces the likelihood the password will be cracked.
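The enumeration described above (aaa, aab, aac, and so on) and the effect of minimum length on it, as an added worked example that is not from the book. It enumerates candidates in that order, computes how many guesses an exhaustive cracker makes before reaching a given password, and compares the five- and eight-character search spaces for the alphanumeric, mixed-case alphabet; the guess rate in the demo is a constructed figure.

```python
import itertools
import string

ALNUM = string.ascii_lowercase + string.ascii_uppercase + string.digits   # 62 symbols


def candidates(alphabet: str, min_len: int, max_len: int):
    """Yield every candidate in cracker order: all strings of min_len first
    (aaa, aab, aac, ...), then min_len + 1, up to max_len."""
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of guesses needed to exhaust every length in the range."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def attempts_to_find(target: str, alphabet: str, min_len: int) -> int:
    """Guess count at which an exhaustive cracker reaches `target`.
    Computed as a mixed-radix number, so it works for spaces far too
    large to enumerate; the result matches candidates() position-for-position."""
    if len(target) < min_len or any(c not in alphabet for c in target):
        raise ValueError("target lies outside the search space")
    base = len(alphabet)
    before = keyspace(base, min_len, len(target) - 1)   # shorter lengths exhausted first
    index = 0
    for ch in target:
        index = index * base + alphabet.index(ch)
    return before + index + 1


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of exactly `length` characters."""
    return keyspace(alphabet_size, length, length) / guesses_per_second


if __name__ == "__main__":
    lower = string.ascii_lowercase
    print("aac is guess number", attempts_to_find("aac", lower, 3))
    rate = 1e9   # constructed guess rate, one billion per second
    for n in (5, 8):
        print(f"{n} chars from {len(ALNUM)} symbols: {keyspace(62, n, n):,} guesses,"
              f" {seconds_to_exhaust(62, n, rate):,.0f} s at {rate:.0e}/s")
```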

Put old passwords out to pasture

Once people find the perfect password, the next problem is letting go. Simply put, you need to change passwords periodically. I have read policies in corporations that range from 30 days to 6 months. I like the 90- to 120-day range. Yes, I know it’s hard to remember new passwords, and I am the first to admit I have broken this rule on more than one occasion. However, if you are looking for a truly secure environment, this strategy should be mandatory. By the way, bouncing between two passwords over and over is not changing your password. It’s a sly loophole, but you are only putting yourself and your organization at risk.

One suggestion I have is to change portions of your current password. By keeping four of the original characters and changing the other four, you increase your chances of remembering the password while still changing it enough to be secure. Then, at the next change, replace characters that were carried over from the previous password. Over time, your entire password changes, while you are only required to remember four new characters each time.

Even though most any password can be cracked if the thief puts enough time into it, any attack that requires a large amount of resources puts a hacker at risk of being caught and can set off alarms on the network.
