
The Perils of Passwords


Of all the network security concepts (confidentiality, authentication, integrity, authorization, non-repudiation, availability, and policy), authentication is arguably the most important. While some applications are exceptions, authentication is often the basis for effectively establishing other security services.

Authentication systems provide some mix of validating three types of authenticators: something you know (shared secrets - passwords, pins, etc.), something you have (passport, token, digital certificate, etc.), and something you are (biometric - fingerprint, retinal scan, face recognition, etc.).

Strong authentication systems combine two or more types of authenticators. Password systems are generally the least expensive of the three, and therefore often found within any combination.

The vast majority of network authentication mechanisms in use today are password-only systems, which are considered weak authentication. These industry labels can be misleading, however, as the relative strength of a system depends on details of the implementation.

In any case, password systems play an important role in our lives everyday, and will continue to do so for the foreseeable future. Unfortunately, passwords suffer from a cruel paradox.

To be convenient to use, passwords must be easy to remember. To be effective as an authenticator, they must be difficult to guess.

To be easy to remember, passwords should be short, simple, familiar, re-used in each different system one encounters, and never changing. To be difficult to guess, passwords should be long, complicated, unrelated, unique to each system encountered, and frequently changing. Most password systems require at least some minimum length, and often add other minimum requirements as well. One consequence is that end users are no longer able to remember the password easily, which may force them to write it down. The end result may be a less secure system.

A little training on how to develop and use passwords goes a long way toward maximizing the effectiveness of the system overall. With little effort, users can learn techniques to develop passwords that are easy to remember, yet very difficult to guess (crack). A few guidelines on how to manage multiple passwords add significant benefit as well.

Combining some basic memory techniques, like mnemonics, with anticipation of the types of passwords one has to remember can help just about everyone develop a personal system of strong passwords. What follows are some guidelines and techniques to help develop such a system.

Types

Some passwords, namely PINs, are limited to four or six digits with only numeric values accepted. Most passwords allow for a length of at least eight characters, and accept a combination of numeric, alphanumeric, and special (~!@#$%^&*, etc.) characters.

PINs often protect some of our most precious assets, such as our bank accounts. PINs are also often used to protect web-access for services that have corresponding access through the telephone network via integrated voice response units, such as airline frequent flier accounts, 401K investment accounts, etc. And PINs are also often used to secure very simple and low risk assets. Develop at least two PINs, but not more than three, that can be used to access these accounts. If you limit all your PINs to a single PIN, you end up handing out the code that protects your bank account to individuals on the web running perhaps less-than-reputable sites. If you try to generate a unique PIN for each system that requires one, you run the risk of constantly forgetting which PIN goes with which system, or having to write the PINs down in one central spot. In the end, it is good policy to develop only two or three different PINs, and categorize them as high-value, low-value, and mid-value, if needed.

Similarly, users should develop a series of different passwords that can be used across various applications, depending on the value of the assets that the passwords protect. For example, almost everyone has to maintain many different passwords for all of the systems they access. These normally include such things as:

PC (BIOS)
Network Operating System (NT Domain, NetWare, LotusNotes, etc.)
Internet PPP Dialup
POP3 Email account(s)
Web commerce sites (Amazon, travel sites, etc.)

And may also include systems such as:

FTP accounts
Any website with personalized content
Digital Certificate private key protection
And many, many other systems

If one were to use the same password for all systems, security risks are introduced by the fact that each different system must store the password you have chosen, and a single breach of security in one system could compromise the security on all of your accounts. Therefore, it is sound security policy to develop at least three series of passwords, categorized as high-value, mid-value, and low-value passwords.

Since many high-value systems impose restrictions on how long a user may keep the same password, and also on how soon an old password may be re-used, it is quite useful to develop a series of passwords for each category. Each password in the series is related to the others, to maximize the user's ability to remember each of them without writing them down. However, each password in the series should be sufficiently different from the others to minimize the ability to guess any of the other passwords in the series if one is compromised.

Password Development Techniques

PINS

Do not choose PINs from series of numbers that are commonly associated with your identity, such as your street address, birthday, zip code, or the last four digits of your social security number.

DO choose PINs in a manner that makes them unlikely to be generated by any automated method using data commonly associated with your identity. Here are two methods you may find useful in meeting this objective.

Product Name or Number
Think of a product name that contains a number that might make a good basis for a PIN. For example, perhaps your household used Formula 409 cleaner. To develop a four digit PIN, think "F409". Then use the telephone touchpad mappings of alpha characters to numerics to convert the "F" into a number. On the telephone touchpad, the letter "F" is found on the number "3". So the four digit PIN for the mnemonic "Formula 409" becomes "3409". As another example, let's say your home computer printer is an HP Deskjet 420C. Use the same number conversion process to convert the "C" to a "2", and develop the PIN "4202".

Four-letter words
No, these are not necessarily naughty words, but simply an easy to remember combination of four letters that do not relate directly to information specific to your identity. In fact, the words do not necessarily have to be limited to four letters; perhaps you just take the first four letters of another word. These could be the first four letters of the last name of your favorite teacher from elementary school, or the employer of your father when you were growing up, or just about anything that is easy to remember, but not directly associated with you. For example, perhaps the TV station that broadcast your favorite Saturday morning cartoons as a kid was WXIA. Use the telephone touchpad conversion method to convert "WXIA" into "9942". Or perhaps your father was employed by Alcoa when you were growing up - convert "ALCO" to "2526".

Use these methods to develop at least two, perhaps three, different PINs. Use one PIN to secure your high-value assets, such as your bank PIN, or access to an online 401K account. Use the other PINs for all mid-value or low-value PIN needs. And finally, use PINs only where the system requires them - do NOT use PINs in place of passwords if the system supports passwords.

Passwords

Do not choose passwords based on common dictionary words, or any words or names directly associated with your identity (such as mother's maiden name, child's name, etc.). Do not choose short passwords (less than six characters) unless the system does not allow otherwise.

Do choose passwords that:

Use a mix of upper and lower case letters
Use a mix of numeric characters with alpha characters
Include special characters, when possible
Are as long as practical, preferably at least eight characters

Here are some methods for generating easy to remember, yet hard to guess, passwords.

"Acronymize" a Phrase
Choose a phrase that is easy to remember, such as a famous saying, a song lyric, or a line from a nursery rhyme. Take the first letter from each word in the phrase to develop an acronym. For a simple example, the phrase "Jack and Jill went up the hill" would convert to "jajwuth", and then for added strength, carry the capitalization and spell out the last word as well to develop "JaJwuthill". Then use some of the techniques below to strengthen it even further.

Special Character Substitution
Many special characters are already associated with particular words, and it is not difficult to associate other characters with other common words. See the following list for some examples:

@ - at
& - and
# - number or amount
* - star or all
$ - dollar or cost
( - left
% - cents or since
) - right
^ - up or raised
~ - about

Using this technique, many common phrases can be converted to passwords that include special characters. In the example above, the password would become J@Jw^thill.

Number Letter Substitution
Many letters in the alphabet share a resemblance to numbers in printed form. See the following examples:

1(one) and l (lower case L)
3 and E
5 and S
8 and B
0 (zero) and O (capital letter o)

In this technique, substitute the numeric character for any letters in your developed password that have a corresponding numeric. In the example from above, J@Jw^thill (ending in two lower case Ls) would convert to J@Jw^thi11 (ending in two ones).

At this point, this example is sufficiently strong for even the most valuable password systems. It meets all of the desirable requirements listed above, and would resist all but the most onerous brute-force password cracking methods.

A slight variation on this theme is Number Word Substitution. When a phrase contains a word that is a number, use the number instead of the first letter of the word. So the phrase "Cats have nine lives" would be "ch9l", instead of "chnl". Other variations include Word Number Substitution, where numbers may replace homophones or partial homophones. For example, "ate" may be replaced with "8", "for" with "4", or "tennis" with "10s", and Word Letter Substitution, where letters may replace homophone words, such as "r" for "are", "u" for "you", etc.

Simply to reinforce these concepts, follow the development of some other similarly strong passwords (and series of passwords) using the same techniques.

"Four score and seven years ago today"

A combination using most of the techniques described above yields "4s&7yat". To make it just a bit stronger, spell out "today", and use the Number Letter Substitution technique to end up with "4s&7yat0day". For another variation, spell out "score" instead of "today", and use the Number Letter Substitution technique, to end up with "4sc0re&7yat". In fact, each of these passwords may make up a related series, as described in the next section.

"I can't believe I ate the whole thing"

Again, using the techniques described above, this phrase can be quickly converted to "Ic8I8twt" (notice the "B" in believe is converted to an "8"). And yet another variation is to reverse the capitalization, to end up with "iC8i8TWT".
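The PIN and password derivation steps above (the keypad conversion from the PINs section, and the acronymize, special-character, number-word and number-letter substitutions from this section), implemented as an added Python example that is not code from the original article. It also checks a result against the four "Do choose passwords that" guidelines. The keypad layout (2=ABC through 9=WXYZ) and the per-example choice of which letters to digitize are assumptions; note that the substitution table maps "and" to "&", so the Jack-and-Jill phrase comes out as J&Jw^thi11 here, whereas the worked example in the text shows "@" in that position.

```python
import string

# Assumed telephone keypad layout; the text only gives F->3, C->2, WXIA->9942, ALCO->2526.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}

# Word-level substitutions taken from the article: the special-character table,
# number words, and the homophone examples (ate->8, for->4, tennis->10s, are->r, you->u).
WORD_SUBS = {
    "at": "@", "and": "&", "number": "#", "amount": "#", "star": "*", "all": "*",
    "dollar": "$", "cost": "$", "left": "(", "cents": "%", "since": "%",
    "right": ")", "up": "^", "raised": "^", "about": "~",
    "one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
    "six": "6", "seven": "7", "eight": "8", "nine": "9", "ten": "10",
    "ate": "8", "for": "4", "tennis": "10s", "are": "r", "you": "u",
}

# Letters that resemble digits in print (the Number Letter Substitution list).
LETTER_DIGITS = {"l": "1", "e": "3", "s": "5", "b": "8", "o": "0"}


def keypad_pin(mnemonic):
    """Convert a PIN mnemonic such as 'F409' or 'WXIA' to digits via the keypad."""
    return "".join(LETTER_TO_DIGIT.get(ch.upper(), ch) for ch in mnemonic)


def number_letters(token, letters):
    """Replace the chosen look-alike letters in one token with digits (any case)."""
    return "".join(LETTER_DIGITS[c.lower()] if c.lower() in letters else c for c in token)


def derive(phrase, spell_out=(), keep_case=False, word_subs=True, letters=()):
    """Acronymize a phrase: one token per word, which is its first letter, a
    substituted symbol/number (if word_subs), or the whole word when listed in
    spell_out.  Letters named in `letters` are then digitized in every token."""
    tokens = []
    for raw in phrase.split():
        word = raw.strip(string.punctuation)   # drop edge punctuation, keep "can't"
        if not word:
            continue
        key = word.lower()
        if word_subs and key in WORD_SUBS:
            token = WORD_SUBS[key]
        elif key in spell_out:
            token = word if keep_case else key
        else:
            token = word[0] if keep_case else key[0]
        tokens.append(number_letters(token, set(letters)))
    return "".join(tokens)


def unmet_guidelines(password):
    """Return the names of the 'Do choose passwords that' guidelines not met."""
    checks = {
        "mixed upper and lower case":
            any(c.isupper() for c in password) and any(c.islower() for c in password),
        "numeric with alpha characters":
            any(c.isdigit() for c in password) and any(c.isalpha() for c in password),
        "special characters": any(c in string.punctuation for c in password),
        "at least eight characters": len(password) >= 8,
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    for pin in ("F409", "420C", "WXIA", "ALCO"):
        print(pin, "->", keypad_pin(pin))
    examples = [
        derive("Jack and Jill went up the hill", spell_out={"hill"}, keep_case=True, letters="l"),
        derive("Four score and seven years ago today"),
        derive("Four score and seven years ago today", spell_out={"today"}, letters="o"),
        derive("Four score and seven years ago today", spell_out={"score"}, letters="o"),
        derive("I can't believe I ate the whole thing", keep_case=True, letters="b"),
        derive("Cats have nine lives"),
    ]
    for pw in examples:
        print(pw, "unmet:", unmet_guidelines(pw))
```

Running the guideline check over the article's own results is instructive: J&Jw^thi11 satisfies every guideline, while the base "4s&7yat" is short and has no upper-case letter, and the longer "4s&7yat0day" still lacks upper case. Reversing the capitalization, as done for "iC8i8TWT", is just `str.swapcase()` on the derived string.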

Due to the number of different systems that require passwords, users should develop at least two different base passwords, but not more than four. The strongest should be used for the most critical systems, such as your PC boot password, network login, and bank account web access systems. Use a different base password for mid-value systems, such as Internet dial-up accounts, POP3 email accounts, eCommerce websites, etc. And finally, use yet another base password for systems that require passwords but protect low-value assets, such as personal homepages, websites without commerce, etc.

Password Series
Many high-value password systems require that users change their passwords after a given amount of time. Further, these systems typically maintain a password history that prevents re-using a recently used password. When faced with this requirement, many users simply recycle through a number of "temporary" passwords until they are able to re-use their base password again. Such a strategy simply undermines the original security policy, and is not recommended. And finally, users may find that various high-value systems with these requirements have different timers, so it is likely that not all high-value systems will accept the same base password all the time.

Therefore, users should develop passwords in related series, such that the mnemonic used to remember the password is the same, but the technique used to derive each password is sufficiently different to prevent the other passwords in the series from being guessed.

An example of this technique can be found in the last section. Using the phrase "Four score and seven years ago today", we developed three different passwords:

4s&7yat
4s&7yat0day
4sc0re&7yat

These passwords are all different enough that given one, it would not be trivial to develop the others. Yet, they are all generated from the same mnemonic, so they are easy to remember.

It is recommended that passwords be developed in series, but with no more than three in any one series. Since many password systems "lock out" an account after three failed attempts, a user who is unsure which password in a series is current can still try each of them at a single prompt.
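One way to make the two series rules above concrete, as an added Python example that is not from the original article: measure how "different enough" the members of a series are with the Levenshtein edit distance, and reject a series that exceeds the three-password limit. The minimum distance of 4 is an assumed threshold chosen to accept the article's own "Four score" series; the sample series below are constructed from the text.

```python
def levenshtein(a, b):
    """Minimum number of single-character inserts, deletes or substitutions
    needed to turn string a into string b (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def series_report(passwords, min_distance=4, max_size=3):
    """Return (pairwise distances, list of problems) for a password series.
    min_distance and max_size are assumed thresholds: every pair must be at
    least min_distance edits apart, and the series holds at most max_size."""
    problems = []
    if len(passwords) > max_size:
        problems.append("series has %d passwords, limit is %d" % (len(passwords), max_size))
    distances = {}
    for i in range(len(passwords)):
        for j in range(i + 1, len(passwords)):
            d = levenshtein(passwords[i], passwords[j])
            distances[(passwords[i], passwords[j])] = d
            if d < min_distance:
                problems.append("%r and %r differ by only %d edit(s)"
                                % (passwords[i], passwords[j], d))
    return distances, problems


if __name__ == "__main__":
    # The article's "Four score and seven years ago today" series.
    good = ["4s&7yat", "4s&7yat0day", "4sc0re&7yat"]
    # A constructed series that only appends a counter, the pattern the text warns against.
    weak = ["4s&7yat", "4s&7yat1", "4s&7yat2"]
    for series in (good, weak):
        distances, problems = series_report(series)
        print(series, distances, problems or "OK")
```

A series whose members differ only by a trailing digit fails the distance check even though each member passes the length and character-mix guidelines, which is exactly the case the text is cautioning against.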

Summary

Passwords are by far the most common authenticator used in network security. Even when combined with other authenticators, passwords are prevalent in all authentication systems, and will continue to play an important role in the future.

Many users choose passwords very poorly, where the passwords are easy to guess and simple to crack. Given techniques to do so, users can develop exceptionally strong passwords that dramatically improve the security of the systems they are accessing.

Following the recommendations provided, users would develop three series of passwords, with three variations of the password in each series, for a total of nine passwords, plus a couple of PINs. However, using the mnemonics and password generation techniques described above, users should be able to remember each based only on a few simple phrases.

Users spending just a few minutes developing these passwords will help strengthen the overall security of the systems immeasurably. Further, these techniques can provide a framework for a user's entire password needs for years to come, and even make it simpler to remember passwords that may not have been used for years.

Systems restrict access with passwords to secure the system by authenticating users. However, the strength of the system depends on user behavior. Training users in password techniques is the single most cost-effective security measure, and one that is all too often overlooked. Simply enforcing "password rules", as administrators often do, may have the opposite effect.


For more information on training users for password systems,
contact Dalliesin.



Copyright 2001, 2002 Dalliesin, Inc. All rights reserved.
www.dalliesin.com