WeekEnd Feature: Passwords: how do you choose yours?

by Ian Thompson, CCSP Staff Editor
January 31, 2004


Passwords, passwords, passwords. So many to remember. Many of us have a PIN for our bank card, another for our credit card, access codes for our cell phone SIMs, home alarms, telephone subscription accounts and so on. Actual passwords – well, you get issued those at MI6 and certain secret mountain locations in Virginia, most places you sign up for membership on the Internet, plus those handy ones to access email accounts and your ISP in the first place. Luckily, your PC remembers those.

Whoa, there! Steady on…!
Did I really say ‘luckily’ there? Quick re-read. Yup – must have been a lapse or something. After all, there are enough password stealers out there in Trojanland just waiting to log keystrokes, or intercept the data packets flying about. Anyway, suppose the PC was stolen?

Given the choice, most people pick easy codes or passwords to save having to strain the old grey cells too much. And this is the downfall for most of us. Even more frightening, many people choose to set as many of their passwords or key codes to the same thing – even easier to remember!

That’s like having one key for every lock in your house.


Easy does it.
Now, look at it from the other point of view. If a) the password is easy to remember and b) it’s also used universally, then it’s pretty weak security. If this is you, then you’ve made it a lot easier for someone to break your ‘secure’ ID. Banks, ISPs and the like only know you by a series of codes – okay, so ISPs could also use caller line identification (CLI) to verify you’re calling from your own phone (whether fixed or mobile), and banks rely on physical things like cards as well, but these are just another way of carrying numbers with you. Your bank doesn’t recognise your voice and that web cam isn’t used by your ISP in a sort of ‘Whiz Kids’ kind of way, (don’t tell me you’re not up on all that 80’s ‘computers can do anything’ TV show hype…). Actually, some of the techniques used in ‘Whiz Kids’ (CBS; 1983-84) weren’t so far from the mark, like password phreaking and war-dialling, but to say the lead character could build a system that did all those things from cast-off bits that dad brought home is a bit too TV for me.

Now, maybe ‘The Prisoner’ had it hopelessly wrong – we are all now numbers and, apart from those known to us, like family, colleagues and associates, we are not real people in the tangible sense. And, as numbers, things are a little too easy to be faked.


Social Engineering
This lovely phrase is often used when someone means just plain old ‘mugged over’. Spammers etc. make something devious sound familiar enough so that the recipient actually opens it – i.e. using our own social tendencies (like having friends, or family, or just talking to the postman or corner shop owner) to engineer an action. When emails started to carry HTML and other code, they could be made to carry out actions just by being viewed – which is why the Preview Pane in Outlook and OE should never be left on.

That initial surge of systems being compromised just by displaying a message soon tailed off, and those wishing us to run their tricky Trojans and vile viruses packaged in emails had to get us to open them in some other way. So they send messages out with subjects like “Hi…”, “Missing you…” and “You are a winner!” using names that sound vaguely plausible (although I have to say that the recent one arriving here from ‘Idaho K. Utility’ missed the mark somewhat). However, once run, the end result is the same – a compromised system.

Tips:
Turn off the Preview Pane (‘View’ – ‘Layout’ on OE).
Never use the ‘Delete’ icon (the fancy ‘X’) in the header bar of emails – this simply moves to the next one on the list and opens it – delete unwanted messages directly from the Inbox view.
Set your email to use plain text rather than HTML.


Free stuff!
Another way for password stealers to get around is through the craze popularly known as ‘getting stuff for free’, or more commonly called theft. Still, if there’s no victim, what’s the crime? And Sony makes so much money, what do they care if we copy a few songs??

The problem is, malware writers know that kids (and I’m not talking in chronological terms here – who do you think buys most of the Playstations?) have a pathological aversion to being separated from their cash. Therefore, they provide cheats, songs, whole games and even DVD images for these discerning user/choosers. Only problem is, apart from straight MP3 files, most of these are packaged with a few ‘extras’ (and I may be proved wrong about the MP3s). Anyway, the weaknesses in using peer-to-peer (P2P) file-swapping tools like KaZaA, Grokster and eDonkey are widely documented, so that simply having these running is a risk in itself.

Anyway, the point is, password stealers are easy to, erm, ‘collect’.


Other methods
Often, a hacker doesn’t even need to use password stealers – people make it much easier than that. Take the story of a UK hacker arrested a couple of years back for his illegal meanderings through some such web site or other – a US military system, IIRC. Left alone in the processing room of the police station, he noticed that the nearby PC had the username and password on a Post-It stuck to the monitor. A few minutes later, he’d bailed himself (well, that’s what the computer told the desk sergeant…). This isn’t an urban myth – I actually recall reading about it. It even made TV in a show about hacking.

You see, so many people set ‘Hello’, ‘Password’, ‘Computer’, ‘Windows’ or even just a blank line that there are a couple of hundred likely words a hacker will try first. If the target is ‘lucrative’ enough, then slightly more devious routes often yield results, like the date of birth of the user, or of the user’s partner, or their mother’s maiden or middle names. Public records are great for this kind of stuff.

What about other words? Well, if it exists in a dictionary, a modern PC can run through the 100,000 or so words in seconds. Here’s another story. I was helping set up projects at various schools across the city back in 1995, one of which was at the school where I trained as a teacher. The ICT co-ordinator, let’s call him ‘Elvis’, was one of those guys who used one password for most stuff. We (the university staff and I) created an account for him, gave him a 28.8Kbps USR modem and set a PC to dial straight into the Unix boxes deep in the bowels of the Computer-based Learning department. Sure enough, he used the same password.

Now, even back then, the Unix guru who lurked unseen in the shadows ran a password cracker within the system, checking user accounts for weak passwords and so on. Within a week, Elvis got an email to say his password was cracked. You see, even though ‘Alicante’ is a town in Spain, (and this is the local spelling at that – most English dictionaries would give it two ‘L’s), it is still a real word. I’ve not had that email yet…


Help is at hand
These days, strong-password checking is an option on most servers that control domains. In addition, any good SysAdmin will prevent zero-length passwords, set a minimum length, have passwords expire on a regular basis, prevent reuse of recent passwords, and lock accounts after several failed attempts. Lockouts cut both ways, mind: anyone who can guess usernames can lock legitimate users out on purpose, so a lockout should be temporary and every failed attempt logged.
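As an added example (not the article’s or CastleCops’ code), here are the controls just described modelled in Python: no empty passwords, a minimum length, expiry, rejection of recently used passwords, and a temporary lockout after repeated failures. The in-memory account store, the salted PBKDF2 hashing and all of the threshold values are assumptions chosen for the demo; a real domain controller has its own.

```python
"""Account password policy demo (added example, not the article's or CastleCops' code).

Implements the controls the article lists: no zero-length passwords, a minimum
length, regular expiry, no reuse of recent passwords, and lockout after several
failed attempts.  Thresholds, the in-memory store and the PBKDF2 parameters are
assumptions for this demo.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 10                    # assumed policy values
MAX_AGE_SECONDS = 90 * 24 * 3600   # passwords expire after 90 days
HISTORY_DEPTH = 5                  # the last N passwords may not be reused
LOCKOUT_THRESHOLD = 5              # failures before lockout
LOCKOUT_SECONDS = 15 * 60          # temporary, so it cannot be turned into a permanent DoS
PBKDF2_ROUNDS = 100_000            # slows offline guessing if the store ever leaks


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so equal passwords do not produce equal digests."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PolicyError(ValueError):
    pass


class Account:
    def __init__(self, username: str, password: str, now: float = 0.0):
        self.username = username
        self.history = []          # (salt, digest) pairs, newest last
        self.changed_at = now
        self.failures = 0
        self.locked_until = 0.0
        self.set_password(password, now)

    def violations(self, password: str) -> list:
        """Policy checks; returns a list of reasons (empty means acceptable)."""
        if not password:
            return ["empty password"]
        reasons = []
        if len(password) < MIN_LENGTH:
            reasons.append(f"shorter than {MIN_LENGTH} characters")
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_password(password, salt), digest):
                reasons.append("password was used recently")
                break
        return reasons

    def set_password(self, password: str, now: float) -> None:
        reasons = self.violations(password)
        if reasons:
            raise PolicyError("; ".join(reasons))
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.changed_at = now
        self.failures = 0

    def login(self, password: str, now: float) -> str:
        """Returns 'ok', 'expired', 'locked' or 'bad'."""
        if now < self.locked_until:
            return "locked"        # do not even verify while locked
        salt, digest = self.history[-1]
        if not hmac.compare_digest(hash_password(password, salt), digest):
            self.failures += 1
            if self.failures >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failures = 0
            return "bad"
        self.failures = 0
        if now - self.changed_at > MAX_AGE_SECONDS:
            return "expired"       # right password, but the user must change it
        return "ok"


if __name__ == "__main__":
    acct = Account("elvis", "Alicante-2004!x", now=0.0)
    print(acct.violations("Alicante"))                        # too short
    for _ in range(LOCKOUT_THRESHOLD):
        print(acct.login("alicante", now=10.0))               # bad, five times
    print(acct.login("Alicante-2004!x", now=11.0))            # locked
    print(acct.login("Alicante-2004!x", now=11.0 + LOCKOUT_SECONDS))  # ok
```

The time is passed in rather than read from the clock so that expiry and lockout can be exercised deterministically; in a real service it would come from the system clock.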

One tip is to use more than 10 characters in a mixture of upper and lower case, digits and some of the symbol set, including the Shift-key symbols around the Return key. Every extra character class a brute-force attack has to cover multiplies the guesses needed per position, and every extra character multiplies the total again, which is why length counts for most. Most systems treat passwords as case-sensitive, so ‘hELLo’ is a different password from ‘HellO’. Deliberate misspellings (‘heoll’) or substituting numbers for letters (‘he11o’) will fox the simplest dictionary scanners, but bear in mind that any half-decent cracker applies exactly these ‘mangling’ rules (case toggles, letter-to-digit swaps, appended years) to every dictionary word as a matter of course, so they buy far less protection than a couple of extra, unrelated words would.
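The cracker the Unix guru ran, and the reason ‘hELLo’ and ‘he11o’ are weaker than they look, as an added example rather than anything from the article or CastleCops: a small offline dictionary audit in Python that applies mangling rules (case toggles, partial letter-to-digit substitutions, appended digits and years) to each wordlist entry and tests every candidate against a constructed shadow-style list. The salted SHA-256 hash format, the sample accounts and the tiny wordlist are assumptions made so the demo runs offline; a real audit would use the system’s own hash format and a wordlist of hundreds of thousands of entries.

```python
"""Offline dictionary audit with mangling rules (added example, not the article's code).

The hash format (sha256 over salt || password), the wordlist and the sample
accounts are assumptions so the demo runs offline; a real audit uses the
system's hash format and a far larger wordlist.
"""
import hashlib
import itertools

# Constructed wordlist: a few of the 'couple of hundred likely words' plus dictionary entries.
WORDLIST = ["password", "hello", "computer", "windows", "letmein", "alicante", "leeds"]

# Rule: append nothing, a digit, a common tail, or a year (birth years are popular).
SUFFIXES = ([""] + [str(n) for n in range(10)] + ["123", "!", "1!"]
            + [str(y) for y in range(1950, 2011)])

# Rule: letter-to-digit swaps, applied to any subset of positions.
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}


def case_variants(word: str) -> set:
    """Every upper/lower combination for short words; three common forms otherwise."""
    if len(word) > 8:
        return {word.lower(), word.upper(), word.capitalize()}
    return {"".join(c) for c in itertools.product(*[(ch.lower(), ch.upper()) for ch in word])}


def leet_variants(word: str) -> set:
    """Every partial substitution, so 'he11o', 'h3llo' and 'h3110' all appear."""
    choices = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word.lower()]
    return {"".join(c) for c in itertools.product(*choices)}


def candidates(word: str):
    """Mangled forms of one wordlist entry, each tried with every suffix."""
    for base in case_variants(word) | leet_variants(word):
        for suffix in SUFFIXES:
            yield base + suffix


def hash_password(password: str, salt: bytes) -> str:
    # Assumed storage format for the demo: hex sha256 over salt || password.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_entry(username: str, password: str, salt: bytes) -> tuple:
    """Build a shadow-style record (username, salt, digest) for the demo."""
    return (username, salt, hash_password(password, salt))


# Constructed accounts; salts are fixed so the run is reproducible.
SHADOW = [
    make_entry("elvis", "Alicante", b"s1"),               # dictionary word, capitalised
    make_entry("bob", "he11o", b"s2"),                    # digits for letters
    make_entry("carol", "hELLo", b"s3"),                  # odd capitalisation
    make_entry("dave", "computer1984", b"s4"),            # word plus a birth year
    make_entry("erin", "Gr33n-kettle*Leeds-9", b"s5"),    # 20 chars, not a mangled word
]


def audit(entries) -> dict:
    """Return {username: recovered password} for every entry some candidate matched."""
    cracked = {}
    for username, salt, digest in entries:
        for word in WORDLIST:
            hit = next((c for c in candidates(word) if hash_password(c, salt) == digest), None)
            if hit is not None:
                cracked[username] = hit
                break
    return cracked


if __name__ == "__main__":
    for user, pw in audit(SHADOW).items():
        print(f"{user}: {pw}")
```

Run it and ‘Alicante’, ‘he11o’, ‘hELLo’ and ‘computer1984’ all fall within seconds on a laptop; the 20-character passphrase survives not because of clever spelling but because no rule turns a wordlist entry into it.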
There are, of course, password ‘vaults’ – programs that use encryption to protect a list of sensitive items. Examples include any number of utilities with the words ‘password vault’ in their titles – 162K hits for that listed on Google alone. Problem is, these need a password of their own to gain entry – back to square one, only this time it’s like having a key to unlock the box holding the rest of the house keys… The difference worth noting is that it is one key: a vault lets every other password be long and random, and a decent vault stretches the master password through a slow key-derivation function before using it, so the one password you do memorise had better be the strongest of the lot.
Of course, you could just try to learn them all… ;D

Ian Thompson is a Network Manager of a 500-PC, 9-server, 1700-user school network and is an ICT teacher at a UK high school near the city of Leeds. He has written articles for the Hutchinson Encyclopedia, plus many resources in support of teaching ICT in the UK schools' National Curriculum.



Copyright © Ian Thompson 2004
Posted on Saturday, 31 January 2004 @ 09:15:00 UTC by phoenix22 (4002 reads)