Better Secure Than Sorry! Neglected, Assumed and Hence Vulnerable Menace: Password Attacks
On July 16, 1998, CERT reported an incident where an attacker had found 186,126 encrypted passwords. By the time they were discovered, they had already cracked 47,642 passwords.
In December 2009, a major password breach of the Rockyou.com website occurred that led to the release of 32 million passwords. The cracker then leaked the full list of 32 million passwords (with no other identifiable information) to the Internet. Passwords were stored in clear text in the database and were extracted through an SQL Injection vulnerability.
In June 2011, NATO (North Atlantic Treaty Organization) experienced a security breach that led to the public release of first and last names, usernames, and passwords for more than 11,000 registered users of their e-bookshop. The data were leaked as part of Operation AntiSec, a movement that includes Anonymous, LulzSec, as well as other hacking groups and individuals.
On July 11, 2011, Booz Allen Hamilton, a large American consulting firm that does a substantial amount of work for the Pentagon, had their servers hacked by Anonymous and leaked the same day. “The leak, dubbed ‘Military Meltdown Monday,’ includes 90,000 logins of military personnel – including personnel from USCENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors.” These leaked passwords wound up being hashed in Sha1, and were later decrypted and analyzed by the ADC team at Imperva, revealing that even military personnel look for shortcuts and ways around the password requirements.
On July 18, 2011, Microsoft Hotmail banned the password “123456.” Surprisingly passwords such as “123456,” “password,” and “12345678” made it to the top three in the Worst Password List of 2013’ released by SplashData.
Confidentiality, integrity, and availability (CIA) triad is critical to guide policies for information security within an organization. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of ready access to the information by authorized people.
An attacker may exploit an unintended function on a web server and use the cgi-bin program “phf” to list the password file. Now, this would breach the confidentiality of this sensitive information (the password file). Then, in the privacy of his own computer system, the attacker can use brute force or dictionary-driven password attacks to decrypt the passwords. Then, with a stolen password, the attacker can execute an integrity attack when he gains entry to the system. And he can even use an availability attack as part of the overall effort to neutralize alarms and defensive systems, so they can’t report his existence. When this is completed, the attacker can fully access the target system, and all three dimensions (confidentiality, integrity, and availability) would be in jeopardy. Always think C-I-A.
One of the two most publicized threats to security is the intruder (the other is viruses), generally referred to as hackers or crackers. Anderson [ANDE80] identified three classes of intruders:
- Masquerader: An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account.
- Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized or who is authorized for such access but misuses his or her privileges.
- Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.
Intruder attacks range from benign to serious. At the benign end of the scale, there are many people who simply wish to explore a network to see the content. At the serious end, there are individuals who are attempting to read privileged data, perform unauthorized modifications to it, or disrupt the system.An analysis of password attacks revealed that there were two levels of hackers. The high level was a sophisticated user with a thorough knowledge of the technology; the low level was the ‘foot solders’ that merely used the supplied cracking programs with little understanding of how they worked. This teamwork combined the two most serious weapons in the intruder armory: sophisticated knowledge of how to intrude and willingness to spend countless hours ‘turning doorknobs’ to probe for weaknesses.
The front line of defense against intruders is the password system. Virtually all the multiuser systems require that a user provide not only a name or identifier (ID) but also a password. The password serves to authenticate the ID of the individual logging on to the system. In turn, the ID provides security in the following way:
- The ID determines whether the user is authorized to gain access to the system. In some system only those who already have an ID filed on the system are allowed to gain access.
- The ID determines the privileges accorded to the user. Few users may have ‘super-user’ status that enables them to read files and perform functions that are specially protected by the operating system. Some systems have guest or anonymous accounts, and the users of these accounts have more limited privileges than others.
- The ID is used in what is referred to as discretionary access control. For example, by listing the IDs of other users, a user may grant permission to them to read files owned by that user.
The ability to crack passwords using computer programs is also a function of the number of possible passwords per second, which can be checked. If a hash of the target password is available to the attacker, this number can be quite large. If not, the rate depends on whether the authentication software limits how often a password can be tried, either by time delays, CAPTCHAs, or forced lockouts after some number of failed attempts. Another situation where quick guessing is possible is when the password is used to form a cryptographic key. In such cases, an attacker can quickly check to see if a guessed password successfully decodes encrypted data.
Attempting to crack passwords by trying as many possibilities as time and money permit is a brute force attack. A related method, rather more efficient in most cases, is a dictionary attack. In a dictionary attack, all words in one or more dictionaries are tested. Lists of common passwords are also typically tested.
With regard to passwords, it’s simple: don’t use passwords that may be found in a dictionary. For enterprise and more security conscious web sites implement password policies that mandate the use of numbers, letters and, sometimes, special characters. But is this enough?
With the recent publication of hundreds of thousands of usernames and associated passwords, it appears that common sense is in fact, not very common.
The recent Yahoo! E-mail hack revealed that ‘123456’ was used as the password for 1,666 users. Believe it or not, 780 users used ‘password’. Please!
Once hackers are able to infiltrate a site, they make their way to the list of usernames and passwords. A file that is typically encrypted or ‘hashed’ using MD5 (Message-Digest Algorithm) is a widely used cryptographic hash function.
Hackers will then try to generate hashes through brute force and compare the data from the stolen file to the newly created hash file. This is how, after a breach, they are able to post all of the passwords online.
A quick distinction: a Dictionary Attack is where a hacker will use a dictionary file to iterate through every possible word to produce a hash file which can then be used to compare to the target hash.
Dictionary files can be downloaded from a number of places such as the Pirate Bay, so it’s something that script kiddies can use. A dictionary attack works well on single word passwords, but fail on more complex passwords such as those required in most mature organizations.
Brute Force Attacks are different in that they will cycle through every possible combination of characters (e.g., aaaaaaa, aaaaaab, aaaaaac, aaaaaad, etc.), rather than employing a dictionary list. While very effective, given enough time, brute force attacks will typically waste a lot of cycles trying to crack a hash from nonsense letter combinations like:
If we calculate that we can move through 50 hashes per second, then a 7 letter password (the most common password length) has 56,222,671,232 possible word combinations (see Table 1), which would take almost 2,000 years to crack using brute force.
Passwords that resemble line noise are only generated by the most paranoid users. Most people will generate words or phrases that they can easily remember. This means that they will follow some basic word construction rules in the creation of their password/passphrase.
Rainbow tables (that uses pre-computed password hash chains) are used by security testers or hackers as a faster technique to crack a password. A password with a large salt value can defend against rainbow tables though.
Password Selection Strategies
To eliminate guessable passwords while allowing the user to select a password that is memorable, four basic techniques are used:
- User education: Users can be told the importance of using hard-to-guess password and can be provided with guidelines for selecting strong passwords.
- Computer generated passwords: Though these passwords are random in nature, users may not be able to remember them.
- Reactive password checking: The system periodically runs its own password cracker to find the guessable passwords.
- Proactive password checking: A user is allowed to select his or her own password, however at the time of selection the system checks to see if the password is allowable and, if not, rejects it.
Brute Force Attack
When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes.In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys or passwords until the correct one is found.Brute-force attacks can be made less effective by obfuscating the data to be encoded, something that makes it more difficult for an attacker to recognize when he/she has cracked the code. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.
It is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary (from a pre-arranged list of values).
In contrast with a brute force attack, where a large proportion key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words for example a dictionary (hence the phrase dictionary attack). Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), such as single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit. However these are easy to defeat. Adding a single random character in the middle can make dictionary attacks untenable. Unlike brute-force attacks, dictionary attacks are not guaranteed to succeed.
Auditors and other security practitioners continue to recommend password aging, the idea that a password must be renewed within a set period or it expires, as a best practice to protect accounts against unauthorized access and to ensure separation of duties. At best, this is a waste of time and a distraction that reduces user support for well-founded security initiatives. At worst, it actually increases the potential for misuse of accounts.
Password aging is counterproductive in that it inevitably encourages more people to write down more passwords. Arguments for the security value of password aging hinge on several assumptions about the vulnerability of passwords, each of which is flawed in a significant way.
Assumption No. 1: Password Aging Is a Protection Against Brute-Force Attacks Against Specific Passwords
It is relatively easy to gain access to a computer without the need for brute-force attacks. For example, if an attacker has physical access to a Unix system or Windows PC for longer than a few minutes, that attacker can easily bypass the password security and gain access to the administrator account without mounting any kind of attack on account passwords.
Furthermore, in organizations today, keyboard-logging software is more common than password-cracking software. If the attacker does not have unrestricted access to the device for longer periods, login failure lockout and a moderately complex password should defeat manual guessing attempts.
Assumption No. 2: Password Aging Is a Protection Against Password Sharing
Users who are willing to share passwords will continue to do so, whether or not password changes are required. Password aging may reduce the size of the group knowing the password but will not eliminate it.
Assumption No. 3: Password Aging Limits the Effect of Stolen Passwords
Even with password aging set to 30 days, the attacker will have, on average, 15 days with a stolen password. This is more than enough time to cause significant and lasting damage, including the creation of other entry points (back doors) into the system. If passwords are stolen through automated keystroke logging software, which is increasingly the case, then the new password will be stolen the first time it’s used. Other ways of password theft, such as social engineering and shoulder surfing, are also repeatable.
The best method of preventing a password from being cracked is to ensure that attackers cannot get access even to the hashed password. For example, on the Unix operating system, hashed passwords were originally stored in a publicly accessible file /etc/passwd. On modern Unix (and similar) systems, on the other hand, they are stored in the file /etc/shadow, which is accessible only to programs running with enhanced privileges (i.e., “system” privileges). This makes it harder for a malicious user to obtain the hashed passwords in the first instance. Unfortunately, many common Network Protocols transmit passwords in cleartext or use weak challenge/response schemes.
Password guessing: Most host administrators have improved their password controls, but the group account still abound, and password-directory and password-cracking programs can easily crack at least 10 percent of the passwords users choose. The deterrent is enforcement of good passwords.
Password sniffing: CERT estimated long back in 1994, thousands of systems will be the victims of password sniffers. On LANs any internal machine on the network can see the traffic for every machine on that network. Sniffer programs exploit this characteristic, monitoring all IP traffic and capturing the first 128 bytes or so of every encrypted FTP or Telnet session. The deterrent is to utilize programs that provide one- time (non-reusable) passwords.
Here we are expecting one apostrophe followed by an‘s’, and positioned at the last or second to last character. For the algorithm we are not concerned with the apostrophe to show a contraction, only possession and plural possession.
Hyphens and Underscores
The rule here is that these are uses independently for the separation of two unique constructions; then each word is tested separately.
Ending punctuation (! ? . , ) is expected to be at the end of the password, and we would not expect to see more than one punctuation character. Any other ending punctuation is not accepted.
Accepted suffixes include -able, -ac, -acity, -age, etc. Here is a comprehensive Suffix Worksheet. The rule here is that the last letter before the suffix cannot be the same as the first letter of the suffix. The rule does not allow for repeating vowels.
The word needs to contain at least one vowel.
Employing Character Position Analysis, analyzing a character’s position in relation to its neighbors, allows a hacker to know if the characters fit next to each other. There are three tests involved as well as methods for getting more accurate results, as well as how to deal with more complex characters. This heuristic approach allows hackers to crack long and complicated passwords quicker.
Password strength is the likelihood that a password cannot be guessed or discovered, and varies with the attack algorithm used. Cryptologists and computer scientists often refer to the strength or ‘hardness’ in terms of entropy.
Entropy is a measure of unpredictability of information content.
It is usual in the computer industry to specify password strength in terms of information entropy, measured in bits, a concept from information theory. Instead of the number of guesses needed to find the password with certainty, the base-2 logarithm of that number is given, which is the number of “entropy bits” in a password. A password with, say, 42 bits of strength calculated in this way would be as strong as a string of 42 bits chosen randomly, say by a fair coin toss. Put another way, a password with 42 bits of strength would require 242 attempts to exhaust all possibilities during a brute force search. Thus, adding one bit of entropy to a password doubles the number of guesses required, which makes an attacker’s task twice as difficult. On average, an attacker will have to try half of the possible passwords before finding the correct one.
Entropy is defined in the context of a probabilistic model. Independent fair coin flips have entropy of 1 bit per flip. A source that always generates a long string of Bs has entropy of 0, since the next character will always be a ‘B’.
NIST Special Publication 800-63 suggests the following scheme to roughly estimate the entropy of human- generated passwords
- The entropy of the first character is four bits;
- The entropy of the next seven characters are two bits per character;
- The ninth through the twentieth character has 1.5 bits of entropy per character;
- Characters 21 and above have one bit of entropy per character.
- A “bonus” of six bits is added if both upper case letters and non-alphabetic characters are used.
- A “bonus” of six bits is added for passwords of length 1 through 19 characters following an extensive dictionary check to ensure the password is not contained within a large dictionary. Passwords of 20 characters or more do not receive this bonus because it is assumed they are pass-phrases consisting of multiple dictionary words.
Guidelines for Strong Passwords
- A minimum password length of 12 to 14 characters if permitted
- Generating passwords randomly where feasible
- Avoiding passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors’ names or dates)
- Including numbers and symbols in passwords if allowed by the system
- If the system recognizes case as significant, using capital and lower-case letters
- Avoiding using something that the public or workmates know one strongly likes or dislikes
1. William Stallings, Network Security Essentials: Applications and Standards, Pearson Education
2. Daniel Minoli | Emma Minoli, Web Commerce Technology Handbook, Tata McGraw-Hill
3. Mark Nicolett, Manage Passwords to Secure Your IT Environment, Gartner
4. Ray Wagner | Ant Allan | Jay Heiser, Management Update: Eight Security Practices Offer More Value Than Pass-word Aging, Gartner
5. Gery Menegaz, Brute Force Attacks: Beyond password basics, ZDNet.com
6. Password cracking – Wikipedia, the free encyclopedia
About the Author
Kishor Sonawane and Satish Chinchorkar
(Varutra Consulting) – Article written for Pentest Magazine May 2014 issue.