Computer Fraud & Security Bulletin
that all a test does is prove that recovery works for the test situation. Testing will improve the likelihood that the recovery will work. The trick in carrying out tests is to know how much testing to do. The message for disaster recovery planning today is that recent events show that disaster recovery is an ongoing process which must reflect not only differing risks, but also changing business needs. ‘Be prepared’ is a wise move, but ‘being prepared’ means ongoing awareness of recovery criteria and maintenance of the disaster recovery scenario for the organization.
PASSWORD CONTROL

L. G. Lawrence

Introduction

Some time ago, Cresson Wood [1] proposed administrative controls for password-based access controls. Most of the general statements and the overall tenor of that paper provided a sound security policy and administrative approach. However, at a detailed level the description indicated a greater familiarity with the native VAX concept of control by accounts than with access-list or rule-based systems such as RACF or ACF2 on IBM/MVS systems, or even VAX/VMS Access Control Lists (ACLs). More recently an article by Salamone [2] (among many recent articles of a like nature) pointed out that the attacks by the Robert Morris worm relied on the easily guessed nature of passwords used on the Internet. The article went on to discuss a program called Password Coach, written by Charles Cresson Wood, which applies a number of tests to user-selected passwords to avoid these problems. Highland [3] cites a study in a government agency where passwords were user initials (40%), or even the space bar (10%). In fact, 74% of users had passwords of three characters or less, and the security administrators had no tools for controlling passwords and no programme of user education.
July 1993
Many authors and security people are questioning the validity of using passwords to identify people who wish to access systems. They cite the Robert Morris case and the Markus Hess case investigated by Clifford Stoll, where encrypted dictionary words were compared against the stored password file, as evidence of the need to do away with passwords and replace them with tokens and, in particular, smart cards. Some have not gone to this extent, but have suggested that passwords be centrally generated by the security administrator and distributed. Because the password approach is generally the cheapest identification method available, it seems warranted to revisit some of the questions of password administration and look at how users may be encouraged to use stronger passwords in a way that they can remember. Perhaps we can admit that people may feel safer writing down something rather than remembering it, and provide suggestions which will allow these people to write down clues to their current password which only they can apply.

In 1984, Barton and Barton [4] discussed user-friendly password methods from a viewpoint of the psychological aspects of memory. They suggested that we need to cater for personal preferences and base procedures on user experience in conjunction with memory aids. They admitted that the approaches they suggested were not as secure as envisioned in system-orientated theory, but suggested that they would be operationally superior to many chosen in practice. It is suggested here that little extension of these concepts has been done, and that education of users has been insufficient to make them aware of the ways they could improve their choices, assuming that they are sufficiently aware of the security implications and of the personal implications of the individual accountability which the password addresses.
This article aims to put some possibilities together for both user education and password selection which might help improve password-orientated systems, even where tokens or other aids are used as secondary authenticators.
© 1993 Elsevier Science Publishers Ltd
The user environment

User passwords are in vogue in all manner of organizations, from those with a few people using a PC, through those with LANs, to large mainframes with thousands of users in organizations with perhaps tens of thousands of employees. There are several consequences of size which need to be taken into account.

1. People move around inside an organization, not just into and out of it. Consequently, the user’s need for access to resources changes in ways that are not satisfactorily met by adding new capabilities. Additionally, there is often a to-and-fro movement for acting duties or short-term secondment, and hence the one person needs multiple sets of access rights that may need to be mutually exclusively employed, or might need to be selected for other reasons. The tendency has been to give the user multiple user-IDs with a different password for each. Of course the user writes down these multiple combinations as they become too difficult to remember.

2. An implication of this is that users normally fall into groups performing similar jobs and needing access to the same resources. This grouping is a necessary consequence of the work organization, not simply a matter of administrative convenience, but there is an administrative aspect of who will advise users of password needs and assist them to overcome problems of forgotten passwords.

3. It is necessary for some roles to be short-term, such as training course attendance or temporary staff employment. Observation indicates that this is often handled as a fixed user-ID under the control of the manager who sets and issues the password. Who is to say who used one of these to gain unauthorized access?

4. Increasingly, the role of a person in relation to an organization changes over the person’s life. These roles include customer, employee, ex-employee, superannuant, supplier, business partner, adviser, government official and probably others. Rights of access usually belong to the job that is done or the role that is played. Only rarely is there a need to grant rights to an individual per se, rather than to the individual as the holder of a position. Where such access is needed it is likely to be for trouble-shooting purposes for a limited time, or in research environments where the user is really the owner of the information resource.

5. The use of computer systems needs to be allocated equitably and costed. In some cases there are statutory needs to cost out a particular area of the business. (For example, in Australia, insurance companies must be able to cost out and report on types of business.) As a consequence there are several entities involved in the resource allocation: the user who requests the work, the job or user group on whose behalf the work was done, the job or user group which handles the output, and the accounting code indicating the cost allocation to be performed for each component of the work. When any particular piece of work is done there is a fixed group and a fixed account. However, each user is a unique person, the user belongs to one or more work groups, and one or more work groups may share an account code. None of these three entities can be considered secret. What must be controlled is not the names but the relationships between them. Passwords on accounts are not meaningful and can easily be discovered or broken.

6. Generally, a user may swap tasks around during a day and may need to move from office to office carrying out a task.

7. Work may be submitted at one time and processed at some later time when the user is not present. This causes problems of how to identify the user responsible for the work and how to protect that identification.
The resolution of these multiple-password problems must be in terms of multiple identifiers within the system. In setting up a good system, rules need to be set in terms of minimum length, minimum and maximum change times, and character selection as well. With these in place we can have a one-user-one-current-password situation which users will find easier to manage, and the problem area comes down to how to select a memorable password. There are some exceptions to this situation where passwords are kept accessible to an administrator. These are different within the sub-system and provide users with ways they can keep a couple of passwords concurrently.

Password selection techniques

There have been several attempts to provide passwords for the user. These range from random character string generation to providing choices for the user to select. Such approaches suffer from the fact that they have nothing to do with the user and hence become difficult to remember. Following the Bartons’ suggestion we need to ensure that the mechanism is personal. It is the proposition of this article that if this concept is the basis of password selection then it is a matter of how they are used and not of preventing choice. In fact, if the method of use is sound, the individual may write down clues to what the current passwords are without fear of discovery by guesswork (trial and error). What then can be used that is likely to be personal? Some possibilities are:

• favourite things, whether they be songs, books, poems, people or anything which the person is unlikely to forget and which others are unlikely to guess;
• unforgettable phrases that have meaning for the person concerned;
• significant dates such as birthdays and anniversaries;
• the person’s own names;
• in-jokes which give rise to punch lines or key phrases.

There are several convenient ways of using these memorable things to select a password, which we will look at, but the starting point is a string of characters that the user can remember, compressed with no spaces between them. The objectives in the following sections are to suggest mechanisms that may be used singly or together to produce many passwords which resist dictionary searches, but which may repeat after some reasonable time in such a way that information can be written down. We thus avoid the problems while recognizing that people do feel more comfortable with something written down.
Selection

The simplest way is perhaps to select a string of suitable length from the key phrase. For example, if the favourite film was ‘Gone with the Wind’, one could select, say, 4,6 to indicate starting from character 4 and going for 6 characters, hence ‘ewitht’. If the choice is a poem or song the phrase is usually longer than a film title and hence selection can give a lot more passwords without repetition. Another selection technique, which takes a bit more time to work out, would be to start at a particular position and select every ‘nth’ character until a sufficient number is reached. For example, 3,2,6 with the phrase above would yield ‘nwttei’. A similar approach the author has used involves a long phrase considered as groups of four, selecting specific blocks to give an eight-character password. Using the same phrase as above, 2,4 would yield ‘withindg’. Note that in this case the phrase is considered repeated as many times as is needed to produce the password. To get smarter with these approaches one can also go backwards and indicate this with a negative number. For example, -3,6 could indicate starting
at the third from last character and going forward for six, while -3,-6 could indicate continuing to go backwards from the selection point.

Slide rule

This group of techniques uses two phrases and slides them against each other. To help remember the algorithm it is better to consider one phrase as a key and measuring point. If we had ‘gonewiththewind’ as one phrase and ‘1357’ (the odd prime numbers under 10, with 1) as the other, we could express the selection process as 3 for starting at ‘n’ and assuming the second string starts at this point; 1,1 to indicate one from each string; and 6 for the length. That is, we could write 3,1,1,6 and mean ‘n1e3w5’, or perhaps 3,2,1,6 to mean ‘ne1wi3’. The author has used a variant of this technique to cover access to multiple systems at multiple sites. By keeping a list of place, date and code numbers it was relatively easy to cope with discontinuous usage of a large number of passwords. Of course it is easier if passwords are synchronized, so I usually brought an old one up to date with the latest at another location.

Simple encryption

This process applies a translation to the pass phrase in a variable manner. At its simplest we can use the starting point and number of characters as above and add a number to indicate shifting one letter backwards or forwards in the alphabet (or number sequence). The letters HAL taken forward one letter become IBM (Arthur C. Clarke denies this was intentional when choosing the name of the computer in 2001). If we take ‘gonewiththewind’, then, say, 3,6,1 yields ‘ofxjui’. In a meeting of cryptanalysts the author chose a relatively simple phrase and took the first letter one forward, the second two back, the third three forward, and so on. That no-one had worked out the algorithm by the time the conference ended indicates that such schemes can provide a relatively high degree of protection from the average hacker, and probably by the time it was broken the password could have been changed or the algorithm shifted.
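Putting the selection, slide-rule and shift techniques above together with the key-shift approach described in the next section, the following is an added example (not the author’s own code) that derives passwords from a remembered phrase plus the written-down numbers and reproduces the article’s worked values. The function names, the way the parameters are encoded, and the keyboard layout (a US QWERTY layout, taking the key in the same column of the row above, with the unshifted number row on top) are this example’s assumptions; under that layout the one-row shift of ‘newith’ is ‘h3285y’. It also adds a check the article does not make: for a phrase an attacker knows or guesses, it counts how many distinct passwords a modest range of written-down parameters can produce, which shows that the numbers add only around a dozen bits of secrecy on top of the phrase itself.

```python
# Added example (not the article's own code): the phrase-plus-written-down
# parameter techniques from the article, checked against its worked values.
# Function names and parameter encodings are this example's own choices; the
# keyboard assumed is a US QWERTY layout with the unshifted number row on top.


def select(phrase, start, length, step=1):
    """Take `length` characters from `phrase` starting at 1-based position
    `start` (negative counts from the end: -3 is the third from last) and
    moving `step` positions each time (a negative step goes backwards).
    The phrase is treated as repeated end-to-end, so it wraps around."""
    n = len(phrase)
    idx = start - 1 if start > 0 else n + start
    return "".join(phrase[(idx + k * step) % n] for k in range(length))


def select_blocks(phrase, block_size, *blocks):
    """The 'groups of four' variant: concatenate the given 1-based blocks of
    `block_size` characters, wrapping so the last block is always full."""
    return "".join(select(phrase, (b - 1) * block_size + 1, block_size)
                   for b in blocks)


def slide_rule(key, other, start, take_key, take_other, length):
    """Slide two strings against each other: from 1-based `start` in `key`
    take `take_key` characters, then `take_other` from `other` (lined up to
    begin at the start point), repeating until `length` characters exist."""
    out, i, j = [], start - 1, 0
    while len(out) < length:
        for _ in range(take_key):
            out.append(key[i % len(key)])
            i += 1
        for _ in range(take_other):
            out.append(other[j % len(other)])
            j += 1
    return "".join(out[:length])


def shift(text, by):
    """Move each letter `by` places through the alphabet and each digit
    through 0-9, wrapping; anything else is left alone (HAL + 1 = IBM)."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr(base + (ord(ch) - base + by) % 26))
        elif ch.isdigit():
            out.append(str((int(ch) + by) % 10))
        else:
            out.append(ch)
    return "".join(out)


def alternating_shift(text):
    """First character one forward, second two back, third three forward..."""
    return "".join(shift(ch, (k + 1) * (1 if k % 2 == 0 else -1))
                   for k, ch in enumerate(text))


# Keyboard rows top to bottom; "one row up" means the key in the same column
# of the row above, which reproduces the article's n->h, e->3, w->2, t->5, h->y.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./")


def key_shift(text, rows_up=1):
    """Replace each character with the one `rows_up` rows above it, cycling
    from the number row back round to the bottom row."""
    out = []
    for ch in text:
        for r, row in enumerate(QWERTY_ROWS):
            col = row.find(ch)
            if col >= 0:
                out.append(QWERTY_ROWS[(r - rows_up) % len(QWERTY_ROWS)][col])
                break
        else:
            raise ValueError(f"{ch!r} is not on the four main rows")
    return "".join(out)


def guessable_outputs(phrase, min_len=6, max_len=8, max_step=3):
    """Caveat check: if the phrase itself is known or guessed, how many
    distinct passwords can select-then-shift produce over a modest range of
    written-down parameters? At most a few thousand, i.e. the parameters
    add only around a dozen bits on top of the secrecy of the phrase."""
    seen = set()
    for start in range(1, len(phrase) + 1):
        for length in range(min_len, max_len + 1):
            for step in [s for s in range(-max_step, max_step + 1) if s]:
                base = select(phrase, start, length, step)
                seen.update(shift(base, by) for by in range(26))
    return len(seen)


if __name__ == "__main__":
    p = "gonewiththewind"
    print(select(p, 4, 6), select(p, 3, 6, 2), select_blocks(p, 4, 2, 4))
    print(slide_rule(p, "1357", 3, 1, 1, 6), shift(select(p, 3, 6), 1))
    print(key_shift("newith"), key_shift("newith", 2), guessable_outputs(p))
```

The count from guessable_outputs is the practical caveat: the written-down clue only protects the password to the extent that the phrase itself is not in an attacker’s dictionary, since an offline cracker that has the phrase can enumerate every parameter combination in a fraction of a second.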
Key shifts

Another technique to disguise the phrase used is the key shift approach. In this we choose out of our phrase by any means we like and then take the character above it on the keyboard. If 3,6 with ‘gonewiththewind’ gave us ‘newith’ we would key in ‘h3285y’. Again, one could choose two rows up by allowing cycling. In our example this gives ‘ycx,b6’. These more complex transpositions based on keyboards can, of course, only work if the system can accept some punctuation characters in the password. They also require that numbers and letters be acceptable in any position.

Conclusions

What we have shown is that it is possible to allow people to select things which are memorable to them and to allow the writing down, not of passwords themselves, but of keys to the use of an algorithm to select from a hidden phrase. We have also seen that these techniques can create multiple passwords (for multiple applications or systems, or just over time) with a reasonable degree of resistance to cracking. Thus it is suggested that, with a little user education, password systems, which are cheap to implement, can have an extended life, even though adding tokens or smart cards might well add considerable strength and should be used when it is not possible to place reliance on the user’s password alone. This discussion is centred around the user identification password, which it is contended is the only really valid use of passwords that has any chance of success if tied to the user’s preferences.

References

1. C. Cresson Wood, “Administrative Controls for Password-based Computer Access Control Systems”, Computer Fraud & Security Bulletin, Vol. 8, No. 3 (1986), p. 5.
2. S. Salamone, “A guessable password is worse than useless”, Computerworld Australia, 6 December 1991, p. 32.
3. H.J. Highland, “If the Password’s ‘Anything Goes’, It’s Your Loss”, Government Computer News, 29 October 1990.
4. B.F. Barton and M.S. Barton, “User-friendly Password Methods for Computer-Mediated Information Systems”, Computers & Security, Vol. 3 (1984), p. 166.
5. S.J. Ross and L. Chalmers, “Passwords, User-IDs, and Security Codes”, Journal of Information Systems Management, Spring 1988, p. 16.