UNIX Password Security Walter Belgers walter at giga.win.tue.nl December 6, 1993 1. Introduction This document was written to make system administrators aware of the importance of well-chosen passwords. Easy-to-guess passwords offer hackers the possibility to enter a system. (`Crackers' is a better term, because `hackers' is historically reserved for people who take the most out of their computer because of their great knowledge of soft- or hardware. I will continue to use the term `hacker' because this is common in literature.) More and more computers are being connected to the world-wide Internet (the latest estimations speak of about 1.5 billion systems). This means there will be more and more users, and therefore more and more hackers. By means of good password-security, one can protect a system from newbie hackers. There are many types of systems, and every one has a lot of security aspects to it. I will restrict myself to the password-security of UNIX systems. The reason being that UNIX systems are very popular, especially in an educational environment, where one can expect an increased concentration of hackers due to the openness that is appreciated in such environments. This is in contrast to a commercial environment, where data has to be protected. E.g. against competitors. There are many ways to hack a UNIX system, and there are many programs for finding a user's password. These programs can be used by people who have little knowledge of UNIX. Choosing good passwords can therefore help in keeping newbie hackers out. (`Advanced hackers' are often capable of entering a system without using passwords. This implies that the security of a system depends not solely on well-chosen passwords.) Besides the importance of good passwords (i.e. not easily guessable) we will take a look at how they work. Next we will see an actual example which shows how bad passwords are usually chosen. To conclude I will give several methods for choosing good passwords. 2. The importance of good passwords The goal of a hacker is usually obtaining the superuser-status (`root'). The normal strategy to do this is using badly installed software, bugs in (system)software and human errors. There are several ways to hack a computer, but most ways require extensive knowledge. A (relatively) easy way is logging in as a normal user and searching the system for bugs to become superuser. To do this, the hacker will have to have a valid usercode/password combination to start with. It is of utmost importance that all (!) users on a system choose a password that is not easy to guess. The security of each individual user is closely related to the security of the whole system. Users often have no idea how a multi-user system works and don't realise that they, by choosing an easy to remember password, indirectly make it possible for an outsider to manipulate the entire system. It is essential to educate the users well to avoid attitudes like the one described in [Muf]: "It doesn't matter what password I use on _MY_ account, after all, I only use it for laserprinting...". The users have to get involved with the security of the system they are working on. In [Pet] we read "Users have a responsibility to employ available security mechanisms and procedures for protecting their own data. They also have a responsibility for assisting in the protection of the systems they use". It also says that it is important to notify the users of the security guidelines. A solution might be giving new users a limited course. Or at least make them understand why good passwords are essential. This can be done e.g. when a user gets his or her initial password from the system administrator. 3. How a hacker finds a password Most UNIX systems don't use the so-called shadow passwordfiles which we will look at in a moment. In most cases, the passwords are stored encrypted in the file /etc/passwd, or, if the system is a client, on the server. In the latter case, one can get the passwordfile by giving the command `ypcat passwd'. A line from the passwordfile looks like this: account:coded password data:uid:gid:GCOS-field:homedir:shell A user with account gigawalt, crypted password fURfuu4.4hY0U, userid 129 (a user with userid 0 (of which there can be more than one) is superuser), groupid 129, information (GCOS) Walter Belgers, homedirectory /home/gigawalt and shell /bin/csh will have an entry in /etc/passwd like this: gigawalt:fURfuu4.4hY0U:129:129:Walter Belgers:/home/gigawalt:/bin/csh Things are a bit different when a shadow passwordfile is being used. All coded password data is replaced with a `*' in /etc/passwd, and a second file (the shadowfile) is used to store the original data. This file can only be read with sufficient privileges so that normal users cannot get the crypted passwords. Passwords are being crypted using the DES algorithm. DES (`Data Encryption Standard') is an American encryption standard since 1979. With DES it is possible to encrypt and decrypt data using a key. UNIX password encryption uses the DES algorithm 25 times in a row. The first DES round uses 64 0-bits as input and encrypts them with the password the user inputs, with a permutation taking place during the encryption process. There are 4096 possible permutations. The permutation used is randomly chosen for each user. The chosen permutation is coded into two bytes called `salt'. The salt is stored in the passwordfile. The output is used as input for the next DES round, which uses the same key and permutation. This process repeats until there is a final output from the 25th DES round. This output is coded into eleven bytes which are put in the passwordfile. So the coded password data in the passwordfile consists of thirteen bytes, first the salt and then the encrypted password. This method of encryption is almost irreversible, which means that it is easy to encrypt a string, but it is impossible to find the original of a string encrypted in the way described above, except by systematically trying out all possible keys and salts. (By impossible we mean here that there is no known method that does this quicker.) It is however possible to find the original of a string encrypted using _single_ DES. For more information concerning single DES encryption see [Til]. If it's impossible to decrypt the encrypted password, how can a user log in? This works as follows: the user inputs his or her password which is used as key to crypt 64 0-bits using the aforementioned method, using the salt as it can be found in the passwordfile for that particular user. If the output corresponds to the eleven bytes that represent the crypted password in the passwordfile the password is considered valid and the user will be permitted to access the system. For more information on the precise working of DES on UNIX see [Fel2]. Schematically it looks like this: ---------------- (salt) | 25x DES | <---------------vv 64 0-bits ----> | encryption | ---- fURfuu4.4hY0U ------ ---------------- | (from /etc/passwd) | ^ | | | (key) -------------> Rfuu4.4hY0U -----| | (result) | | | inputted password | --------------------------------- | --> correspondance: password accepted As I just pointed out it is not possible (in real life) to decrypt passwords. However, it is possible to encrypt 64 0-bits with some words and see if the result `incidentally' is the password. Then the account is hacked. One could remark that it must be possible to check all possible passwords this way. However, this would take the fastest computer longer than the time the universe exists. By trying out only passwords consisting of six lowercase characters, it becomes possible to try out all combinations in reasonable time, provided one has an extremely powerful computer. The latest record for passwords consisting of six lowercase characters stands at one hour per user. Passwords of accounts that are attractive to hackers (the ones with a lot of privileges) should therefore never consist solely of lowercase characters! We see that the usual way to find passwords is by guessing them. So you have to make sure users do not use easy-to-guess passwords, i.e. passwords that can be found in lists (a dictionary, an encyclopedia, files with astronomical terms, flora and fauna, etc.). It is very easy to obtain such lists via the Internet. Suppose a line from the passwordfile looks like this: gigawalt:fURfuu4.4hY0U:129:129:Walter Belgers:/home/gigawalt:/bin/csh Then passwords that should NOT be used are e.g.: . all English words and derivatives (so `laugh', `laughs', `laughing', etc.) . all words from a foreign language (it is easy to get foreign dictionaries) . words that can be found in the passwordfile itself like Walter, Belgers, gigawalt, etc. . patterns like 123456, qwerty, etc. . geographical names . words from an encyclopedia (`Socrates') . the license plate of a car, the roomnumber, the phonenumber or other things that have something to do with the owner of the account . given names . variations of these (walter, WALTER, retlaw, Walter, wAlter, walter0, walt3r, Retlaw4,...) Also take into account doubling words or adding a random character. 4. An actual example To show how users choose their passwords badly, I used a password guessing program on a passwordfile of a system in operation. The program I used was Crack v4.1 with ufcrypt (ultra-fast crypt, a fast implementation of the DES algorithm) on a network of SUN ELC computers. The performance of these computers (20 MIPS) is comparable to that of a modern PC. The program was stopped before it was finished after almost 60 hours. The passwords that were found were found within the first 25 hours. Results: Type of machines: 11x SUN ELC Total number of accounts: 521 Number of hacked accounts: 58 (11.1%) (with interactive shell 56 (10.7%)) Total time 59:13 (real time, not CPU time) 1 lists 42 (7.2%) 2 common names 1 (0.2%) 3 user/account name 5 (0.9%) 4 phrases and patterns 3 (0.5%) 5 women's names 2 (0.3%) 6 men's names 4 (0.7%) 7 cities 1 (0.2%) Passwords found: . cyclades, paardens, fiesta, regen, gnosis, police, fuselier, ballon, smaragd, marques, farao, kasteel, valent, adagio, clematis, gehannes, koeien, gnomen, onderkin, zeilboot, druppel, fietsen, testen, marathon, tamtam, global, vrijheid, wolf, kwiek, basket, stones, klomp9, fiets9, Zoutje, Biefstuk, neenee, tnbrg (this is `tonbrug' without vowels). . fischer. . guest had password guest. This is not a user's fault of course, but the fault of the system administrator. It has to be seen whether or not logging in as `guest' with password `guest' is criminal in the Netherlands. . qwerty, unesco. . heather, joanne. . piet, atilla, Frans2, vatsug (this is `gustav' spelled backwards). . adelaide. Some people have studied the amount of passwords that is easily guessable in the past. In [Kle] Daniel Klein finds 21% of 15,000 passwords using one week CPU time. The first 2.7% was found within 15 minutes (people who used their account as password, e.g. account gigawalt, with password gigawalt). The categories in which over 1% of the 15,000 passwords were found are: lists 7,4% common names 4,0% user/account name 2,7% phrases and patterns 1,8% women's names 1,2% men's names 1,0% machinenames 1,0% Comparing these results to the ones above is of little use because of the limited extent of this investigation. A somewhat more extensive research (see [Far]) was concerned with passwordfiles of several .COM systems (computers owned by US companies). One would expect companies to have good security measurements, but the passwords kept coming in, with the first root-password (!) after little more than an hour. (There was a total of 1594 passwords of which 50 had been guessed within 15 minutes, and 90 after 35 minutes.) 5. Picking good passwords The above illustrates the importance of a good password for every user. We will look at some methods for choosing good passwords. A good password consists of 8 characters (a UNIX password can be up to eight characters, any extra characters will be discarded, making the passwords `Still won't talk, eh, Spiff?' and `Still wo' mutually interchangable). It has to be hard to guess but easy to remember, because otherwise, users will be tempted to write down their password which totally takes away the function of a it. Pick a password that not only consists of just upper- or lowercase characters, or only one capital (`seCret' is thus a bad password). It is preferable to use a non-alfanumeric character in the password (%,=,*, etc.). The use of control characters is possible, but not all control characters can be used, and it can give rise to problems with some networking protocols. A few methods: . Concatenate two words that together consist of seven characters and that have no connection to eachother. Concatenate them with a punctuation mark in the middle and convert some characters to uppercase. Examples: `Pit+idEa', `plOVer#me'. . Use the first characters of the words of a certain (not too common) sentence. When we use the sentence `My goldfish are called Justerini and Brooks!' as example, we would get the password `MgacJaB!'. (Also in this case make sure you use an eight-character password with uppercase characters and/or punctuation marks.) . Alternately pick a consonant and one or two vowels resulting in a pronouncable (and therefore easy to remember) word. Examples: `koDupaNy', `eityPOop'. 6. Reducing break-in possibilities It is important for users to have hard to guess but in the meantime easy to remember passwords. There are methods for generating such passwords. System operators should inform the users about the importance of good passwords. To reduce the risk of a break-in there are several possibilities: . Make sure the users know why a good password is important and how they can choose one. . Install a new /bin/passwd (or yppasswd) that checks whether the password is not too obvious (by checking if it contains punctuation marks, or by investigating if the password can be found in standard wordlists). . Install a shadow passwordfile (this involves changing some software). . Let passwords expire, for example after three months for regular users, after a month for users with extra privileges. The timespan a password lives should not be chosen too small. What will still exist is the danger of users using series of passwords, like `Secret1', `Secret2',... making it easy for a hacker to, once he has obtained a password, guess the successor. . Use a program that hacks passwords to check if some users have guessable passwords. Let those users visit you personally to inform them about the fact that a good password is everyone's concern. . Switch to single-use passwords (this is radical and requires some investments, see [Ven]). . Use passwords of accounts with privileges like that of root on the console only to avoid eavesdropping the network. When impossible, try to avoid logging in on such accounts from computers or terminals that are connected to a LAN segment on which people can easily and/or anonymously wiretap the network, like classrooms. . Keep in mind that total system security is as weak as the weakest chain. Also keep in mind that a system with good passwords alone is not yet a secure system. 7. Bibliography [Bel] Walter Belgers, Password Security - A Case Study (in Dutch), TimeWasters Online Magazine #5, march 9, 1993, can be obtained by sending email with Subject `TOM5' to timewasters-request at win.tue.nl. [Cur] David A. Curry, UNIX System Security, Addison-Wesley, 1992. [Far] Dan Farmer, Wietse Venema, Improving the Security of Your Site by Breaking Into it, USENET newsgroup comp.security.unix, can be obtained via ftp from ftp.win.tue.nl as /pub/security/admin-guide-to-cracking.Z, 1993. [Fel1] David C. Feldmeier, A High-Speed Software DES Implementation, can be obtained by anonymous ftp from thumper.bellcore.com as /pub/crypt/des.ps.Z, 1989. [Fel2] David C. Feldmeier, Philip R. Karn, UNIX Password Security - Ten Years Later, Proceedings of Advances in Cryptology - CRYPTO '89, 1989. [Kle] Daniel V. Klein, ``Foiling the Cracker'': A Survey of, and Improvements to, Password Security (revised paper), Proceedings of the USENIX Security Workshop, summer 1990. [Muf] Alec E. Muffet, Almost Everything You Wanted To Know About Security (but were afraid to ask!), USENET newsgroup alt.security. [Pet] R. Pethia, S. Crocker, B. Fraser, RFC1281: Guidelines for the Secure Operation of the Internet, november 1991. [Til] Henk C.A. van Tilborg, An Introduction to Cryptology, Kluwer Academic Publishers, 1988. [Ven] Wietse Venema, Using SecurID tokens in an open multi-host UNIX environment, can be obtained by anonymous ftp from ftp.nic.surfnet.nl as /surfnet/net-security/docs/securid.ps, 1993.