[comp.protocols.tcp-ip] passwords

perry@MCL.UNISYS.COM (Dennis Perry) (11/09/88)

There has been some discussion regarding passwords and how people use
'silly' ones such as their name, etc.  Left to their own initiative, people
will not come up with passwords which maximize their effectiveness.

At Los Alamos, and here at Unisys, a program is available to generate
pronounceable passwords, but composed at random.  These password programs
can be made to run in place of the option of inputting your own.  Each
time you type the 'passwd' command, the system gives you a new one.  If you
don't like it, you can get another until you find one you like.  These
passwords are 8 characters long and difficult to guess, if not impossible,
by a human, although I am sure that a machine could try.  Along with passwords
should be some monitoring of attempts to login.  If the frequency is high
then some attempt should be made to shut the login feature off for some
period of time.  At Los Alamos, with password checking, any attempt to log
in that results in more than 3 failures results in that login name being
'blacklisted' and no further attempts are allowed.

I strongly encourage everyone to use such a password generator and not
allow people to generate their own passwords.  

Password aging is also something that could and probably should be done.
If it is manual, once a year is probably enough.  This allows people to
memorize their passwords for a reasonable period of time.  They can always
request a new password if they believe that their password has been
compromised.  Better would be to age the password based on usage, rather
than time.  Even better would be smart cards which changed passwords
each time one logged on, a one time password.  Further, encryption of
data based on a smart card and exchange of keys for periods of data short
compared to decryption attack capability would be even better.

There are lots of things that computers could do for us to make the systems
we use more secure and add very little inconvenience to our life style on
the Internet or in the Academic environment.  We just have to implement them.

dennis

WANCHO@WSMR-SIMTEL20.ARMY.MIL ("Frank J. Wancho") (11/10/88)

Concerning pseudo-random, semi-pronounceable password generation,
please see RFC 972.  The original algorithm was written in BASIC by
Paul D. Merillar and Arthur A. Key.  The implementation in our PWDGEN
server, a variation of our local CHGPWD program, came from Sandia
Labs, written in FORTRAN, and uses a system-wide 36-bit seed rather
than a clock-based seed.  Marshall Rose converted that program to C...
From your message, it seems that the algorithm has found its way
around, and that's good to see.

From the source code:

    Basically "random pronounceable words" are built by alternating
    Vowels and Consonants.  However, there are "Digraphs", and these
    are presorted according to END, MIDDLE, and START positions.  Not
    going into combinatorial analysis, with seven characters the
    "possible" combinations exceed 20 Million.  (I haven't computed
    how many are possible with eight characters...)

--Frank

steve@NOTE.NSF.GOV (Stephen Wolff) (11/15/88)

>  I strongly encourage everyone to use such a password generator
>  and not allow people to generate their own passwords.

Password generators may be ok, but the passwords they generate suffer
from a dreadful sameness, and when you're trying to maintain accounts on
a dozen or more machines without writing anything down...

I strongly urge system administrators to publicize **and enforce**
their rules for choosing passwords, and let folks pick their own.

-s

ahill@CC5.BBN.COM ("Alan R. Hill") (11/15/88)

Dennis,
	Bravo! If administrators follow your advice the network systems
will be 1000 times harder to penetrate.  At least they will have done
the minimum required effort to protect their systems.  Security generally
requires one's best effort to prevent and detect.  It amazes me that we
have to have yearly events of this type to convince people that the
systems need improvement.  I have known about the security holes in Unix
for almost ten years.

Regards,
Alan

perry@MCL.UNISYS.COM (Dennis Perry) (11/15/88)

Steve, actually the password generator can be tuned to give passwords
with different 'dialects'.  We used the generator at Los Alamos to
generate over 6000 passwords a year and I don't recall any of mine
being the same or even close.

One should note that if passwords are private, and not shared, the same
passwords can be used by different people and they are just as secure.
This is similar to keys for automobiles, there are only so many locks.
My key probably works in a 1000 different cars, or more, but I don't
know which ones.

But, you are correct if you need your own password on a dozen different
machines.   In those cases, I would use a generator to generate my
'key' and then make the locks all the same, or at least minimize the
number of keys I have to carry.  Again, I think that eventually hardware
smart cards are the answer to our lifestyle problems of too many keys.

dennis

kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England)) (11/15/88)

In article <8811090956.AA07706@LANAI.MCL.UNISYS.COM>
 perry@MCL.UNISYS.COM (Dennis Perry) writes:
>
>At Los Alamos, and here at Unisys, a program is available to generate
>pronounceable passwords, but composed at random.  These password programs
>can be made to run in place of the option of inputting your own.  Each
>time you type the 'passwd' command, the system gives you a new one.  If you
>don't like it, you can get another until you find one you like.  These
>passwords are 8 characters long and difficult to guess, if not impossible,
>
>dennis

	Nice idea.  Can you get this into Berkeley and Sun?  :-)

	When I was at InterOp I stopped by the Sytek booth to look at
their telnet server.  I was not impressed, except by a neat little
gizmo they had for their terminal server administrators.  It looked
like a calculator.  To use it you enter a PIN, like at your favorite
ATM machine.  Then when you log onto a secure port to administer your
Sytek terminal server, the login program gives you a sequence of
numbers.  You enter the numbers into the little gizmo and it gives you
a bunch of numbers back.  You enter these into the login program and
you are in.  Anyone catching this sequence over the net cannot
duplicate it, they don't have the little calculator gizmo and your
PIN.
	There must be a name for this kind of security system.  Anyone
know?
	Is this kind of system available elsewhere?  How secure is
this concept?  I thought it sounded like it might be useful for system
administrators.

	Kent England, Boston University

henry@utzoo.uucp (Henry Spencer) (11/16/88)

In article <8811090956.AA07706@LANAI.MCL.UNISYS.COM> perry@MCL.UNISYS.COM (Dennis Perry) writes:
>... At Los Alamos, with password checking, any attempt to log
>in that results in more than 3 failures results in that login name being
>'blacklisted' and no further attempts are allowed.

This feature, of course, opens up a nice "denial of service" attack:  if
you have access to the machine, and know somebody's login name, just try
to login as them three times with nonsense passwords.  Presto, they can't
login until they go see the security people.  Particularly useful if you
have just broken into the system and want to keep the sysadmins off until
you finish doing your dirty work.

>I strongly encourage everyone to use such a password generator and not
>allow people to generate their own passwords.  

Unfortunately, this opens up two other problems.  First, a much higher
probability that passwords will be written down rather than memorized.
Second, some vulnerabilities if the password generator is poorly built,
e.g. if it uses a 16-bit random-number generator!

>Password aging is also something that could and probably should be done.

But done well, not done poorly as it was in Unix System V.
-- 
Sendmail is a bug,             |     Henry Spencer at U of Toronto Zoology
not a feature.                 | uunet!attcan!utzoo!henry henry@zoo.toronto.edu
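
The denial-of-service point above, as an added example (not code from any poster or from the Los Alamos system): a Python simulation over a constructed event sequence that compares a per-account blacklist with delays keyed to the port the failures arrive on. The port-keyed backoff, the class names, the user number and the delay values are assumptions for illustration.

```python
class AccountBlacklist:
    """Per-account policy: more than `limit` failures blacklists the login name."""

    def __init__(self, limit=3):
        self.limit = limit
        self.failures = {}      # user -> consecutive failure count
        self.blacklist = set()  # users who must see the security staff

    def attempt(self, user, port, password_ok, now):
        if user in self.blacklist:
            return "blacklisted"          # even the correct password is refused
        if password_ok:
            self.failures.pop(user, None)
            return "accepted"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] > self.limit:
            self.blacklist.add(user)
        return "rejected"


class PortBackoff:
    """Per-port policy (assumption): failures slow down the port, not the account."""

    def __init__(self, base_delay=2.0, max_delay=900.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.state = {}  # port -> (failure count, time the port may try again)

    def attempt(self, user, port, password_ok, now):
        failures, blocked_until = self.state.get(port, (0, 0.0))
        if now < blocked_until:
            return "throttled"
        if password_ok:
            self.state.pop(port, None)
            return "accepted"
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self.state[port] = (failures, now + delay)
        return "rejected"


# Constructed events: (time in seconds, user number, port, password correct?)
EVENTS = [
    (0, "u1234", "tty07", False),   # nonsense passwords typed at one port ...
    (3, "u1234", "tty07", False),
    (8, "u1234", "tty07", False),
    (17, "u1234", "tty07", False),
    (20, "u1234", "tty02", True),   # ... then the real owner logs in elsewhere
    (21, "u1234", "tty07", False),
]


def replay(policy, events=EVENTS):
    """Feed the events to a policy and return its decision for each one."""
    return [policy.attempt(user, port, ok, t) for t, user, port, ok in events]


if __name__ == "__main__":
    print("account blacklist:", replay(AccountBlacklist()))
    print("port backoff     :", replay(PortBackoff()))
```

The port-keyed policy keeps the legitimate owner working but does nothing against failures spread across many ports, so it still needs the logging and alerting discussed elsewhere in the thread.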

zeleznik@wasatch.UUCP (Michael Zeleznik) (11/16/88)

In article <26010@bu-cs.BU.EDU>, kwe@bu-cs.BU.EDU (kwe@bu-it.bu.edu (Kent W. England)) writes:
>
> 	When I was at InterOp I stopped by the Sytek booth to look at
> their telnet server.  I was not impressed, except by a neat little
> gizmo they had for their terminal server administrators.  It looked
> like a calculator.  To use it you enter a PIN, like at your favorite
> ATM machine.  Then when you log onto a secure port to administer your
> Sytek terminal server, the login program gives you a sequence of
> numbers.  You enter the numbers into the little gizmo and it gives you
> a bunch of numbers back.  You enter these into the login program and
> you are in.  Anyone catching this sequence over the net cannot
> duplicate it, they don't have the little calculator gizmo and your
> PIN.
> 	There must be a name for this kind of security system.  Anyone
> know?
> 	Is this kind of system available elsewhere?  How secure is
> this concept?  I thought it sounded like it might be useful for system
> administrators.
> 
> 	Kent England, Boston University


This is generally called a one-time-password approach (analogous to
cryptographic one-time-pads), or a personal password generator. There
are different flavors, but the bottom line (as you point out) is that
each login authentication number is different (can't be reused), and
thus there aren't any passwords to keep secret, and you needn't protect
the passwords while they are in use, since they can't be reused.

Racal-Guardata (Orange, CA) makes the Watchword (this previously was the
Sytek 'Passport' that you saw); host system issues a challenge, you type
it into the small calculator with your PIN which gives you a response,
you type that back to the system, and you are authenticated.  Each
challenge from the system is different, along with each response, so any
response can not be reused by anyone.   In addition to your normal PIN,
there is a duress PIN; the Watchword will generate different responses
depending on the PIN, so the remote system can tell if you are being
forced to login, for example.  

We prototyped a version of the Sytek Passport for an application system,
and it worked very nicely.  Only problem was having to have this small
calculator around, which is kind of a pain.  If they put it in a true
credit card unit, it would be great.

Security Dynamics (Cambridge, MA) makes one that is time based, called
the SecurID.  A number on a credit card sized calculator changes every so
many seconds, in sync with software on the host.  Thus, you just type in
the current displayed number.   Again, the numbers are not repeated, so
there is no need to encrypt anything. They claim to handle clock drift
and such, but the last time I thought about this, it seemed there may be
a window of vulnerability if you need to quickly login across a number
of remote hosts.

Another variation on this approach is a hand held device which reads the
challenge directly from the CRT screen (number is encoded by modulating
the light output by sending characters at encoded rates) and gives
you the response which you type in. One manufacturer of this type is
Gordian Systems, Palo Alto, CA, and the device is called the Gordian
Systems Access Key.

These systems are also capable of providing REVERSE authentication,
having the system provide a challenge response pair, which you can
verify on your personal hardware.  Depending on the approach used, this
can either be provided in the product, or would have to be user
implemented.

Even a system like Kerberos could use this in place of the fixed user
password, to eliminate that vulnerability (the time interval while
the password is stored in the user node before it is destroyed; if a
trojan horse grabs it only once...).

All three of these systems are in the NSA's evaluated products list,
under sub-systems, but I have only looked at the condensed versions (in
the INFOSEC Products and Services Catalogue), which don't say much.

Since the authentication values can be very long and very random, most
of the conventional "password" attacks are obviated.   However,
conventional cryptanalytic attacks are possible, and the quality of the
cryptographic algorithm which generates the responses is the key to the
security.  The Watchword uses DES; the SecurID used a proprietary scheme
the last I looked at it; don't know about the others.  The Watchword (if
not the others also) is in a tamper resistant enclosure. I'm not a
cryptographer/cryptanalyst, so I can't really comment on the relative
security of the algorithms.

Clearly, the database of user key data is a major vulnerability, which
must be protected.  The NSA explicitly points this out for the Gordian
Systems product.  From what I remember, the SecurID product had the
authentication server run on a physically isolated PC for that reason.


Michael Zeleznik              Computer Science Dept.
                              University of Utah
zeleznik@cs.utah.edu          Salt Lake City, UT  84112
                              (801) 581-5617

jgm@kokab.cc.deakin.OZ (John Moorfoot) (11/16/88)

In article <26010@bu-cs.BU.EDU> kwe@bu-it.bu.edu (Kent England) writes:
>In article <8811090956.AA07706@LANAI.MCL.UNISYS.COM>
> perry@MCL.UNISYS.COM (Dennis Perry) writes:
>>
>	When I was at InterOp I stopped by the Sytek booth to look at
>their telnet server.  I was not impressed, except by a neat little
>gizmo they had for their terminal server administrators.  It looked
>like a calculator.  To use it you enter a PIN, like at your favorite
>ATM machine.  Then when you log onto a secure port to administer your
>Sytek terminal server, the login program gives you a sequence of
>numbers.  You enter the numbers into the little gizmo and it gives you
>a bunch of numbers back.  You enter these into the login program and
>you are in.  Anyone catching this sequence over the net cannot
>duplicate it, they don't have the little calculator gizmo and your
>PIN.
>	There must be a name for this kind of security system.  Anyone
>know?
>	Is this kind of system available elsewhere?  How secure is
>this concept?  I thought it sounded like it might be useful for system
>administrators.

This sounds like PFX from Sytek. The s/w runs on a PC attached to
a secure port on the host, and each user has a calculator which
generates a response from a prompt issued from the server. It is
as secure as the port to which the PC is attached.

A host program asks the PC for a challenge for a user, and the PC
returns the challenge and two possible responses. The calculator
can be programmed to accept two separate PINs, and will give a
response to the challenge dependent on the PIN entered. This
provides an additional degree of security, as the second PIN can
be used (for instance) if the user is under duress.

The PC can be connected to a printer to provide an audit trail of
operations on the PC database, and it can also provide a facility
for disabling a user for authentication without deleting the user's
record.

John Moorfoot 		ARPA:	jgm%charlie.oz.au@uunet.uu.net
			UUCP:	...!uunet!munnari!charlie.oz!jgm
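
The challenge/response exchange with a normal and a duress PIN described in the two posts above, as an added Python example (not code from Sytek, Racal-Guardata or any poster). HMAC-SHA256 stands in for the device's real algorithm, and the class, function and field names, the 8-digit format and the sample key and PINs are assumptions.

```python
import hashlib
import hmac
import secrets


def token_response(device_key: bytes, pin: str, challenge: str, digits: int = 8) -> str:
    """What the hand-held unit displays for a given PIN and challenge.

    HMAC-SHA256 is an assumption standing in for the vendor's algorithm.
    """
    mac = hmac.new(device_key, f"{pin}:{challenge}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical authentication server holding the per-user key data."""

    def __init__(self):
        # user -> (device_key, pin, duress_pin). This table is the sensitive
        # database the thread says must be protected.
        self._users = {}
        self._pending = {}  # user -> challenge still waiting for a response

    def enroll(self, user, device_key, pin, duress_pin):
        if pin == duress_pin:
            raise ValueError("duress PIN must differ from the normal PIN")
        self._users[user] = (device_key, pin, duress_pin)

    def issue_challenge(self, user: str) -> str:
        challenge = str(secrets.randbelow(10 ** 8)).zfill(8)
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> str:
        # pop(): a challenge is consumed by its first verification attempt,
        # so a response captured on the wire cannot be replayed.
        challenge = self._pending.pop(user, None)
        record = self._users.get(user)
        if challenge is None or record is None or not response.isascii():
            return "reject"
        key, pin, duress_pin = record
        # The server computes both possible responses for this challenge.
        normal = token_response(key, pin, challenge)
        duress = token_response(key, duress_pin, challenge)
        if hmac.compare_digest(response, normal):
            return "accept"
        if hmac.compare_digest(response, duress):
            return "accept-duress"  # the host can tell the user is under duress
        return "reject"


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample values
    server = AuthServer()
    server.enroll("u1234", key, pin="4711", duress_pin="9999")

    challenge = server.issue_challenge("u1234")
    response = token_response(key, "4711", challenge)
    print("challenge", challenge, "response", response)
    print("first use :", server.verify("u1234", response))
    print("replay    :", server.verify("u1234", response))

    challenge = server.issue_challenge("u1234")
    print("duress PIN:", server.verify("u1234", token_response(key, "9999", challenge)))
```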

jim@cs.strath.ac.uk (Jim Reid) (11/17/88)

In article <8811090956.AA07706@LANAI.MCL.UNISYS.COM> perry@MCL.UNISYS.COM (Dennis Perry) writes:
>.... description of a password generating program
>I strongly encourage everyone to use such a password generator and not
>allow people to generate their own passwords.  

This is probably not a good idea. Programs which generate passwords can
all too easily generate a small number of potential passwords. All that
an intruder needs to do is establish the algorithm used (no doubt based
on a pseudo-random number generator) and then create a list of all the
potential passwords that the program generates. That list - which might
be quite small (say 50-100,000) - could then be encrypted and compared
with the entries in the password file. This would only take a few hours
CPU time to do. If all the users' passwords were forcibly chosen by a
password generating program, the intruder would get every password on
that computer!

Insisting that people use password generating programs (or enforcing
password ageing for that matter) is potentially dangerous. They give the
illusion of security (having frequent password changes and/or "random"
passwords) when in fact the choice of passwords in use is quite likely
to be sub-optimal.

		Jim
-- 
ARPA:	jim%cs.strath.ac.uk@ucl-cs.arpa, jim@cs.strath.ac.uk
UUCP:	jim@strath-cs.uucp, ...!uunet!mcvax!ukc!strath-cs!jim
JANET:	jim@uk.ac.strath.cs

"JANET domain ordering is swapped around so's there'd be some use for rev(1)!"

gillies@p.cs.uiuc.edu (11/17/88)

Password generators are a *nice idea*.  But I wouldn't rush out and
start using them without some thorough testing:

(1) Can you give me *an estimate* of the number of pronounceable
8-character words?  Will this program generate all of them?  If not,
exactly how many different words will it generate?

(2) What if I know, to within 1 minute, the time of creation of the
login (or last password change), and the password/random number
algorithm.  Can I exhaustively search for the password, assuming the
random number generator gets its seed from the clock?

(3) How *random* is the random number generator?  What is the period
of the generator?  What is the approximate "loss of randomness" when
mapping this number onto a password?  (i.e. if the map is not "onto",
on the average, how many seeds result in a given password?)

(4) Are some passwords generated much more frequently than others, by
this password generation program?
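
The questions above, and the earlier remarks about small seeds and small output sets, can be measured instead of argued. The following Python audit is an added example, not code from any poster or from RFC 972: it uses a constructed consonant/vowel alternation without digraph tables, and Python's `random.Random` as a stand-in for a generator whose only entropy is an integer seed.

```python
import math
import random
import secrets
from collections import Counter

# Constructed alphabet for illustration; real generators also use digraph tables.
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters
VOWELS = "aeiou"                    # 5 letters


def _alphabet(i):
    """Consonant at even positions, vowel at odd positions."""
    return CONSONANTS if i % 2 == 0 else VOWELS


def nominal_space(length=8):
    """Number of words the alternation rule allows, ignoring the seed."""
    return math.prod(len(_alphabet(i)) for i in range(length))


def seeded_password(seed, length=8):
    """Password fully determined by an integer seed (the design under audit)."""
    rng = random.Random(seed)
    return "".join(rng.choice(_alphabet(i)) for i in range(length))


def csprng_password(length=8):
    """Same word shape, but every letter is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(_alphabet(i)) for i in range(length))


def audit(seeds, length=8):
    """Measure what a set of possible seeds can actually produce."""
    counts = Counter(seeded_password(s, length) for s in seeds)
    distinct = len(counts)
    return {
        "seeds": sum(counts.values()),                      # seeds examined
        "distinct": distinct,                               # question (1)
        "bits": math.log2(distinct),                        # effective entropy
        "nominal_bits": math.log2(nominal_space(length)),   # what the shape allows
        "seeds_for_most_common": counts.most_common(1)[0][1],  # questions (3), (4)
    }


if __name__ == "__main__":
    # A 16-bit seed, the poorly built generator mentioned earlier in the thread.
    print("16-bit seed:", audit(range(2 ** 16)))
    # Question (2): clock seed known to within one minute at one-second
    # resolution. The timestamp is constructed.
    t0 = 595728000
    print("clock seed :", audit(range(t0, t0 + 60)))
    # No seed to enumerate: the full nominal space is reachable.
    print("csprng     :", csprng_password())
```

Whatever the word shape allows, the effective entropy can never exceed the base-2 logarithm of the number of possible seeds, which is why the seed source matters more than the pronounceability rules.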

perry@MCL.UNISYS.COM (Dennis Perry) (11/18/88)

Henry, you point out several interesting points that are not too
difficult to solve.  The latter one about writing down passwords is
relatively easy.  The passwords are pronounceable and easily remembered.
Now, you may argue that since you did not think it up, it is too hard,
but in practice, this is not a problem.

The first potential problem is the log on name.  Los Alamos does not
use 'names', but user numbers, which are assigned to employees and
people authorized for accounts on the system.  If you know something
about Los Alamos or people who work there you know a little about
the system, an outside hacker most likely would not.  In fact, we have
watched many hackers (all login attempts are logged) try all kinds of
names, but none with the right 'type' of number.

One of the things I did not say in my previous message (I was not trying
to give a definitive statement about how Los Alamos does things, since
I am no longer employed there) is that the first thing a user has to
get right is his login name.  This can be done many times, but since
attempts are logged, it soon becomes apparent that someone is trying
to get in.   When I left we were thinking about making the logging
of login attempts a real-time system which would alert the operations
desk which could then take action to shut down the port under attack.
So, a user would not normally be denied service except for the case
where his name was known to the hacker, or he guessed a valid user number
at random.  In addition, if a hacker were to get in, he still must 
get past the account checking, i.e. does he have an account with
money in the bank, and then he must logon to the machine itself, for
which he may or may not be authorized.

Again, there are lots of things we can NOT do, but that doesn't help
much.  Reasonable passwords are a good investment in system management.
Password aging is a good investment in system management.  To remove
these responsibilities from humans and entrust them to machines would
make it even better, since now we only have to worry about losing
a 'smart' card, and that can be reported and logged in the system.
In addition to a smart card, some of the type of things I was looking
at at DARPA was to use biological information to verify that the person
using the equipment was authorized.  Retina scans from 3-4 feet
now seem doable and would be non intrusive.  So, the general ideas
of using something one knows, something one has (object), and something
one is (bio) would make a fairly tight system.  (please spare me the
objections of plucking out someone's eyes to defeat the system, dead
eyes don't focus and retina scans pick that up too!)

dennis

ron@ron.rutgers.edu (Ron Natalie) (11/18/88)

Great, denial of service is almost as bad.  We need some obnoxious
person causing all the users to be blacklisted.  I typed bad passwords
to perry on mcl three times, I guess you either can't read this or
you don't have that code turned on.

-Ron

hal@GATEWAY.MITRE.ORG (Hal Feinstein) (11/18/88)

Before anyone falls too deeply in love with pronounceable passwords and
rushes off to install it maybe you should take a look at some others who've
used it.  I put pronounceable passwords into a network authentication server
about three years ago which had lots of office-type workers, not computer
people.  My goal: add some kind of psychological memory jog to help
people remember them.  Random strings no one remembers and most people
write'em down. Fine!  We'll do pronounceable passwords.  I based it on
the algorithm used by Multics. They hated it and wrote 'em down.
Now, years later I am a user of a Multics
system with pronounceable passwords, and I hate it!  Yes, I've been tempted
to write'em down.  A better system is pass phrases which uses DES and a
standard feedback chaining technique to develop a 64-bit result from a
variable length phrase.  A lot of password generation schemes beat the
dictionary attack such as a few small words glued together with a number
or other symbol. They are easier to remember than 8 characters of bizarre 
text.
 

pcg@aber-cs.UUCP (Piercarlo Grandi) (11/19/88)

In article <7178@charlie.OZ> jgm@charlie.oz.au (John Moorfoot) writes:

    In article <26010@bu-cs.BU.EDU> kwe@bu-it.bu.edu (Kent England) writes:

    >In article <8811090956.AA07706@LANAI.MCL.UNISYS.COM>
    > perry@MCL.UNISYS.COM (Dennis Perry) writes:
    >>
    >	When I was at InterOp I stopped by the Sytek booth to look at
    >their telnet server.  I was not impressed, except by a neat little
    >gizmo they had for their terminal server administrators.  It looked
    >like a calculator.  To use it you enter a PIN, like at your favorite
    >ATM machine.  Then when you log onto a secure port to administer your
    >Sytek terminal server, the login program gives you a sequence of
    >numbers.  You enter the numbers into the little gizmo and it gives you
    >a bunch of numbers back.  You enter these into the login program and
    >you are in.  Anyone catching this sequence over the net cannot
    >duplicate it, they don't have the little calculator gizmo and your
    >PIN.
		[ ........ ]
    A host program asks the PC for a challenge for a user, and the PC
    returns the challenge and two possible responses. The calculator
    can be programmed to accept two separate PINs, and will give a
    response to the challenge dependent on the PIN entered. This
    provides an additional degree of security, as the second PIN can
    be used (for instance) if the user is under duress.

		[ ......... ]

Actually all these systems just transform a "what you know" security to
a "what you have" security. There is no inherent improvement
in the overall security level, and actually it may be lower (more
components to compromise, etc...).

As to systems that automatically generate passwords, usually the
cardinality of the set of distinct passwords they can possibly generate
is vastly smaller than the cardinality of possible passwords, and
therefore they make it terribly easy to generate a list of all possible
passwords. What's the point of having a key space of 127^8 (8 ASCII chars)
if the password generators can only generate a few thousand or
dozen thousand different passwords (e.g. most generators based on trigraphs).

All these issues have been hashed to death in the past.

This is a TCP/IP group. Let's make some specific TCP/IP comments on
security -- a system that supports TCP/IP protocols must provide all
security itself. Security MUST be end-to-end, and MUST be based on
powerful encryption, such as RSA, and authentication MUST be based on
something like zero-knowledge proofs, and the human link still remains the
weakest. Protecting things like portions of the socket/host address
spaces will only stop children.

My general feeling is that security is NOT terribly important for a lot of
people, and that as somebody pointed out, it involves a total approach,
and is thus TERRIBLY expensive if done seriously. For example, one
of the attacks to a system is to send a fake os upgrade tape
labeled as though it were from the manufacturer... To foil these attacks
you must involve the manufacturer in your security approach.
-- 
Piercarlo "Peter" Grandi			INET: pcg@cs.aber.ac.uk
Sw.Eng. Group, Dept. of Computer Science	UUCP: ...!mcvax!ukc!aber-cs!pcg
UCW, Penglais, Aberystwyth, WALES SY23 3BX (UK)

david@ms.uky.edu (David Herron -- One of the vertebrae) (11/20/88)

This is interesting.  You say that your users *hated* pronounceable
but non-word passwords.  Hmm..  But that's the only sort of password
I ever have.  (Example:  Burple; don't worry, that password is a couple
of years old and isn't in use anywhere.).

Perhaps it's not just pronounceability that people want.  At least
for me, most of my passwords are sniglet type things, that is there
usually is something which might mean something.  After all, pronounceability
isn't all there is to something being rememberable.

Now, why is this discussion occurring in comp.protocols.tcp-ip/info-tcp-ip?
And the similar discussions going on in other groups.  We *need*
to have comp.security, and gateway it into a mailing list for those
who cannot receive news.
-- 
<-- David Herron; an MMDF guy                              <david@ms.uky.edu>
<-- ska: David le casse\*'      {rutgers,uunet}!ukma!david, david@UKMA.BITNET
<--
<-- Controlled anarchy -- the essence of the net.

perry@MCL.UNISYS.COM (Dennis Perry) (11/20/88)

Ron, we don't need you going around to check to see if
anybody has done anything to protect their machines.

I don't remember you being appointed Internet Cop!

Also, you did not get into mcl did you?  I rest my case.

dennis