[comp.protocols.tcp-ip] virulence of the recent virus

cracraft@venera.isi.edu (Stuart Cracraft) (11/06/88)

Some brief tests have shown that the recent virus attack could
breach approximately 4.6% of passwords on a typical large-sized
Unix mainframe, revealing 10-20 passwords.

All of this once again exposes the weakest link of any password-based
security system: the passwords.

As a system maintainer, the two best things you can do to increase
your ability to sleep at night are:

	* enable password aging

	* enable complex passwords


The first of these tells Unix to occasionally require that the
user input a new password and confirm it, giving the old password to
assure he is authorized. If you enable aging, for example, once every
month or two, every user who logs into your system will be required
to specify a new password.

The second of these is the more useful, but both are needed in
conjunction to close a lot of holes in Unix. This particular one requires
that the user specify a password with complex characters in it, 
either non-alphabetic, or numeric mixed with alphabetic and of
at least a certain length (10 characters seems like a good size).

Prior to this, the system maintainer can conduct an audit of the
system, looking for null password fields in /etc/passwd or using
Jim Gillogly's script (see earlier messages on this list) to
discover English language words already compromised by the
current attack (its candidate word list -- which will most surely
be in the hands of every small-fry youngster who sees the current
media-glory as a chance to gain new heights in his teenage years
by becoming a cracker). Hence, this list must always be checked
against.

Doing these three things (audit, aging, and complex) will greatly
increase the security of a system. Not all Unixes have the latter
two, but this is possible to implement.

	Stuart

guy@auspex.UUCP (Guy Harris) (11/08/88)

>As a system maintainer, the two best things you can do to increase
>your ability to sleep at night are:
>
>	* enable password aging

In an article in the October 1984 AT&T Bell Laboratories Technical
Journal - "UNIX Operating System Security", F. T. Grampp and R. H.
Morris - some doubt is expressed as to whether password aging really
should help system administrators sleep better at night:

	(Description of how password aging works)

	Four things are wrong here.  First, picking good passwords,
	while not very difficult, does require a little thought, and the
	surprise that comes just at login time is likely to preclude
	this.  There is no hard evidence to support this conjecture, but
	it is a fact that the most incredibly silly passwords tend to be
	found on systems equipped with password aging.

	Second, the user who discovers that the new password is unsound
	or compromised cannot change it within the week without help
	from the system administrator.  (This is a characteristic of
	implementations such as the System V one, which, once you've
	been forced to change your password, don't let you change it
	back for a week; of course, if you *can* change it back
	immediately, aging is pretty much advisory - gh)

	Third, the feature only forces people to toggle back and forth
	between two passwords.  This is not a great gain in security,
	especially if it encourages the use of less-than-ideal
	passwords.  (At an AT&T site, one person told me that it was
	common to add "0" to the end of their password, and toggle it
	between "0" and "1" whenever you were forced to change your
	password - gh)

	Fourth, as implemented, the date and the lifetime of a password
	is encoded, not encrypted, just after the encrypted password in
	the password file.  It is easy to write a program that scans a
	password file and prints out a list of abandoned accounts,
	together with the length of time each account has been unused. 
	Whether this is a horror or a blessing depends on your point of
	view.

>The second of these is the more useful, but both are needed in
>conjunction to close a lot of holes in Unix. This particular one requires
>that the user specify a password with complex characters in it, 
>either non-alphabetic, or numeric mixed with alphabetic and of
>at least a certain length (10 characters seems like a good size).

Except that UNIX systems tend to pay attention only to the first 8
characters of the password.
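
The "encoded, not encrypted" aging field in the fourth point above can be read back with a short script. The following is an added example, not from the quoted paper or from Guy's post. It assumes the System V passwd(4) layout: the hash, a comma, then the maximum lifetime in weeks, the minimum weeks before a change is allowed, and two characters giving the week of the last change counted from 1 January 1970 (low-order character first), each character encoding 0..63 in the alphabet "./0-9A-Za-z". The sample password file is constructed. Under forced aging a password older than its maximum lifetime means nobody has logged in since it expired, which is how the scan infers abandoned accounts.

```ruby
# Read the System V password-aging suffix back out of /etc/passwd and list
# accounts whose password expired long ago and was never renewed.
# Added example; the sample file below is constructed, and the field layout
# is the System V passwd(4) convention (an assumption stated in the lead-in).

AGING_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".freeze
SECONDS_PER_WEEK = 7 * 24 * 60 * 60

# One aging character to its 0..63 value.
def a64_value(ch)
  v = AGING_ALPHABET.index(ch)
  raise ArgumentError, "bad aging character #{ch.inspect}" unless v
  v
end

# Build an aging suffix: max weeks, min weeks, then the last-change week as
# two characters with the low-order six bits first.
def encode_aging(max_weeks, min_weeks, last_change_week)
  ok = [max_weeks, min_weeks].all? { |v| (0..63).cover?(v) } && (0...64 * 64).cover?(last_change_week)
  raise ArgumentError, "value out of range" unless ok
  [max_weeks, min_weeks, last_change_week % 64, last_change_week / 64].map { |v| AGING_ALPHABET[v] }.join
end

# Split a password field into its hash and decoded aging data; nil when the
# account carries no aging suffix at all.
def decode_aging(pwfield)
  hash, aging = pwfield.split(",", 2)
  return nil if aging.nil? || aging.empty?
  max_weeks = a64_value(aging[0])
  min_weeks = aging.length > 1 ? a64_value(aging[1]) : 0
  last_change_week = aging.length >= 4 ? a64_value(aging[2]) + 64 * a64_value(aging[3]) : 0
  { hash: hash, max_weeks: max_weeks, min_weeks: min_weeks, last_change_week: last_change_week }
end

# Weeks since 1 January 1970, the unit the aging field uses.
def week_number(time)
  time.to_i / SECONDS_PER_WEEK
end

# Accounts whose password is older than its maximum lifetime, as
# [user, weeks since last change, max weeks].  Accounts without aging, or with
# a zero maximum, carry no usable information and are skipped.
def abandoned_accounts(passwd_text, now_week)
  passwd_text.each_line.filter_map do |line|
    user, pwfield = line.chomp.split(":", -1)
    next if pwfield.nil?
    aging = decode_aging(pwfield)
    next if aging.nil? || aging[:max_weeks].zero?
    age = now_week - aging[:last_change_week]
    [user, age, aging[:max_weeks]] if age > aging[:max_weeks]
  end
end

# Constructed sample file, dated to the week of this thread.  The hash
# fields are placeholders; only the aging suffix matters to this scan.
NOW_WEEK = week_number(Time.utc(1988, 11, 8)) # 983
SAMPLE_PASSWD = [
  "root:#{'x' * 13},#{encode_aging(13, 1, NOW_WEEK - 2)}:0:1:Operator:/:/bin/sh",
  "alice:#{'y' * 13},#{encode_aging(13, 1, NOW_WEEK - 3)}:201:20:Alice:/u/alice:/bin/csh",
  "bob:#{'z' * 13},#{encode_aging(13, 1, NOW_WEEK - 83)}:202:20:Bob:/u/bob:/bin/sh",
  "carol:#{'w' * 13}:203:20:Carol:/u/carol:/bin/sh",
].join("\n") + "\n"

if __FILE__ == $0
  abandoned_accounts(SAMPLE_PASSWD, NOW_WEEK).each do |user, age, max|
    puts "#{user}: password #{age} weeks old, limit #{max}; no login for at least #{age - max} weeks"
  end
end
```

The scan reads nothing but the world-readable password file, which is the paper's point: the same field that lets an administrator find dormant accounts lets anyone else find them too.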

henry@utzoo.uucp (Henry Spencer) (11/09/88)

In article <6704@venera.isi.edu> cracraft@venera.isi.edu (Stuart Cracraft) writes:
>As a system maintainer, the two best things you can do to increase
>your ability to sleep at night are:
>
>	* enable password aging
>
>	* enable complex passwords

Both are mistakes.  See "UNIX Operating System Security", by F.T. Grampp
and R.H. Morris (the elder!) in the Bell Labs Technical Journal, Oct 1984.

>... If you enable aging, for example, once every
>month or two, every user who logs into your system will be required
>to specify a new password.

On the spur of the moment, which means that he often will make up a poor
password, or simply alternate between two passwords.  "The goal is
laudable.  The algorithm, however, is bad, and the implementation, from
a security standpoint, is just awful..."  (Grampp&Morris)

We thought about this for some time, and concluded that it is better to
gently remind users that their password is getting a trifle old, rather
than forcing them to change it.

>...This particular one requires
>that the user specify a password with complex characters in it, 
>either non-alphabetic, or numeric mixed with alphabetic and of
>at least a certain length (10 characters seems like a good size).

Things like this may be useful in moderation; for example, preventing
overly-short passwords is certainly a good thing.  However, it's very
hard to construct a simple algorithm that reliably ensures good passwords.
You may be discouraging users from choosing inventive passwords by putting
arbitrary barriers in their paths.  Grampp&Morris describe a successful
attack on systems using the above algorithm:  passwords consisting of the
20 most common female first names, followed by a single digit, let them 
onto every single one of the several dozen machines they surveyed.

(Incidentally, Unix truncates passwords to 8 characters, so requiring
10 is pointless.)
-- 
The Earth is our mother.        |    Henry Spencer at U of Toronto Zoology
Our nine months are up.         |uunet!attcan!utzoo!henry henry@zoo.toronto.edu
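
An audit of the kind Stuart's first post describes, written so that it also shows the two points raised in reply: a names-plus-digit candidate list of the sort Grampp and Morris report succeeding against "complex password" rules, and the 8-character truncation that makes a 10-character minimum pointless. This is an added example, not Gillogly's script or code from any of the posters. The password file, the word list and the first-name list are constructed; the name list is a stand-in, not the paper's. Hashing uses Ruby's String#crypt, which with a two-character salt calls the system's traditional DES crypt(3).

```ruby
# Audit a V7-style /etc/passwd: list accounts with a null password field, try
# a candidate list against every hash, and show that crypt(3) stops reading a
# password after 8 characters.
# Added example; the password file, word list and name list are constructed.

# Constructed stand-ins for the lists such an audit would use.
COMMON_NAMES = %w[Mary Susan Linda Karen Patricia Barbara Nancy Carol Sandra Donna].freeze
WORDLIST = %w[wombat elephant secret password unix].freeze

# Constructed sample /etc/passwd.  A real audit reads the live file; here the
# passwords are hashed with fixed salts so the example is self-contained.
SAMPLE_PASSWD = [
  ["root",  "Zx9!qL#m".crypt("Qr")],   # not derivable from the lists above
  ["guest", ""],                        # null password field
  ["mary",  "Susan1".crypt("H2")],      # name + digit: passes a "complex" rule
  ["jim",   "wombat".crypt("Pz")],      # plain dictionary word
  ["ann",   "elephant99".crypt("nK")],  # 10 characters, but crypt sees only "elephant"
].each_with_index.map { |(user, hash), i| "#{user}:#{hash}:#{100 + i}:20:#{user}:/u/#{user}:/bin/sh" }.join("\n") + "\n"

# Candidate passwords: the plain words, then every name in capitalised and
# lower-case form, bare and with a single digit appended.
def candidates
  return to_enum(:candidates) unless block_given?
  WORDLIST.each { |w| yield w }
  COMMON_NAMES.each do |name|
    [name, name.downcase].each do |n|
      yield n
      10.times { |d| yield "#{n}#{d}" }
    end
  end
end

def parse_passwd(text)
  text.each_line.map do |line|
    fields = line.chomp.split(":", -1)
    { user: fields[0], hash: fields[1] }
  end
end

# crypt(3) uses only the first 8 characters: a longer password hashes
# identically to its 8-character prefix under the same salt.
def truncated_by_crypt?(password, salt)
  password.length > 8 && password.crypt(salt) == password[0, 8].crypt(salt)
end

# Returns { null: [users with an empty password field], cracked: { user => password } }.
def audit(passwd_text)
  entries = parse_passwd(passwd_text)
  null = entries.select { |e| e[:hash].empty? }.map { |e| e[:user] }
  cracked = {}
  entries.each do |e|
    next if e[:hash].length < 2
    salt = e[:hash][0, 2] # traditional crypt stores the salt as the first two characters
    hit = candidates.find { |word| word.crypt(salt) == e[:hash] }
    cracked[e[:user]] = hit if hit
  end
  { null: null, cracked: cracked }
end

if __FILE__ == $0
  result = audit(SAMPLE_PASSWD)
  puts "null password fields: #{result[:null].join(', ')}"
  result[:cracked].each { |user, pw| puts "#{user}: #{pw.inspect}" }
end
```

Note that "ann" is recovered from the candidate "elephant" even though her password was "elephant99": the hash never saw the digits, so the extra length added nothing, and "mary" falls to the name-plus-digit rule that a simple complexity check would have accepted.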