Security of Password Protected Systems

Introduction

Authentication means checking who is using your system. Password and PIN based systems have become very popular for this purpose, as these are easy to design and use compared to the alternatives. Very many systems have been designed to use passwords for authentication. Even if better approaches exist for some purposes, passwords will be used for some time to come. Someone responsible for systems security is likely to want to achieve the best performance from password authentication systems.

Advantages to System Operator

Disadvantages

System Design Precautions

Various precautions can be introduced into the design of a password-based authentication system to improve performance. The design/implementation cost for these precautions is small, but the usability trade offs are greater.

Default passwords

If you are designing a system to manufacture or distribute (e.g. via CD-ROM or software download) to customers/users you might have to set the initial system administration passwords. Obviously it will be cheaper if all initial passwords are the same ... A better approach will require the installer to choose a password when using the installation program, or perhaps for a broadband router to have its password set to the serial number of the router - so long as the IP address of the installation is unknown to the distributor and the serial number is not made visible to the external network interface. Unfortunately there is a conflict of interest, in that the manufacturer and distributor want the lowest possible support costs.

Who loses if a password is broken ?

A student who leaves his password written down on a piece of paper in an empty room might lose the data on his or her own account, or more likely the confidentiality of it. This provides an incentive to the user to keep the password secret. Users whose personal interests are unlikely to be affected are more likely to compromise good practice in pursuit of convenience. Having Bob Cracker impersonate Alice Scholar affects other system user's interests through use of Alice's account to attack connected systems. If discovered the attack will be blamed on Alice. On an online system where all you need to get an account is an email address on another system, there is little incentive to protect the credentials.

If a privilege escalation attack can be launched on any network resources protected by this system, Bob only needs to break the security on one account out of thousands, so in this situation everyone who uses this network could lose if any one account is vulnerable.

Some other attacks

The bogus system

How do you know when you input a password to a system, that the system isn't bogus ? Microsoft Windows XP requires use of the control, alt and del keys prior to inputting a password, and makes it difficult to create an application which will trap this key combination. This doesn't prevent someone from booting another operating system from CD and presenting a password input sequence which looks just like Windows XP's. This attack pattern gets repeated in new contexts - e.g. thieves installing bogus ATMs to skim credit cards and PINs.

Variable response delays

This is similar to the old bicycle combination lock attack that relies on differences in feel of each of 4 rotors as its open point is passed. If the delay in getting a "wrong password" message depends upon which character position tests wrong, this gives an attacker opportunities to get each of 8 characters in a password right before trying the others, greatly reducing the number of failed attempts needed.

Passing passwords over the wire in the clear

If a users credentials on a client are passed to a server over the network connection, security of this system depends upon preventing someone from sniffing the wire. Early versions of Sun's Network File System and Microsoft's similar SMB protocol are vulnerable. These old configurations persist much longer than the replacement technology is available for various reasons.

Keylogging

If the keys all sound exactly the same or draw exactly the same current from the power supply, or if an attacker only has network access to a system with a keyboard, it could still be possible for an attacker to install a program that logs the keystrokes.

Brute force

A system that will defeat a casual user who inputs passwords manually might be easily defeated by a script that simulates a user. Programs such as wget are designed to be able to automate any HTTP request. A 4 digit PIN protected system only requires a loop to run 10,000 times - though 4 digit PINs tend not to start with a '0', reducing the keyspace to 9,000. The best possible 8 digit Unix passwords using any of 96 easily input characters allow for 252 combinations. If the hash file is available, this number is subject to attack using a network of new computers and a few days to run through all the possible passwords. In practice few actual passwords are chosen from such a large set. A password which is in a spelling dictionary might be broken in less than 216 attempts.