Home > Articles

  • Print
  • + Share This

Threats to Passwords

In the classic The Cuckoo's Egg , Clifford Stohl describes a strong password as one which is highly resistant to a dictionary attack by tools such as Crack. The use of "hard-to-crack" passwords has been a prime focus of password security ever since. Without minimizing the importance of such safeguards, a well-configured Unix system of today uses a shadow file, Kerberos, or some other system that makes even encrypted passwords unavailable to anyone without administrative privileges. In order to read the /etc/shadow file, for instance, an attacker must compromise a system to an extent at which user password security is not the primary problem.

Passwords today are much more vulnerable to sniffing, shoulder-surfing, and voluntary disclosure than to cracking. There is little that users can do to avoid password sniffing other than to use software that establishes secure sessions, such as SSH. SSH should be available on all the systems you support and user education should include its use. Unlike much other security software, SSH requires no more effort by users than insecure software, such as telnet. In addition, SSH can provide extra features such as automatic X forwarding.

Shoulder-surfing is the practice of staring at the keyboard while someone types a password. It is so obvious that many people can't believe that anyone would do it. Users need to be aware of the "new etiquette" under which anyone may be asked to step away or look somewhere else during user authentication. There is also some value in using uppercase letters and control characters in passwords, because they require two or three fingers to type a character and are that much harder for a casual observer to follow.

Voluntary disclosure is the biggest problem. Some people are unaware that sharing your password means sharing it with anybody. The following dialog occurs frequently when investigating a compromised account:

Investigator:

"Have you shared your password with anyone?"

User:

"No, never."

Investigator:

"Think now. Is there anyone else at all who can access your account?"

User:

"No. I'm sure I haven't shared it."

Several minutes pass...

Investigator:

"Is there anyone other than you who would know that this is your password?"

User:

"Well, my boyfriend/ girlfriend/ mother/ father/ roommate/ dog/ cat/ parakeet knows it."

Investigator:

"Why did you say that you hadn't shared it?"

User:

"I didn't. Just with my boyfriend/ girlfriend/ mother/ father/ roommate/ dog/ cat/ parakeet."

Emphasize to your users that affection and trust can be expressed with flowers, rawhide bones, and other appropriate gifts. Passwords are for authentication.

Another type of voluntary disclosure is the sticky note. Often a user will write the password on a sticky note stuck to a monitor until it has been memorized (and then forget to take down the note). It is next to impossible to prevent users from writing down passwords, but they can be told that the policy against disclosing passwords will be applied only if the note is visible. As long as it is kept in a wallet or coin purse or some other reasonably safe and protected place, you may want to avoid making a fuss.

  • + Share This
  • 🔖 Save To Your Account

Related Resources

There are currently no related titles. Please check back later.