PASSWORD CRACKING
Password Paradox: Insecure Security
Knowing how intruders take advantage of ineffective passwords can help you improve your security posture.
No matter what security precautions are added to computer systems, poorly chosen passwords can allow unauthorized access. As noted in the case studies sidebar (page 30), we've found that in most computer networks, 35 to 80 percent of passwords can be easily guessed.
Poorly chosen passwords aren't, however, the only vulnerability that threatens host security. Because of the overabundance of idle CPU time, the now-common computer network, and heightened awareness of encryption techniques, highly efficient, encryption-breaking computers are now a reality. Once administrators understand the importance of password security and the common approaches to breaking it, they can work to better protect their systems by implementing effective security policies.
Breaking passwords
Although many administrators believe that attacks against the front-end security of a host are likely to fail, our experience shows that most sites are vulnerable to some sort of password guessing. Password guessing isn't just a matter of finding words -- it uses deductive methods to determine the most likely passwords for specific circumstances.
Some simple, initial deductions are easily explained. In many instances, an account locks a user out after three failed password attempts within an hour. Hackers must, therefore, choose their first two guesses carefully. A good first choice is the user's user ID -- still the most common insecure password in use. If the employee travels, another common password choice is a city name. For example, if an employee is in Denver, he chooses DENVER as the password, if in San Francisco, SANFRAN, and so on.
Another way to find weak passwords is to use the computer's default configuration. Frequently, there are accounts left over from installation that can allow hackers access to the system. Hundreds of default accounts can be collected from standard sources to locate poorly configured hosts. Based on external audits of remote passwords run against a database of these default accounts, most networks have been shown to have problems in this area. Examples of these default passwords are illustrated in table 1.
| Account | Password | System |
| --- | --- | --- |
| oracle | oracle or master | UNIX or NT |
| autocad | autocad | UNIX or NT |
| guest | guest | UNIX or NT |
| demos | demos | UNIX or NT |
| p | <none> | UNIX |
| games | <none> | UNIX |
Table 1: Default passwords -- Accounts left over from installation can provide system access to intruders.
Remote attacks
The next step to gain network access via passwords is to attack services remotely. Some methods are more effective than others. This section describes three of the most popular services that are remotely attacked.
Post Office Protocol (POP)
POP is one of the least secure network services: many versions of Post Office Protocol don't log authentication failures, and increasing its security requires building a custom version of the server. This means that a remote user can try thousands of passwords against a typical POP server and never be logged, or for that matter, disconnected. Users must have a password; not having a password causes the login attempt to be refused by POP. Since POP doesn't log attempts, entire dictionaries can be tried against users of a system with no more notice than perhaps an increase in computer resource use. Our experience indicates speeds as high as 600 password guesses per minute can be reached using POP remotely.
Internet Mail Protocol (IMAP)
Like POP, IMAP also doesn't log authentication attempts by default. Later versions of IMAP do disconnect, but logging is still turned off, so a persistent program can reconnect and continue trying. Once again, entire dictionaries can be tried without notice. We've achieved speeds of up to 200 attempts per minute using IMAP.
File Transfer Protocol (FTP)
FTP logs and disconnects users after a few failed guesses, but still provides a means for a dedicated password cracker to try a few passwords before being forced to reconnect to continue guessing. On average, a remote attack against FTP may be able to try about 80 passwords per minute, which is considered slow. Consequently, FTP is a more secure service than POP or IMAP because it has logging facilities, and slows down the attack process by implementing delays between login attempts and disconnecting users.
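The practical difference between the three services above is that FTP leaves a record. The following added example (not code from the article or from DMW) shows what an administrator can do with that record: it parses constructed failed-login lines in a syslog-like format (the format itself is an assumption, not the output of any particular FTP daemon), finds sources whose failures cluster within a sliding one-minute window even though the server disconnects them after a few attempts, and computes how long the quoted guessing rates would need to work through a 30,000-word dictionary.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real daemon output. One line per failed
# authentication; the first source reconnects and keeps guessing, the second
# is an ordinary user mistyping twice.
SAMPLE_LOG = """\
Jan 12 09:01:03 mailhost ftpd[4021]: failed login from 10.0.0.5, user jqpublic
Jan 12 09:01:04 mailhost ftpd[4021]: failed login from 10.0.0.5, user jqpublic
Jan 12 09:01:05 mailhost ftpd[4021]: failed login from 10.0.0.5, user jqpublic
Jan 12 09:01:09 mailhost ftpd[4022]: failed login from 10.0.0.5, user jqpublic
Jan 12 09:01:10 mailhost ftpd[4022]: failed login from 10.0.0.5, user jqpublic
Jan 12 09:01:11 mailhost ftpd[4022]: failed login from 10.0.0.5, user jqpublic
Jan 12 09:30:00 mailhost ftpd[4050]: failed login from 10.0.0.9, user alice
Jan 12 09:44:21 mailhost ftpd[4051]: failed login from 10.0.0.9, user alice
"""

# Assumed line layout: syslog timestamp, host, "ftpd[pid]:", then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"failed login from (?P<src>[\d.]+), user (?P<user>\S+)$"
)


def parse(log):
    """Turn matching log lines into (timestamp, source, user) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    return events


def peak_failures(events, window=timedelta(minutes=1)):
    """Highest number of failures from each source inside any sliding window."""
    by_src = defaultdict(list)
    for ts, src, _ in events:
        by_src[src].append(ts)
    peak = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peak[src] = best
    return peak


def guessing_sources(log, threshold=3):
    """Sources that exceed `threshold` failures per minute; the disconnect after a
    few failures means a legitimate user rarely gets this far in one minute."""
    return sorted(src for src, n in peak_failures(parse(log)).items() if n > threshold)


def minutes_to_try(words, rate_per_minute):
    """How long a remote attacker at the given rate needs for a wordlist."""
    return words / rate_per_minute


if __name__ == "__main__":
    print("guessing from:", guessing_sources(SAMPLE_LOG))
    for rate in (600, 200, 80):  # POP, IMAP and FTP rates quoted in the text
        print(f"{rate:>4}/min: {minutes_to_try(30000, rate):.0f} min for 30,000 words")
```

The threshold is a tuning choice; the point is that a service that logs every failure makes this kind of check possible at all, which is exactly what POP and IMAP, as described above, deny the administrator.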
Attempts against encrypted strings
Passwords are often encrypted. This offers two kinds of protection: the strength of the encryption method and the time it takes to try to guess a password. If there's no easy approach to decrypting an encrypted string, it becomes easier and more effective to guess passwords using dictionaries. This is where the time factor plays a critical role.
It's a false assumption that with encryption, faster is better. If an encryption technique is extremely fast, passwords can also be guessed extremely fast. When very high speeds are reached, attempting ALL of the possible passwords becomes feasible in a reasonable time, making no password exempt from cracking.
The most accepted standard used for passwords is the Data Encryption Standard (DES). It originally took a full second of CPU time to validate a password. This time frame means that using a complete dictionary to guess a password would take a significant amount of time. However, technology is overtaking DES rapidly, with common computers capable of 20,000 DES encryptions per second. Even with these innovations, it's still fairly simple to pick a DES password that can remain unguessed under a brute-force attack for a long period of time.
Salting passwords
On computers with hundreds or thousands of users, there's the possibility of two or more users picking the same password. To prevent people from noticing this similarity, passwords may be "salted" to enforce uniqueness. A salt is a scramble applied in addition to the cryptographic technique used to generate the encrypted password. Consider, for example, a typical DES password:
fTkD5.JeqOlP
The first two characters, fT, are the salt: they record how the encryption of this particular password was scrambled. This prevents people from accidentally making the connection that two passwords are identical.
Besides masking identical passwords, a salt also forces hackers to calculate passwords individually, meaning that each password attempt can't be applied to all the people on the machine at the same time. This slows down the password guessing process.
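The two effects of the salt can be shown in a few lines. The following is an added example, not code from the article: it reads the salt out of a traditional crypt(3) string such as fTkD5.JeqOlP, and then uses SHA-256 as a stand-in for the DES routine (an assumption made only so the example runs without the deprecated crypt module; the real format is 2 salt characters followed by 11 characters of DES output) to show that unsalted entries reveal shared passwords and can be attacked with one computation per dictionary word, while salted entries cost one computation per word per distinct salt.

```python
import hashlib
import secrets

# Traditional crypt(3) salt alphabet: 64 symbols, two characters, so at most
# 4096 distinct salts on one system.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def salt_of(crypt_string):
    """The salt is stored in the clear as the first two characters."""
    return crypt_string[:2]


def new_salt():
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(2))


def hash_password(password, salt):
    """Stand-in for DES crypt(): returns (salt, digest). An empty salt models
    an unsalted scheme such as LAN Man."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return (salt, digest)


def verify(password, entry):
    salt, _ = entry
    return hash_password(password, salt) == entry


def duplicates_visible(entries):
    """Can someone reading the password file see that two users share a password?"""
    digests = [d for _, d in entries]
    return len(set(digests)) < len(digests)


def guess_cost(wordlist_size, entries):
    """Hash computations needed to try every word against every entry.

    Without salts a single computation per word serves every user; with salts
    each distinct salt forces its own pass over the wordlist.
    """
    distinct_salts = {s for s, _ in entries}
    return wordlist_size * len(distinct_salts)


if __name__ == "__main__":
    print("salt of fTkD5.JeqOlP:", salt_of("fTkD5.JeqOlP"))
    unsalted = [hash_password("secret", ""), hash_password("secret", "")]
    salted = [hash_password("secret", new_salt()), hash_password("secret", new_salt())]
    print("shared password visible without salt:", duplicates_visible(unsalted))
    print("shared password visible with salt:", duplicates_visible(salted))
    print("cost, 30,000 words, 2 users, unsalted:", guess_cost(30000, unsalted))
    print("cost, 30,000 words, 2 users, salted:", guess_cost(30000, salted))
```

The cost function is where the "calculate passwords individually" remark above comes from: with a full 4096 salts in use on a large host the attacker's work against the dictionary grows by up to that factor, which is what LAN Man, discussed next, gives away.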
An example of failure
The LAN Man problem in Windows NT was originally discovered and made public by the individuals at L0pht Heavy Industries (http://www.lopht.com/). The LAN Man passwords used by Windows NT 4.0 and earlier have no salts, and use a very rapid encryption process. As a result, a program called L0phtcrack was developed that could break Windows NT passwords through both dictionary attack and brute force.
Our experience indicates that L0phtcrack can guess any LAN Man password using numbers and letters in a week's time, regardless of the length of the password. If this seems like a long period of time, note that we've successfully attacked systems for days -- without trying to hide -- without anyone noticing.
Twelve steps of cracking passwords
Although we've given examples of strong and weak password methods, we still haven't defined what a strong or weak password is. For example, is "Gomen!" (the Japanese word for "excuse me" or "I'm sorry") a strong password? It isn't in an English dictionary; it has punctuation, and the first letter is capitalized -- all of which can be attributes of a strong password. Just how good a password is it? Is there a secure way to pick a password that would make it difficult to break even if the encryption were weak?
A good password can withstand a certain amount of password cracking attempts. The amount of patience an intruder has is finite, however, which means that even a dedicated hacker wouldn't want to run cracking software for years to guess a single password. This gives you a scale to use in assessing the various methods of password cracking. The scale sets out password-cracking methods in order, by the number of guesses made per technique, which indicates how much effort is required by each method to examine the passwords. In the process of reviewing these phases, we also determine at what point the password Gomen! breaks down.
Step 1: Is there a password?
In step 1, no password guesses are made, since the first thing any password cracker does is check to see if the user has a password. A large number of hosts are broken into simply because accounts don't have passwords.
Step 2: Is the user ID the same as the password?
In this step, one guess is made, since the second thing a password cracker does is check to see if the user ID and user password match. On many accounts, they're the same because it makes it easy to remember, and because many administrators change account passwords to the user ID whenever users forget their passwords.
Step 3: Is the password derived from the user’s name?
This is a slightly more complex version of step 2, and between 1 and 1,000 guesses are made (usually around 50). For example, where the account name is jqpublic, the password could be Public, John, JohnQPub, etc. In cases where servers have a large number of users and no password policy, typically 5 to 10 percent of the accounts on the system are guessed at this step.
Step 4: Uses the collegiate dictionary wordlist and namelist.
Approximately 30,000 guesses are made in step 4. Many passwords are guessed by using a simple wordlist from a common hand-held dictionary. The most common of these, password, secret, private, and so on, can be guessed using this method. Typically, a dictionary of this size is provided with most UNIX computers in the /usr/dict directory. Added to this dictionary is a list of common names. The names of relatives and loved ones are also popular passwords.
Remote attacks can handle up to step 4 and still be viable, since the fastest remote attack handles 800 attempts per minute (one-half hour per user), and the slowest is at 80 (over six hours per user). An attacker could conceivably make this many attempts before a person working normal work hours would notice.
This is the last step where we consider an account insecure from an outside attack by casual examination. Any additional time spent on breaking a password remotely would amount to a focused attack on a single individual, which slows an intruder down considerably and decreases the chance of a speedy success. Passwords cracked in this phase are genuinely insecure -- they're easily guessed both locally and remotely, which leaves the hacker with a reasonable chance of a successful attack without being caught.
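Steps 1 to 4 are cheap enough that a password-changing program can run them before accepting a new password, which is the defensive use of the same deductions. The following added example (not code from the article, CrackIT or the Shadow suite) does that: it carries the default-account pairs from Table 1, derives the step 3 candidates from the account and real name in the way the jqpublic example describes, and reports the lowest step at which a proposed password would fall. The wordlist and namelist are constructed stand-ins for /usr/dict/words and a names file.

```python
import re

# Constructed stand-ins for a hand-held dictionary and a common-names list.
WORDLIST = {"password", "secret", "private", "public", "denver", "tennis", "court"}
NAMELIST = {"john", "jane", "mary", "alice", "bob"}

# Table 1 from the article: default accounts and the passwords they ship with
# ("" stands for <none>).
DEFAULT_ACCOUNTS = {
    "oracle": {"oracle", "master"},
    "autocad": {"autocad"},
    "guest": {"guest"},
    "demos": {"demos"},
    "p": {""},
    "games": {""},
}


def is_default_credential(username, password):
    """True when the account/password pair is one of the installation defaults."""
    return password.lower() in DEFAULT_ACCOUNTS.get(username.lower(), set())


def name_derivations(username, fullname):
    """Step 3 candidates built from the account and real name.

    For jqpublic / "John Q. Public" this yields public, john, johnqpub and a
    few more, the kind of guesses the text lists for this step.
    """
    parts = [p.lower() for p in re.split(r"[\s.]+", fullname) if p]
    cands = {username.lower(), *parts}
    if len(parts) >= 2:
        initials = "".join(p[0] for p in parts)
        cands.add(initials)                                   # jqp
        cands.add(parts[0] + parts[-1])                       # johnpublic
        cands.add(parts[-1] + parts[0])                       # publicjohn
        cands.add(parts[0] + initials[1:-1] + parts[-1][:3])  # johnqpub
    return cands


def weakness_step(username, fullname, password):
    """Lowest step (1 to 4) at which the password would be guessed, or None."""
    if not password:
        return 1                                    # step 1: no password at all
    pw = password.lower()
    if pw == username.lower():
        return 2                                    # step 2: user ID as password
    if pw in name_derivations(username, fullname):
        return 3                                    # step 3: derived from the name
    if pw in WORDLIST or pw in NAMELIST:
        return 4                                    # step 4: dictionary or name list
    return None


def check_new_password(username, fullname, password):
    """Decision at password-change time: (accepted, reason)."""
    if is_default_credential(username, password):
        return False, "default installation password"
    step = weakness_step(username, fullname, password)
    if step is not None:
        return False, f"would be guessed at step {step}"
    return True, "survives steps 1 to 4"


if __name__ == "__main__":
    for pw in ("", "jqpublic", "JohnQPub", "secret", "Gomen!"):
        print(repr(pw), check_new_password("jqpublic", "John Q. Public", pw))
```

Gomen! passes this check, as the text says it should; the filtering and international-dictionary steps that eventually catch it come later in the sequence.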
Step 5: Uses the complete English wordlist.
In this step, approximately 150,000 guesses are made, and any other language can be substituted. The theory behind this wordlist is that it contains, in addition to the words in step 4, unusual or famous people's names, labels from pop culture, names from classic arts, words taken from science, and all the language's dictionaries in unabridged form. Step 5 remote attacks would only be likely on computers that an administrator doesn't examine for weeks at a time or where the hacker is targeting a specific account.
Step 6: Uses the complete international wordlist and patterns list.
In this step, approximately 2,500,000 guesses are made, and everything in wordlist form is fair game. Patterns, such as 111111, 123456, abcdef, qwerty, zxcvbn, etc., are also added to the list. As an example, the CrackIT database covers about 20 languages other than English, including Scottish, French, Russian, German, Japanese, Chinese, Finnish, Swedish, and Spanish.
Step 7: Uses the collegiate dictionary wordlist with filtering.
Approximately 3,000,000 guesses are made in step 7. Filtering is a technique used when a host has a password enforcement system that forces users to choose passwords using lowercase and capital letters, numbers, and symbols. Since most people still want passwords that are easy to remember, they tend to satisfy the rule by altering an insecure password slightly, for example, turning "secret" into the only marginally better "secret!".
Here are some examples of filtering using the word secret:
| Original | Becomes | Rule |
| --- | --- | --- |
| secret | secret! | Add exclamation mark |
| secret | s3cr3t | 3 as a backwards E |
| secret | Secret | Add capitalization |
| secret | SECRET | Entirely capitalized |
| secret | terces | Reversed |
Good filtering rules should overlap each other, so that SECRET! or S3cr3t are also tried.
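Because the attacker's rules overlap, a password check has to undo them in combination as well. The following added example (not code from the article or from CrackIT) takes the defender's side of step 7: rather than generating variants, it reduces a proposed password back to every base form the rules above could have started from (strip trailing punctuation and digits, reverse the substitutions, lowercase, reverse the string) and looks those up in the dictionary. The wordlist is a constructed stand-in for /usr/dict/words; the substitution table is an assumption that goes slightly beyond the page's single "3 for E" rule.

```python
import string

# Constructed stand-in for the collegiate dictionary wordlist.
WORDLIST = {"secret", "password", "private", "public", "denver"}

# Assumed substitution table, extended beyond the article's "3 for E" example.
UNLEET = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s"})


def base_forms(candidate):
    """Every dictionary word the candidate could have been built from.

    The rules are applied in combination, so SECRET! and S3cr3t both come back
    as "secret", which is what overlapping filtering rules would try.
    """
    forms = set()
    stripped = candidate.strip(string.punctuation + string.digits)  # secret! -> secret
    for s in {candidate, stripped}:
        for t in {s, s.translate(UNLEET)}:          # s3cr3t -> secret
            low = t.lower()                          # Secret, SECRET -> secret
            forms.add(low)
            forms.add(low[::-1])                     # terces -> secret
    forms.discard("")
    return forms


def filtered_variant_of(candidate, wordlist=WORDLIST):
    """The dictionary word a candidate is a filtered variant of, or None."""
    hits = base_forms(candidate) & wordlist
    return min(hits) if hits else None


def check_password(candidate, wordlist=WORDLIST):
    """Policy decision: reject anything a step 7 attack would reach."""
    word = filtered_variant_of(candidate, wordlist)
    if word is not None:
        return False, f"filtered variant of dictionary word {word!r}"
    return True, "not a filtered dictionary word"


if __name__ == "__main__":
    for pw in ("secret!", "s3cr3t", "Secret", "SECRET", "terces", "SECRET!", "S3cr3t", "Gomen!"):
        print(f"{pw:10} {check_password(pw)}")
```

With an English wordlist Gomen! survives this check too; only an international dictionary with the same filtering (step 9) reaches it, which matches where the text says it fails.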
Step 8: Uses complete English with filtering.
In this phase, approximately 15,000,000 guesses are made, as the escalation of the number of guesses per phase becomes rather extreme. The technology doesn't exist to finish a remote attack using this method. This is because the speed of the network connection, as well as packet protocol overhead, makes it impossible to use this method remotely without detection.
Step 9: Uses complete international wordlist with filtering.
This is the last phase, approximately 250,000,000 guesses, where it's still reasonable to try to crack UNIX DES. On a typical PC workstation, it would take 18 hours for a single account to be examined using this technique. This is also the point where Gomen! would fail, requiring an international dictionary and filtering to recognize it.
Step 10: Uses brute force (letters a to z only).
In step 10, there are approximately 205 billion guesses for DES and 8 billion for Windows NT LAN Man. At the time of this writing, brute forcing DES at any level takes some time. In our experience, we've achieved speeds of a billion crack attempts per day using moderate lab equipment (see "Case Study: Two UNIX Password Penetration Tests"). At a billion attempts per day, however, it still takes over half a year to cover all the possibilities just for lowercase alphabet characters.
Windows NT has fewer guesses because it has a maximum of seven characters in its passwords, while DES contains eight. (Note: It's possible in Windows NT to choose passwords longer than seven letters, but due to its LAN Man implementation, only seven letters need to be guessed.) Brute force is highly dependent on the length of the password, acceptable characters in the password, and the speed of the encryption technique.
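The figures in step 10 follow from the length cap of each scheme and the size of the character set. The following added example (not code from the article) carries that arithmetic: 26^8 is about 209 billion, which is the "approximately 205 billion" quoted for DES, 26^7 is about 8 billion for LAN Man, and dividing by a rate of a billion attempts per day gives the half year the text mentions. The length caps are the documented ones (eight characters for crypt(3), seven-character halves for LAN Man); the rate is the one quoted above.

```python
# Length caps: crypt(3) uses only the first eight characters, and LAN Man
# hashes each seven-character half separately, so only seven need guessing.
DES_MAX_LEN = 8
LANMAN_MAX_LEN = 7

LOWERCASE = 26       # a-z
LOWER_DIGITS = 36    # a-z plus 0-9, the set L0phtCrack 2.0 is quoted for


def keyspace(alphabet_size, max_len, min_len=1):
    """Number of candidates of length min_len..max_len drawn from the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def effective_length(password_len, scheme):
    """Characters an attacker actually has to guess under each hashing scheme."""
    cap = {"des": DES_MAX_LEN, "lanman": LANMAN_MAX_LEN}[scheme]
    return min(password_len, cap)


def days_to_exhaust(candidates, rate_per_day):
    return candidates / rate_per_day


def brute_force_cost(scheme, alphabet_size, rate_per_day, password_len=14):
    """(candidates, days) for exhausting the full-length keyspace of a scheme.

    Only the effective length matters: a 14-character LAN Man password costs
    no more than a 7-character one, which is the point the text makes.
    """
    n = effective_length(password_len, scheme)
    total = keyspace(alphabet_size, n, n)
    return total, days_to_exhaust(total, rate_per_day)


if __name__ == "__main__":
    rate = 1_000_000_000  # a billion attempts per day, as quoted in the text
    for scheme in ("des", "lanman"):
        for name, size in (("a-z", LOWERCASE), ("a-z0-9", LOWER_DIGITS)):
            total, days = brute_force_cost(scheme, size, rate)
            print(f"{scheme:7} {name:7} {total:>16,} candidates  {days:8.1f} days")
```

Running it shows the three levers the paragraph names: length (the cap), character set (26 against 36), and speed (the divisor), with the character set having the largest effect once the length is fixed.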
Step 11: Uses brute force with extended character sets.
The number of guesses for step 11 is dependent upon the cryptographic method and character sets chosen. Extended character sets add strength to passwords -- it takes a significant amount of time to break passwords using symbols, such as tildes, curly brackets, pipes, and strikes. People using these in passwords have reasonable protection from having their passwords guessed by even the speediest password crackers.
Is the length of time it would take to crack these passwords unreasonable? Not in all cases. L0phtCrack 2.0 is capable of running a brute-force password crack for the character set {a-z, 0-9} in about a week's time. Any additional characters, however, would increase the time required from a week to months, and then into years.
Step 12: Uses brute force to extinguish all possibilities.
The number of guesses required is dependent upon the cryptographic method employed, but once this step is completed, the password is always guessed. Due to the speeds of computer systems available and the technology curve of advancement, this is probably unfeasible as a reasonable attack for at least 15 more years. DES is estimated to require 281,000,000,000,000 different password guesses, before all the passwords are exhausted. This is, basically, the evidence needed to support the idea that it's easier for a hacker to guess many weaker passwords than to break a single, strong one.
Custom steps
Other password forms fall outside these 12 steps, especially those generated by computers to prevent people from picking extremely weak passwords. Examples of these include passwords that are combinations of two words and a symbol (tennis%court, teacup&beach, horse#boat) and computer-generated syllabic passwords (colfiedie, yaremasic). These are inherently vulnerable (they prevent picking much better passwords, and are predictably made), but don't fit any of the non-brute force methods. Therefore, these special situations need to be addressed on a case-by-case basis.
How much security do I need?
From our collected case studies on UNIX computers, it's apparent that steps 1 to 4 represent the greatest danger, and are where the largest numbers of passwords are cracked. Typically, 35 percent of the passwords found fall under step 3. About three percent fall under step 1, and five percent under step 2 (although percentages for this step are as high as 40 percent on Windows NT). Up to 35 percent more are cracked under step 4 (using a dictionary and namelist), and there tends to be a five to seven percent guess factor for each additional phase. Of course, these percentages are based on human deductive efforts and password education, and therefore, are only estimations.
DMW recommends different levels of password security, based on a system or host's configuration. In the list that follows, security is recommended for various business environments, with the step through which the system should be made secure noted. These are general recommendations, and don't reflect unique circumstances that might require tighter security measures.
For UNIX using DES, you should protect yourself through these levels of attack:
| Environment | Secure through |
| --- | --- |
| Single-user UNIX workstation | Step 4 |
| Small business without external network connectivity | Step 4 |
| Medium to large business without external network connectivity | Step 5 |
| Medium to large business connected to Internet | Step 6 |
| Computers with network administration function/targets | Step 8 |
| Systems with sensitive information | Step 9 |
For Windows NT:
| Environment | Secure through |
| --- | --- |
| Non-Internet connected business workstations | Step 6 |
| Medium to large business connected to the Internet | Step 10 |
| Computers with network administration function/targets | Step 11 |
| Systems with sensitive information | Step 11 |
Password security software: How much protection?
With Service Pack 3 for Windows NT, PASSFILT.DLL can force users to select more complicated passwords. These passwords must then use characters from three of four character sets: lowercase letters, uppercase letters, numbers, or punctuation and symbols. This doesn't prevent passwords from being easily guessed with the password cracker via brute force, but it makes it difficult for users to pick passwords containing their account name, initials, or other short and simplistic selections that create weak passwords. L0phtCrack or CrackIT can also be used periodically to determine if users are adhering to proper password security.
There are several programs that enhance security by first trying to see if the password appears to be insecure. One of the most popular software packages is the Shadow Password suite of tools available free from ftp://nic.funet.fi/pub/unix/security/passwd/shadow/shadow-3.3.tar.gz. This suite of tools installs a replacement password program on the UNIX host that requires each password to have letters and characters in it.
Both Service Pack 3 and Shadow Password suite are easy to install and straightforward to implement.
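The rule PASSFILT.DLL enforces is small enough to state in code. The following added example (not Microsoft's filter, nor code from the article) implements the three-of-four character-class rule and the account-name and initials checks described above; the six-character minimum and the check against parts of the user's full name are assumptions taken from the documented filter rather than from this page. Running it on the "secret" family shows the limitation the text points out: Secret!1 satisfies every rule here and still falls to step 7 filtering.

```python
import string


def character_classes(password):
    """Which of the four classes (lower, upper, digit, symbol) the password uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def passfilt_like(username, fullname, password):
    """Reasons a PASSFILT-style filter would reject the password; empty means accepted.

    Modelled on the rules the text describes (three of four classes, no account
    name or initials); the 6-character minimum and the full-name check are
    assumptions from the documented filter.
    """
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    if len(character_classes(password)) < 3:
        reasons.append("fewer than three of four character classes")
    low = password.lower()
    if username and username.lower() in low:
        reasons.append("contains account name")
    parts = [p.lower() for p in fullname.replace(".", " ").split()]
    for p in parts:
        if len(p) >= 3 and p in low:
            reasons.append(f"contains name part {p!r}")
    initials = "".join(p[0] for p in parts)
    if len(initials) >= 2 and initials in low:
        reasons.append("contains initials")
    return reasons


if __name__ == "__main__":
    for pw in ("secret", "secret!", "Secret!1", "jqpublic1!", "JQP-2024", "Gomen!"):
        verdict = passfilt_like("jqpublic", "John Q. Public", pw) or ["accepted"]
        print(f"{pw:10} {verdict}")
```

A filter of this kind raises the floor (no empty passwords, no user IDs, no single-case words) but says nothing about dictionary membership, which is why the text pairs it with periodic runs of a cracker such as L0phtCrack or CrackIT.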
Hacker prevention
SYSKEY.DLL, another Windows NT Service Pack 3 improvement, prevents the Windows NT Registry from releasing the encrypted password entries to Administrator, rendering the password file inaccessible. Although it's questionable whether an intruder could acquire the password file in some other way, running this program certainly reduces risks (for additional details on Windows NT Service Packs, see Dan's TIPS column on page 42).
Insecure security
Poorly chosen passwords are the weak link in your chain of security. Understanding the importance of password security, how to select secure passwords, and how intruders take advantage of insecure passwords is critical to improving a company's overall security posture. Knowing which phase of password cracking you need to secure your systems to, as well as the resources available to system administrators for improving password security, are key to attaining the security you need and eliminating many system weaknesses.
Case Study: Two UNIX Password Penetration Tests
During a recent penetration test, 800 standard UNIX DES passwords were audited. Two computers split this task: an UltraSparc 1 and a Pentium 166. Using the DMW CrackIT software package, the audit performed over one-and-a-half billion password cracking attempts in slightly more than three days. The audit resulted in identifying passwords for 35 percent of the accounts, with the first password being obtained in less than three minutes from starting the audit.
In a separate audit performed on a Pentium 90 notebook over the course of a weekend, 264 UNIX accounts were examined, yielding 212 guessed passwords for a total of 80 percent.
Eric Knight is a Certified Information Systems Security Professional (CISSP) and primary developer for HostCHECK, NetCHECK, and CrackIT. He is currently working as a senior engineer at DMW Worldwide. eknight@dmwgroup.com.
Technical Editor Dr. Bruce V. Hartley is senior vice president at DMW Worldwide and a CISSP. He is responsible for managing and directing business operations throughout the company. Bruce also developed and directed commercial business in the Western region and the Information System Security Technology Center in Colorado Springs. bhartley@dmwgroup.com.
Keyword Tags: Authentication, IT Networking, Microsoft, Microsoft Windows, Microsoft Windows NT, Oracle, Security, Training