May 4, 2008

Passwords


Passwords are a primary piece of information that intruders will try to acquire in order to gain unauthorized access to systems or networks.

Password Storage

When users enter passwords for the network or operating system, the passwords, or some representation of them, must be stored so that there is something to compare login attempts against. There are three primary choices for password storage:

  • Clear text
  • Encrypted password
  • Hash value of a password - Used by Unix and Windows NT

The storage locations may be:

  • Root or administrator readable only
  • Readable by anyone

Passwords are more secure when the storage location can only be read by the administrator or root account. The most secure choice is to store only the hashed value of a password rather than the password itself.

Typical Hashing Functions

  • UNIX - An algorithm similar to DES with a 56 bit key. Two random characters (the salt) are added to the algorithm so that two users with the same password do not end up with the same stored value.
  • Windows NT - MD4 is used to generate a 128 bit value.

Password Protection and Cracking

Passwords should be chosen wisely, and a dictionary word should never be used. If an attacker can obtain the hashed or encrypted value of a password, they can run password guessing programs that eventually recover the password by comparing the encrypted result of each guess to the actual stored value. The easiest password attack is a dictionary attack, where dictionary words are used as the guesses. Other attacks include a brute force attack, which can take much longer than a dictionary attack. This is why passwords should have a minimum length and a minimum degree of complexity. The complexity requirements should demand at least three of the following four character types:

  • Lowercase
  • Uppercase
  • Numbers
  • Special characters such as !@#$%^&*(){}[]
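The salted storage described under Password Storage and the complexity rule just listed, as an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from the Python standard library rather than the DES-based Unix or MD4-based NT hashes named above; the iteration count, salt size, minimum length of 8, and the sample passwords are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the original post).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a stored record 'salt_hex$hash_hex'.

    A fresh random salt is drawn when none is supplied, so two users with
    the same password get different stored values, as the post describes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """Policy from the post: a minimum length and at least three of the four
    character classes (lowercase, uppercase, digits, special characters)."""
    if len(password) < min_length:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # any non-alphanumeric counts as special
    ]
    return sum(classes) >= 3


if __name__ == "__main__":
    # Constructed demo values.
    first = hash_password("Tr0ub4dor!")
    second = hash_password("Tr0ub4dor!")
    print("same password, different stored values:", first != second)
    print("correct password verifies:", verify_password("Tr0ub4dor!", first))
    print("wrong password rejected:", not verify_password("password", first))
    print("policy check:", meets_complexity("Tr0ub4dor!"), meets_complexity("password"))
```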

Protocols to send passwords

  • PAP - Password Authentication Protocol - Used with Point to Point Protocol (PPP). The password is sent in the clear.
  • CHAP - Challenge Handshake Authentication Protocol - Preferred over PAP since the actual password is not sent across the Internet or network.
