By Rob Lemos
Staff Writer, CNET News.com
May 22, 2002, 4:00 a.m. PT

When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look.

Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file.

"Just about every company that we have gone into, even large multinationals, has a high percentage of accounts with easily (cracked) passwords," said Greg Shipley, director of consulting for Neohapsis. "We have yet to see a company whose employees don't pick bad passwords."

Fortune 100 corporations, small firms and even Internet service providers with strong security have an Achilles heel: users who pick easily guessable passwords. Some choose words straight out of Webster's dictionary, others use a pet's name, and still more choose the name of a secret lover. Many who think themselves tricky append a digit or two on the end of their chosen word. Such feeble attempts at deception are no match for today's computers, which are capable of trying millions of word variations per second and often can guess a good number of passwords in less than a minute.

Treasure trove of magic words
For network intruders, that's a gold mine. Bad passwords don't necessarily make it easier to break in to a company's network, but for hackers able to gain access to a corporate computer by other means, they're a treasure trove. Passwords discovered on one server will frequently open the way to other servers, and with the digital keys to a large fraction of the accounts on the network, an intruder can wander about with impunity and with the appearance of being a legitimate user.

That's why network attackers grab passwords as soon as they can. Some viruses and worms send an infected computer's password file back to the creator. This week, a worm known as DoubleTap is doing just that, squirming its way in to computers with Microsoft's SQL Server 7.0 installed. The 1i0n worm, which spread among Linux servers in early 2001, grabbed password files, and the SirCam virus, in some cases, could send off the systems passwords as well.

		Special report Cracking the nest egg Hackers find fortunes in online bank accounts

Even the most paranoid security group and high-tech digital fences can't do much if the CEO secures his critical files with "god123." Worse, most companies and organizations still rely on a password--and nothing else--to authenticate their employees.

In security circles, experts have been studying the problem for decades.

In the pre-Internet Age of 1979, when storage was measured in the number of bits that could fit on a foot of magnetic tape, a seminal paper on password security found that a third of users' passwords could be broken in less than five minutes.

A search to find an eight-character password of random letters and digits would take 66 years on average for the big gun of the day, the PDP-11/70, which could crunch through nearly 50,000 combinations a minute in a brute-force search.

Yet the study found that users almost invariably chose bad passwords, leading to shortcuts for anyone attacking the security of the system.

Of nearly 3,300 passwords examined, the paper's authors, Ken Thompson and Robert Morris Sr., found about 17 percent consisted of three characters or less, nearly 15 percent had four characters that were a letter or a digit, and another 15 percent appeared in one of the dictionaries available at the time. In total, nearly half the passwords could be found in a search lasting less than six hours.

Make no mistake: An eight-character password could be very secure, even if attacked by today's high-speed computers.

There are more than 6.6 quadrillion different eight-character passwords using the 95 printable ASCII characters. Though some password-cracking programs can test nearly 8 million combinations every second on the latest Pentium 4 processor, breaking an eight-character password would still take more than 13 years on average.

In fact, operating systems have evolved in the past two decades to increase the security surrounding passwords. At one time, anyone could read the password file--the collection of encrypted keys for the system's software locks--making it easy for a hacker to copy the file for later cracking on their own computer system.

Now, operating systems typically allow only system administrators access to read the encrypted passwords, forcing hackers to get administrator rights on the system before they can grab the file. In addition, "three strikes" login rules have become common, locking out users who fail to provide the correct passwords in the first few attempts.

Digital domino effect
While such defenses have made hacking attempts based on repetitive password guesses using a list of common words--known as a dictionary attack--less feasible, such attacks are invaluable to hackers as a way of broadening access to a network. A single server or PC breached by an intruder can yield passwords reused on other systems in the network, bypassing the security on the systems in a digital domino effect.

The only defense is to make passwords nearly impossible to guess, but such strength requires that the password be selected in a totally random fashion. That's a tall order for humans, said David Evans, an assistant professor of computer science at the University of Virginia.

"When humans make passwords, (they) are not very good at making up randomness," he said.

Furthermore, because people usually have several passwords to keep track of, locking user accounts with random, but difficult-to-remember, strings of characters such as "wX%95qd!" is a recipe for a support headache.

"The idea is to make something that is easy to remember but that will make up a good password," he said.

Are single-use passwords more secure? Kevin Donovan, product manager, Vasco Worldwide February 20, 2002

Many security administrators focus their efforts on teaching users how to use various mnemonics to create strong, but memorable, passwords. A common technique takes the first or last letter of each word in a saying or phrase familiar to the user. For example, by using random capitalization and substituting some punctuation marks and digits for letters, "Friends don't let friends give tech advice" might become "fD!Fg7a."

The education doesn't seem to be sticking, and the password problem is getting worse as the percentage of less-tech-savvy computer users increases.

Giving away the keys
In a recent study by security firm PentaSafe Security Technologies, the company found that four out of five workers would disclose their passwords to someone in the company, if asked.

That's the good news. Another study by the same company found that nearly two-thirds of the workers polled at Victoria Station in London gave the pollster their passwords when asked. Their reward? A cheap pen.

Little wonder then that companies are becoming increasingly worried that the keys to their information kingdom are being handled so poorly.

"Passwords are one of the biggest security problems that corporate America has," said Chris Pick, associate vice president for product strategy at PentaSafe. "Employees should at least know their company's password policy, but they don't."

In fact, potential intruders value a password far more than the single computer it's protecting. A hacker who can get the password list from a server or PC can use those passwords to gain access to other computers on the network, bypassing all the high-tech security erected to keep him out. Moreover, once an intruder has collected the digital keys to a network, it's very hard for administrators to lock him back out.

"There are some ISPs who have had 40,000 passwords stolen," said Neohapsis' Shipley. "They are not going to tell all their users to change their passwords." Doing so would only alert a hacker that he has been detected, Shipley said, and the ISP has no way of knowing if a legitimate user or the illicit trespasser has changed an account's password.

		Special report Why hackers escape How criminals stay a step ahead of the law

"It's a support nightmare," Shipley said. "That's one hacker you aren't getting out of the system."

The best solution is to not let them in. To block hackers, security companies and researchers are increasingly focusing on strengthening the weak link posed by passwords.

Many corporations have boosted user education, concentrating on drilling their employees in the company's password policy. Such policies determine what a valid password is, the minimum number of characters in the string, and how often the keys to the account have to be changed.

That still doesn't make the passwords any more memorable, researchers say.

Picture this
"The human limitation with precise recall is in direct conflict with the requirements of strong passwords," wrote University of California at Berkeley students Rachna Dhamija and Adrian Perrig in a recent paper discussing the possibility of a graphical password system called Deja Vu.

Dhamija and Perrig, as well as several other researchers, are looking to capitalize on users' visual recall, rather than their ability to memorize characters. Deja Vu creates collections of digital art from which a user chooses several selections; then the system trains the user to remember the selections.

Researchers at Microsoft, Lucent Technologies, New York University and the University of Virginia, among others, have studied techniques for creating graphical passwords.

Such systems have problems as well. While the resulting password tends to be more random than one made of characters, the user training has to be done in secret or others might be able to view the sequence of images that make up the password. Moreover, the same attributes that make graphical passwords easier to remember for the user make them easier to pick up by, say, a not-so-friendly co-worker looking over someone's shoulder, said Chris Wysopal, director of research and development for digital security firm @Stake.

"Pictures are going to be easier to shoulder-surf than keyboard passwords," Wysopal said, adding that weaknesses in how such passwords are stored on the computer system could also make them vulnerable to cracking attempts.

While research has focused on creating new types of passwords, businesses are attempting to tackle the problem with software products that allow a single, strong password to be used to access all the services on a network. By letting users focus on just memorizing a single password, the onus for security is on the administrators who must force users to pick a strong password and change it frequently.

This system has its own drawback, of course. A hacker able to wheedle a single password from a user gains access to everything that person had permission to use. That has many nervous companies adopting so-called two-factor authentication, where the second factor is a chip card or biometric. For the extremely security conscious, three-factor authentication is available as well.

"If you want real high-level security," said University of Virginia's Evans, "people can authenticate themselves with something they know, like a password; something they have, like a smart card; and something they are, like a biometric."

With fingerprint scanners and smart-card readers still not a common option on computers, such technology isn't an immediate solution, said Chris Christiansen, an analyst with market researcher IDC.

"There is a huge, huge range of alternatives to passwords," he said. "But nobody thinks passwords are going to go away."

Until better alternatives are adopted, the users--and the passwords they choose--continue to be the greatest vulnerability.