On passwords, security and real -sweat, blood and tears- life

Kwan Lowe kwan at digitalhermit.com
Sat Apr 29 12:20:08 UTC 2006


> A common problem with passwords is their guessability (yes, as a
> non-native English speaker, I too make up words.....). For instance,
> even though I have taught my daughter to not use dictionary words, names
> etc, her password for one of the online accounts got hijacked. What
> happened was, she used: _____ (five underscores) as a password: arghghgh.

I'm not convinced that it's the guessability of passwords that's their downfall.
From what I've seen, the biggest problem is clear-text passwords moving naked across
the Internet. For example, many of us are subscribed to various lists. Many of them
send a password reminder once a month in plaintext. Many people use the same
passwords across multiple sites. This means that anyone who has access to the mail
(the ISP, an administrator, etc.) has access to possible multiple passwords. Then
there are un-encrypted web logins. You can easily see in firewall rules, proxies and
just by sniffing either side of the connection what the passwords are.

Which leads to how supposedly "encrypted" passwords are stored and sent...
When a password is sent, it's rarely sent as plaintext anymore. This doesn't mean
it's. In some cases the password is "hashed" locally and the hash, rather than the
password is sent. On the other side, the hash is compared with a stored hash and
verified if they are the same. On the most rudimentary systems you could replay the
hash send and gain access. On other systems, the remote site will send some sort of
salt value that changes on each connection. So you'd think that if you get the hash
there's no way to get the password?  Alas no..  It's possible to create a dictionary
of pre-hashes. I.e., take all permutations of allowed password characters and then
create a table listing the hash and the plaintext. When you receive a hash, just do
a lookup and you'll often locate the plaintext. This is made easier because people
tend to use very few of the allowed characters in a password. I.e., just letters,
numbers, and the occasional punctuation mark.

So your daughter's password could have been compromised by the fact that it was a
simple password and very easy to "shoulder surf", it's in a pre-hashed dictionary,
it was transmitted in the clear, it was replayed... etc etc..

> But it did make me think again about the security of my home network.
> Unfortunately most passwords are dictionary words, that are easy to
> guess using f.i. the john password guesser program, combined with
> numbers and if you are lucky a special character or two.
>
> What I wonder about is the following:
>
> * given that all ports are closed to external contact through a physical
> albeit consumer oriented firewall, just means I am safe for
> port-scanners. But does it mean that I am safe from cracker systems /
> programs? Is there a way to break in, without allowing external contact
> through one of the ports? (not including trojans and the like).

Not at all... Once someone gets a privileged account to run an application, it
doesn't matter what perimeter defenses are in place.  Or if your Windows system is
not patched, I could conceivably send you a picture that, when viewed, launched
another application. A website could auto-install a keylogger on your browser. These
are not really troajans... In some cases I've seen very secure firewalls protecting
very insecure wireless networks. The front door is locked but the walls are
missing...

> * A second issue is: suppose I would force my family to use really
> random passwords (like characters picked from a one-time pad). And now
> suppose I lose my root-password: would I be able to rectify this,
> without destroying the data?

The root password is easily changed on bootup either by booting into single user
mode, editing with a rescue disk, etc..

-- 
* The Digital Hermit   http://www.digitalhermit.com
* Unix and Linux Solutions   kwan at digitalhermit.com
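The "dictionary of pre-hashes", the per-connection salt and the replay of a captured hash that Kwan describes above can be shown in a few lines. The following is an added example, not code from the post or the list: it builds a precomputed table over a deliberately tiny constructed password space (three characters over [a-z0-9]) and reverses an unsalted SHA-256 in one lookup, then shows that a per-user random salt with an iterated hash (PBKDF2-HMAC-SHA256 here) is not found in that table, and that a fresh nonce per login makes a captured challenge response useless when replayed. All secrets, salts and the shared key are constructed values.

```python
"""Added example (not from the original post): precomputed tables against
unsalted hashes, per-user salt as the defence, and nonce-based challenge/response
against replay.  Every password, salt and key below is constructed."""
import hashlib
import hmac
import itertools
import os
import string

# Constructed: a tiny password space (3 chars over [a-z0-9], 46,656 candidates)
# so the table builds in well under a second.  Real tables cover far longer strings.
ALPHABET = string.ascii_lowercase + string.digits
PW_LEN = 3


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the 'rudimentary' storage scheme."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(alphabet: str = ALPHABET, length: int = PW_LEN) -> dict:
    """The 'dictionary of pre-hashes': every candidate hashed once, indexed by hash."""
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        table[unsalted_hash(candidate)] = candidate
    return table


def lookup(digest_hex: str, table: dict):
    """Reverse a stolen unsalted hash with one dictionary lookup (None if absent)."""
    return table.get(digest_hex)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash.  A fresh 16-byte salt per user means an attacker
    would need one precomputed table per salt value, and the iteration count
    makes every guess cost 100,000 HMAC calls instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_credential(password: str) -> tuple:
    """What a server should store: (salt, salted_hash), never the password."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    # compare_digest avoids leaking where the comparison stopped matching.
    return hmac.compare_digest(salted_hash(password, salt), stored)


# --- Challenge/response: the 'salt value that changes on each connection' ---

def server_challenge() -> bytes:
    """Fresh random nonce for every login attempt."""
    return os.urandom(16)


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """Client proves it knows the secret without ever transmitting it."""
    return hmac.new(secret, nonce, "sha256").digest()


def server_verify(secret: bytes, nonce: bytes, response: bytes) -> bool:
    return hmac.compare_digest(client_response(secret, nonce), response)


def replay_succeeds(secret: bytes) -> bool:
    """Capture one valid response on the wire and replay it against a new
    challenge.  Because the nonce changed, the old response no longer verifies."""
    first_nonce = server_challenge()
    captured = client_response(secret, first_nonce)
    second_nonce = server_challenge()
    return server_verify(secret, second_nonce, captured)


if __name__ == "__main__":
    table = build_lookup_table()
    stolen = unsalted_hash("q7z")               # constructed weak password
    print("unsalted hash reversed to:", lookup(stolen, table))
    salt, stored = new_credential("q7z")
    print("salted hash found in table?", lookup(stored.hex(), table) is not None)
    print("verify correct password:", verify_password("q7z", salt, stored))
    print("replayed response accepted?", replay_succeeds(b"constructed-shared-secret"))
```

The table reverses the unsalted hash immediately, which is the whole argument for salting: the same three-character password stored behind a random salt is absent from the table, and the iteration count means rebuilding a table per salt is far more expensive than the single SHA-256 per candidate used here. The challenge/response half shows why a scheme that changes its salt per connection stops the simple hash replay the post mentions.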