Password Authentication Issues
The Problem With Passwords
Password-based authentication, by far the most commonly
used method, suffers from problems that can weaken its effectiveness
and make it less desirable for high-security environments. Problems
include:
- Shoulder surfing. People may look over your shoulder when you type your password in an attempt to learn it.
- Post-it notes. People often write down hard-to-remember passwords and store them next to their computer.
- On-line attack. Automated attack tools attempt to log in to a system by guessing passwords. Often a dictionary is used to speed up the process. Sometimes a "brute-force attack" is used, in which every possible combination of characters is tried.
- Offline attack. This is similar to an on-line attack except that the attacker works offline, so the guessing cannot be detected by the target system. The attacker obtains a copy of the encrypted password and then guesses at passwords by mimicking the login verification process. Both dictionary and brute-force guessing can be used in these attacks.
- Trojan horse login program. A program that replaces the program used to log people in, installed by an attacker who has broken into a computer. As legitimate users attempt to log in, the replacement program records their usernames and passwords to a file. Later, the attacker picks up the file containing the usernames and passwords.
- Keyboard sniffer. A program that an attacker installs on the user's computer that records everything typed on the keyboard. The attacker then looks for logins to remote systems.
- Network sniffer. A network sniffer enables an attacker to record login sessions as they appear on the network.
- Synchronizing passwords. Using the same password for more than one system is an unsafe practice for a user of multiple systems. If one of these systems is less secure than the others, all systems sharing the common password are vulnerable to an attacker who compromises the less secure system and learns the user's password.
Attackers against University of Michigan systems have
employed all of these techniques.
Reducing the Risk of Password Problems
Several preventative measures can reduce the risk
associated with password-based systems. These include:
- Secure computers. Secure all systems thoroughly enough that Trojan login and keyboard sniffer programs cannot be installed or, at a minimum, can be detected right away.
- User education. Educate users in the selection of good passwords and in how to safely store and protect their passwords.
- Enforce difficult-to-guess passwords. Where possible, use dictionary checks when users are changing their passwords. Reject easily guessed passwords and suggest the use of extremely random passwords such as "g>T5(svX!aZ3."
- Lockout accounts. If available, disable accounts after a certain number of online login attempts have been unsuccessful. Use caution with this approach, because an attacker may use it to purposely disable accounts.
- Password aging. Require users to choose a new password after a certain amount of time (e.g. every 30 days). Although considered a "good practice," this is often seen as the primary reason why users select weak passwords and/or write them down.
- Perform preventative attacks. Routinely perform offline attacks on passwords and ask anyone with an easily guessed password to change it.
- Encryption. Use encryption for all network traffic containing login sessions.
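As an added example (not a U-M tool and not code from this page), the following Python shows two of the measures above in working form: a dictionary check applied at password-change time, which undoes the leet-style substitutions and trailing digits that guessing tools try, together with a brute-force entropy bound that shows why length and a wide character set matter for sensitive accounts; and a failed-login tracker whose lock expires on its own, so that an attacker who deliberately triggers lockouts can deny service only for a bounded period. The word list, thresholds and account names are constructed placeholders.

```python
"""Added example (not U-M code): a password-change policy check with a
dictionary test, plus a failed-login tracker whose lock expires on its own.
Word list, thresholds and account names are constructed placeholders."""
from __future__ import annotations

import math
import re
import string
import time
from collections import defaultdict

# Constructed sample word list; a real check would load a large dictionary.
DICTIONARY = {"password", "michigan", "wolverine", "welcome", "letmein",
              "football", "summer", "qwerty", "secret"}
# Substitutions that dictionary-attack tools undo before matching.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})
AFFIX = re.compile(r"^[\d\W_]+|[\d\W_]+$")  # leading/trailing digits/symbols

def normalize_candidates(password: str) -> set[str]:
    """Forms a dictionary attack would try: lower-cased, leet-decoded, and
    with digits/symbols stripped from the ends ('W0lverine99!' -> 'wolverine')."""
    forms = {password.lower()}
    for _ in range(2):  # two passes cover strip-then-decode and decode-then-strip
        forms |= {AFFIX.sub("", f) for f in forms}
        forms |= {f.translate(LEET_MAP) for f in forms}
    return forms

def estimated_bits(password: str) -> float:
    """Upper bound on brute-force work, log2(alphabet ** length), where the
    alphabet is the union of character classes actually present. A password
    built from a dictionary word is far weaker than this bound suggests,
    which is why the dictionary check runs first."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10),
               (r"[^a-zA-Z0-9]", len(string.punctuation))]
    size = sum(n for pattern, n in classes if re.search(pattern, password))
    return len(password) * math.log2(size) if size else 0.0

def check_password(password: str, min_length: int = 12,
                   min_bits: float = 60.0) -> tuple[bool, str]:
    """Policy applied at password-change time; returns (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if normalize_candidates(password) & DICTIONARY:
        return False, "derived from a dictionary word"
    if estimated_bits(password) < min_bits:
        return False, "character set too narrow for its length"
    return True, "ok"

class LockoutTracker:
    """Counts failed logins per account in a sliding window and locks the
    account for lock_seconds. Because the lock expires by itself, an attacker
    who triggers it on purpose denies service only for that period, not
    until an administrator re-enables the account."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300,
                 lock_seconds: int = 900, clock=time.time):
        self.max_failures, self.window = max_failures, window_seconds
        self.lock_seconds, self.clock = lock_seconds, clock  # clock is injectable for tests
        self.failures: dict[str, list[float]] = defaultdict(list)
        self.locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:  # lock expired: forget it and the old failures
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Register a failed attempt; True if this attempt triggered a lock."""
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            return True
        return False

def lockout_demo() -> tuple[bool, bool, bool]:
    """Drive the tracker with a fake clock: (locked on the 3rd failure,
    still locked 60 s later, unlocked once 120 s have passed)."""
    now = [1000.0]
    tracker = LockoutTracker(max_failures=3, window_seconds=60,
                             lock_seconds=120, clock=lambda: now[0])
    tracker.record_failure("alice")
    tracker.record_failure("alice")
    locked = tracker.record_failure("alice")
    now[0] += 60
    still_locked = tracker.is_locked("alice")
    now[0] += 61
    return locked, still_locked, tracker.is_locked("alice")
```

With these settings, check_password("W0lverine99!") is refused as a dictionary derivative even though it has mixed case, digits and a symbol, while the page's own suggestion "g>T5(svX!aZ3." passes with roughly 85 bits of brute-force headroom; lockout_demo shows the account locking on the third failure and releasing itself two minutes later.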
All of these measures must be maintained and enforced;
otherwise the risk associated with reusable passwords will emerge
again.
Unfortunately, offline attacks, which are among the
more serious types of attacks, cannot be prevented in the current
Kerberos environment at U-M. Attack code exists which attempts to
mimic the login sequence of a Kerberos login and obtain a data structure
encrypted with a user's password. The attack code uses a dictionary
or brute-force to guess a user's password. Ensuring that users do
not select easily guessed dictionary-based passwords is a must,
and accounts that are of special significance should have passwords
as long as possible and be made up of random character sequences
to thwart brute-force attacks.
Alternative to Password Authentication
Strategies can be implemented to mitigate the risk
associated with passwords, but ultimately, the reusable nature of
passwords makes them difficult to protect. To address these issues
adequately in an open environment like the University of Michigan,
the resources and commitment necessary to reduce the risk of reusable
passwords campus-wide are substantial.
To provide better protection, passwords must be combined
with a nonreusable component. In other words, one-factor authentication
based on passwords offers one level of protection, but two-factor
authentication based on passwords and a single-use token offers
far better security.
Currently, SecurID cards are the most commonly used
two-factor authentication mechanism available for U-M administrative
systems. SecurID cards are tamper-resistant cards that generate
a one-time password using a cryptographic algorithm. The one-time
password changes regularly (e.g. every 30 seconds), and can be used
only once. This one-time password combined with a reusable "pass
phrase" makes up a two-factor authentication process. A user must
know the pass phrase and must possess the SecurID card (to get the
one-time password) to authenticate.
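As an added illustration of the two-factor process just described (this is not U-M's or RSA's code), the Python below verifies a login only when both the reusable pass phrase and the card's one-time code check out, and refuses any code from a time step that has already been accepted, which is what "can be used only once" requires on the server side. SecurID's token algorithm is proprietary, so the one-time code is generated here with RFC 6238 TOTP (HMAC-SHA1 over a 30-second time step) as a stand-in; user names, pass phrases and the card seed are constructed values.

```python
"""Added example (not U-M's or RSA's code): a server-side verifier for a
pass phrase plus single-use token. SecurID's algorithm is proprietary, so
RFC 6238 TOTP (HMAC-SHA1, 30-second step) stands in for the card; names
and seeds are constructed."""
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP on the current time step (what the card displays)."""
    return hotp(secret, int(unix_time) // step)

def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen verifier database resists offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

class TwoFactorVerifier:
    """Checks the reusable pass phrase and the one-time code together and
    refuses to accept a code from a time step that was already used."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable for tests
        self.users: dict[str, tuple[bytes, bytes, bytes]] = {}  # name -> (salt, hash, seed)
        self.last_step: dict[str, int] = {}  # name -> time step of last accepted code

    def enroll(self, username: str, passphrase: str, token_seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_passphrase(passphrase, salt), token_seed)

    def verify(self, username: str, passphrase: str, code: str) -> tuple[bool, str]:
        record = self.users.get(username)
        if record is None:
            return False, "authentication failed"
        salt, stored_hash, seed = record
        phrase_ok = hmac.compare_digest(hash_passphrase(passphrase, salt), stored_hash)
        step = int(self.clock()) // STEP_SECONDS
        matched = None
        for candidate in (step - 1, step, step + 1):  # tolerate one step of clock drift
            if hmac.compare_digest(hotp(seed, candidate).encode(), code.strip().encode()):
                matched = candidate
        # Both factors are evaluated before any decision so a failure does
        # not reveal which of the two was wrong.
        if not phrase_ok or matched is None:
            return False, "authentication failed"
        if matched <= self.last_step.get(username, -1):  # replay of a used code
            return False, "one-time code already used"
        self.last_step[username] = matched
        return True, "ok"

def demo() -> tuple[str, str, str, str]:
    """Fixed clock: first login, replay of the same code, wrong pass phrase
    with a valid code, and a fresh code 90 s later."""
    now = [1_700_000_000.0]
    verifier = TwoFactorVerifier(clock=lambda: now[0])
    seed = b"constructed-seed-for-card-0001"  # stands in for the card's secret seed
    verifier.enroll("alice", "correct horse battery", seed)
    code = totp(seed, now[0])
    first = verifier.verify("alice", "correct horse battery", code)[1]
    replay = verifier.verify("alice", "correct horse battery", code)[1]
    wrong = verifier.verify("alice", "wrong phrase", totp(seed, now[0]))[1]
    now[0] += 90
    later = verifier.verify("alice", "correct horse battery", totp(seed, now[0]))[1]
    return first, replay, wrong, later
```

The hotp function reproduces the RFC 4226 test vectors (secret "12345678901234567890" gives 755224 at counter 0 and 287082 at counter 1), and demo returns ("ok", "one-time code already used", "authentication failed", "ok"): a network sniffer that captures one login cannot replay the captured code, and a stolen pass phrase alone is useless without the card.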
Logistics and cost present the biggest drawbacks of
this type of two-factor authentication. The distribution and maintenance
of cards is complicated and expensive. Costs include the purchase
of cards, software licensing, and staff resources to administer
the distribution and maintenance of cards. In addition, the SecurID
solution requires that users know the whereabouts of their SecurID
card. Many users see this as a burden, particularly those unfamiliar
with the weaknesses of traditional reusable password systems.