Monday, August 25, 2008

A Guide To Better Password Practice




Refresher – Password Usage




Let’s be honest, passwords are annoying. These days, we need a password or PIN everywhere. We have so many that we can’t keep track of them all. We forget to update them; and when we do, it’s difficult to come up with effective ones that we can still remember, so we procrastinate changing them for months, even years. We all know this is bad, but the alternative – the painful, irritating password creation and memorization process – is sometimes more than we can tolerate. There is hope! Passwords don’t have to be complex cryptograms. A few simple methods can help make living with passwords a little easier.




While we may find them annoying, and even take them for granted, it is important to remember why passwords are important: passwords are often the first (and possibly only) defense against intrusion (MacGregor). They protect personal information – information we don’t want anyone and everyone to know. In our personal lives, this means financial information, health data, and private documents. In a professional context, this may encompass anything considered crucial to the success of the organization: trade secrets, financial data, intellectual property, customer lists, etc.




Passwords are simpler and cheaper than other, more secure forms of authentication like special key cards, fingerprint ID machines, and retinal scanners. They provide a simple, direct means of protecting a system or account. For the sake of this article, we’ll define a ‘password’ as a word, a phrase, or combination of miscellaneous characters that authenticates the identity of the user. Passwords are generally used in combination with some form of identification, such as a username, account number, or e-mail address. While a username establishes the identity of the user for the computer or system, the password, which is known only to the authorized user, authenticates that the user is who he or she claims to be. This means that their function is to “prove to the system that you are who you say you are” (Russell).





Password Cracking




While passwords are a vital component of system security, they can be cracked or broken relatively easily. Password cracking is the process of figuring out or breaking passwords in order to gain unauthorized entrance to a system or account. It is much easier than most users would think. (The difference between cracking and hacking is that codes are cracked, machines are hacked.) Passwords can be cracked in a variety of different ways. The simplest is the use of a word list or dictionary program to break the password by brute force. These programs compare lists of words or character combinations against the password until they find a match. If cracking codes seems like science fiction, search “password cracker” on Packetstorm or Passwordportal.net. There are also numerous password cracking tools available that any average person can use. (For more information on password cracking tools, please see the SecurityFocus article Password Crackers - Ensuring the Security of Your Password.)




Another easy way for potential intruders to nab passwords is through social engineering: physically lifting the password off a Post-It from under someone’s keyboard, or imitating an IT engineer and asking for it over the phone. Many users create passwords that can be guessed by learning a minimal amount of information about the person whose password is being sought. (For more information on social engineering, please see the SecurityFocus series Social Engineering Fundamentals.) A more technical way of learning passwords is through sniffers, which look at the raw data transmitted across the net and decipher its contents. “A sniffer can read every keystroke sent out from your machine, including passwords” (University of Michigan). It’s possible that someone out there has at least one of your passwords right now.







How To Choose Good Passwords




Now that we have established the importance of passwords and some of the ways in which they may be vulnerable to cracking, we can discuss ways of creating good, strong passwords. In creating strong, effective passwords it is often helpful to keep in mind some of the methods by which they may be cracked, so let’s begin with what NOT to do when choosing passwords.





No Dictionary Words, Proper Nouns, or Foreign Words





As has already been mentioned, password cracking tools are very effective at processing large quantities of letter and number combinations until a match for the password is found; as such, users should avoid using conventional words as passwords. By the same token, they should also avoid regular words with numbers tacked onto the end and conventional words that are simply written backwards, such as ‘nimda’. While these may prove to be difficult for people to figure out, they are no match for the brute force attacks of password cracking tools.





No Personal Information




One of the frustrating things about passwords is that they need to be easy for users to remember. Naturally, this leads many users to incorporate personal information into their passwords. However, as is discussed in the Social Engineering Fundamentals, it is alarmingly easy for hackers to obtain personal information about prospective targets. As such, it is strongly recommended that users not include such information in their passwords. This means that the password should not include anything remotely related to the user’s name, nickname, or the name of a family member or pet. Also, the password should not contain any easily recognizable numbers like phone numbers or addresses or other information that someone could guess by picking up your mail.





Length, Width and Depth




A strong, effective password requires a certain degree of complexity. Three factors can help users to develop this complexity: length, width and depth. Length is the simplest: the longer a password, the more difficult it is to crack, because the number of possible combinations grows with every character added. It is generally recommended that passwords be between six and nine characters. Greater length is acceptable, as long as the operating system allows for it and the user can remember the password. However, shorter passwords should be avoided.




Width is a way of describing the different types of characters that are used. Don’t just consider the alphabet. There are also numbers and special characters like ‘%’, and in most operating systems upper and lower case letters count as different characters. Windows, for example, is not always case sensitive. (This means it doesn’t know the difference between ‘A’ and ‘a’.) Some operating systems allow control characters, alt characters, and spaces to be used in passwords. As a general rule, the following character sets should all be included in every password:




  • uppercase letters such as A, B, C;
  • lowercase letters such as a, b, c;
  • numerals such as 1, 2, 3;
  • special characters such as $, ?, &; and
  • alt characters such as µ, £, Æ. (Cliff)






Depth refers to choosing a password with a challenging meaning – something not easily guessable. Stop thinking in terms of passwords and start thinking in terms of phrases. “A good password is easy to remember, but hard to guess.” (Armstrong) The purpose of a mnemonic phrase is to allow the creation of a complex password that will not need to be written down. Examples of a mnemonic phrase may include a phrase spelled phonetically, such as ‘ImuKat!’ (instead of ‘I’m a cat!’) or the first letters of a memorable phrase such as ‘qbfjold*’ = “quick brown fox jumped over lazy dog.”




What may be most effective is for users to choose a phrase that has personal meaning (for easy recollection), to take the initials of each of the words in that phrase, and to convert some of those letters into other characters (substituting the number ‘3’ for the letter ‘e’ is a common example). For more examples, see the University of Michigan’s Password Security Guide.
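The length, width and depth rules of this section, written out as a small policy checker. This is an added Python example, not code from the article: the word list, the personal-information set and the minimum length of six are constructed stand-ins (six is the lower bound the article gives), and the substitution table used by the mnemonic builder is an assumption beyond the article's own ‘3’ for ‘e’. The checker flags dictionary words, reversed dictionary words and words with digits tacked on the end, then reports which of the article's character sets are missing.

```python
import re
import string

# Constructed stand-ins: a cracker's word list would be far larger, and the
# personal-information set would hold whatever an attacker could learn about the user.
WORD_LIST = {"admin", "password", "secret", "welcome", "dragon", "monkey"}
PERSONAL_INFO = {"alice", "fido", "1985", "5551234"}
MIN_LENGTH = 6  # the lower bound the article gives ("between six and nine characters")

# Assumed substitution table for the depth rule ('3' for 'e' is the article's own example).
SUBSTITUTIONS = {"e": "3", "a": "@", "i": "1", "o": "0", "s": "$"}


def character_classes(password: str) -> set:
    """Width: which of the article's character sets the password draws from."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation or ch == " ":
            classes.add("special")
        elif ord(ch) > 127:
            classes.add("alt")  # e.g. µ, £, Æ
    return classes


def _base_word(password: str) -> str:
    """Strip trailing digits and punctuation so 'dragon99!' is checked as 'dragon'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_password(password: str, personal_info=PERSONAL_INFO) -> list:
    """Return the rule violations for a candidate password; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = _base_word(password)
    if base in WORD_LIST:
        problems.append("dictionary word (with or without trailing digits)")
    if base[::-1] in WORD_LIST:
        problems.append("dictionary word written backwards")
    lowered = password.lower()
    for item in sorted(personal_info):
        if item in lowered:
            problems.append(f"contains personal information ({item})")
    missing = {"upper", "lower", "digit", "special"} - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    return problems


def phrase_to_password(phrase: str) -> str:
    """Depth: initials of a memorable phrase, some swapped for other characters, mixed case."""
    initials = [w[0].lower() for w in phrase.split() if w[0].isalpha()]
    out = []
    for i, ch in enumerate(initials):
        if ch in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[ch])
        else:
            out.append(ch.upper() if i % 2 == 0 else ch)
    return "".join(out) + "!"


if __name__ == "__main__":
    candidates = ["dragon99!", "nimda", "Fido#1985",
                  phrase_to_password("quick brown fox jumped over lazy dog")]
    for candidate in candidates:
        print(candidate, "->", check_password(candidate) or "ok")
```

The checker deliberately strips trailing digits and punctuation before the dictionary lookup, which is exactly the normalisation a word-list tool applies in the other direction; a password that survives that step is not saved by a ‘99!’ suffix alone.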






Extra Protection




All of the good password cracking programs include foreign words, backwards words, etc. And the easiest way to steal a password is by asking for it, so it’s simpler to never give it away.




In some cases, a good password is enough protection to keep out intruders. In others, it’s just a start. Encryption and one-time passwords add extra protection to systems. Encryption means garbling the password to protect from sniffers or other onlookers, through a particular scheme that can be deciphered from the other end of the connection.
One-time passwords (S/key is the most commonly used) are just that. They can be used only once. This requires carrying a list of passwords or having a special password calculator or SecureCard, but can be a very reliable method of password security.




There are also certain behaviors that users should practice in order to maximize the effectiveness of their passwords. Users should avoid using the same password on multiple accounts. Doing this creates a single point of failure, which means that if an intruder gains access to one account, he or she will have access to all of the user’s accounts. Users should never disclose their passwords to anybody unless they know them to be authorized (i.e., systems administrators). Even then, passwords should only be disclosed in person (not over the phone or by e-mail) to a known, trusted source.




Users should exercise extreme caution when writing down or storing passwords. Stories of hackers obtaining passwords through shoulder-surfing and dumpster diving are not urban myths, they are real. Users should resist the temptation to write down passwords on Post-It notes stuck to their monitors or hidden under their keyboards. Instead, they should choose passwords that they will be able to remember – not an easy task given the complexity required of strong, effective passwords.




There are always extenuating circumstances where we must write down passwords. This is not recommended, but if it must be done, it should be done with forethought, not haphazardly. The extreme example of too many passwords is contract system administrators, who have multiple clients and machines. For these people, the only advice is to write down the phrases or some sort of related thought to jog your memory and put it on a piece of paper carried on your person. Maybe photocopy that and leave the copy stored in a safe place at home. Never put it on a Post-It. Never store it online. An obscured hint might be okay, but never the actual password or even an encrypted version.





Changing & Storing Passwords and PINs





In order to ensure their ongoing effectiveness, passwords should be changed on a regular basis. Changing passwords securely is fairly simple. Windows passwords are changed through the Control Panel and in UNIX, the ‘passwd’ command generally does the trick. A good rule of thumb is to change passwords as close to the actual account as possible. For example, if it’s an ISP account, don’t telnet through three other machines to change that password. If it’s an office computer, users should be on that computer and not on a co-worker’s when changing it. Don’t let anybody watch while typing the old and new passwords. If at all possible, the password should be changed over a secure connection like a secure shell (SSH).




How often one should change passwords really depends on the account. Online financial accounts should be changed every month or two. Corporate network passwords should be changed every 3-4 months. A recent 2600 article recommended considering the “sensitivity of the resources which you are trying to protect” and suggested “enforcing password changes somewhere between once per fiscal year and once per fiscal quarter” (Thomas). Just use good judgment and don’t be lazy. Changing a password is relatively quick and painless compared to the irritating and expensive process of combating identity theft.





Tips for Organizations and Network Administrators




Managers and administrators can enhance the security of their networks by setting strong password policies. Password requirements should be built into organizational security policies. Network administrators should institute regular changes of passwords. They should also regularly remind users how easy it is for hackers to get their passwords through social engineering and online attacks. New users should be taught good password practices. Providing intranet resources on network security and password security can also be helpful. Finally, the organization’s password policy should be integrated into the security policy, and all users should be required to read the policy and sign off on it.




Systems administrators should implement safeguards to ensure that people on their systems are using adequately strong passwords. They should set password expiration dates on all programs being run on the organization’s systems, keep a password history to prevent reuse, and lock out accounts after 3-5 failed password attempts. Keep the number of people in the organization who have these passwords as small as possible. The organization should also use newer versions of OSs that have more secure password files and authentication protocols. Keep your individual account passwords updated as well. Finally, when installing new systems, make sure default passwords are changed immediately.
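The three safeguards in this paragraph (lockout after a bounded number of failed attempts, a password history that blocks reuse, and an expiry age) as an added Python model of per-account state; this is not code from the article. The limits of five failed attempts and 90 days are taken from the article's ranges, while the history depth of five, the PBKDF2 cost and the use of plain Unix-time seconds for the clock are assumptions. Each remembered password is kept only as a salted fingerprint, so the history check can reject a reused password without the account ever holding old passwords in the clear.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5               # article: lock accounts after 3-5 failed attempts
MAX_PASSWORD_AGE_SECONDS = 90 * 86400  # article: corporate passwords changed every 3-4 months
HISTORY_DEPTH = 5                     # assumed: how many previous passwords are remembered
FINGERPRINT_ITERATIONS = 50_000       # assumed PBKDF2 cost for the stored fingerprints


def _fingerprint(password: str, salt: bytes) -> bytes:
    """Salted, iterated fingerprint; the clear password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, FINGERPRINT_ITERATIONS)


class Account:
    """Per-account state needed to enforce lockout, history and expiry."""

    def __init__(self, name: str, password: str, now: float):
        self.name = name
        self.failed_attempts = 0
        self.locked = False
        self.history = []          # (salt, fingerprint) pairs, newest last
        self.changed_at = now
        self._set(password, now)

    def _set(self, password: str, now: float) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _fingerprint(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # forget the oldest entry
        self.changed_at = now

    @staticmethod
    def _matches(password: str, salt: bytes, fingerprint: bytes) -> bool:
        return hmac.compare_digest(_fingerprint(password, salt), fingerprint)

    def password_expired(self, now: float) -> bool:
        return now - self.changed_at >= MAX_PASSWORD_AGE_SECONDS

    def login(self, password: str, now: float) -> str:
        """Returns 'ok', 'expired', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        salt, current = self.history[-1]
        if not self._matches(password, salt, current):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True          # stays locked until an administrator unlocks it
                return "locked"
            return "denied"
        self.failed_attempts = 0            # a successful login resets the counter
        return "expired" if self.password_expired(now) else "ok"

    def change_password(self, old: str, new: str, now: float) -> bool:
        """Requires the current password and refuses any password still in the history."""
        salt, current = self.history[-1]
        if not self._matches(old, salt, current):
            return False
        if any(self._matches(new, s, fp) for s, fp in self.history):
            return False                    # reuse of a remembered password
        self._set(new, now)
        return True

    def unlock(self) -> None:
        """Administrative unlock after a lockout."""
        self.locked = False
        self.failed_attempts = 0


if __name__ == "__main__":
    acc = Account("alice", "Correct#1", now=0)
    for attempt in ["wrong"] * 5:
        print(acc.login(attempt, now=0))
    acc.unlock()
    print("reuse allowed:", acc.change_password("Correct#1", "Correct#1", now=0))
    print("change ok:", acc.change_password("Correct#1", "Another#2", now=0))
    print(acc.login("Another#2", now=91 * 86400))
```

The counter is reset only on a successful login and the lockout is cleared only by an explicit administrative action, which is what keeps a 3-5 attempt limit meaningful against the word-list tools described earlier on this page.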





New Year’s Resolution




Obviously, passwords are just one piece of the puzzle. Other pieces are general user education, good physical security, plugging network holes, and installing strong firewalls. These provide much more global protection in the controlled corporate environment than passwords alone, but in areas where the only method of control users have is a PIN or password, the best thing we can do is be aware of security risks and keep up with their password controls.

Friday, August 22, 2008

Using Hashing Algorithms (SHA1 and MD5) In .Net to Secure Passwords



   Securing an application has always been a tough task for developers. Security threats are reduced by various means, among them encrypting query strings, placing important configuration information in secure places such as the Windows Registry, and encrypting passwords in the database.


   Here we will discuss two common hashing algorithms, SHA1 (Secure Hash Algorithm) and MD5 (Message Digest Algorithm). They are irreversible: you can't decrypt them. They are considered secure because it is computationally infeasible to reverse the process and recover the original message from the digest. They are therefore frequently used to produce a unique one-way hash representation of a sensitive message.

   SHA1: The algorithm takes a very large message and produces a 160-bit message digest.
   MD5: The MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit "message digest" of the input.
   We will now implement these algorithms to secure passwords in the database. It is not good practice to store them in the clear: storing passwords as clear text means that you are potentially breaching your own application.

Consider a table with two columns, "Name" and "Password". Assume the passwords stored in the table are in clear-text format. We will now apply hashing algorithms to produce message digests and secure them.







   .Net provides various namespaces for implementing the SHA1 and MD5 hash algorithms. The System.Security.Cryptography namespace can be used for producing SHA1 message digests. System.Web.Security can also be used to implement them.

   I will use the System.Web.Security namespace as an example. Remember that a reference to System.Web is not included by default in a Windows application. You have to add it manually.










   For web projects, Visual Studio automatically adds the reference to System.Web and you just have to add a using directive to bring it into your code. As we are developing a Windows application, we have to explicitly add the reference to System.Web.dll as above. Create a Windows application, put some controls (as shown below) on the main form, and insert the code in the button click event.





// Requires: using System.Web.Security;
private void btnEncrypt_Click(object sender, System.EventArgs e)
{
    // Hash the clear-text password with SHA1 and show the digest in the second textbox
    this.txtEncryptedPassword.Text = EncryptingPassword();

    // Store the digest in the database (the connection string below is the author's example)
    updatePasswordInDB("Server=Fahad; database=TestDB; uid=sa; pwd=sqladmin");
}

public string EncryptingPassword()
{
    // Return the SHA1 message digest of the clear-text password as an upper-case hex string
    return FormsAuthentication.HashPasswordForStoringInConfigFile(this.txtPassword.Text.Trim(), "SHA1");
}


   Right now, ignore the "updatePasswordInDB" function. We will discuss it below. I have just called a function EncryptingPassword(). This function returns the message digest of the text in the Clear Password textbox. You can see the result in the second textbox.








 

For MD5, just replace "SHA1" with "MD5":









FormsAuthentication.HashPasswordForStoringInConfigFile(this.txtPassword.Text.Trim(), "MD5");





   The digest for MD5 is shorter than for SHA1: this is the difference between a 128-bit and a 160-bit digest. In order to update it in the database, we have to open a connection and execute a command on it. The function that does this is somewhat like this.







// Requires: using System.Data.SqlClient;
public void updatePasswordInDB(string connectionString)
{
    // 'using' closes the connection even if ExecuteNonQuery throws
    using (SqlConnection objConn = new SqlConnection(connectionString))
    {
        objConn.Open();

        // Bind the digest as a parameter instead of concatenating it into the SQL text
        SqlCommand objcmd = new SqlCommand(
            "update TestEncryption set password = @password where name = 'Qamar'", objConn);
        objcmd.Parameters.AddWithValue("@password", this.txtEncryptedPassword.Text.Trim());
        objcmd.ExecuteNonQuery();
    }
}






   Don't forget to import the necessary namespaces for database handling. Note that I have updated the password for the user named "Qamar" only. It's an example query, but you can write your own to suit your business requirements.



   The final table view now will become















   Now, when you have to authenticate the user, you can simply convert his/her given password to the respective message digest and compare it with the one stored in the database. This is not the end, though: many other algorithms exist, but if you only need one-way conversion, these are the best.
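The storage and authentication flow described in this post, as an added Python illustration rather than the author's C# project code. It also carries the two changes a practitioner would make to the approach on the page: a single unsalted SHA1 or MD5 pass produces the same digest for every user who picks the same password and can be computed at very high speed by the word-list tools discussed elsewhere on this page, so the example stores a per-user random salt and an iterated PBKDF2-HMAC-SHA256 digest instead (later .NET Framework versions also mark FormsAuthentication.HashPasswordForStoringInConfigFile as obsolete); and the UPDATE binds its values as parameters rather than concatenating them into the SQL text, so a name such as O'Brien cannot alter the statement. The table name TestEncryption and the user Qamar come from the post; the iteration count, the in-memory SQLite database and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; raise it as hardware gets faster


def unsalted_digest(password: str, algorithm: str = "sha1") -> str:
    """The post's approach, shown only for comparison: one SHA1/MD5 pass, upper-case hex."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest().upper()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated digest; salt and cost are stored alongside so they can change later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))
    except ValueError:          # malformed stored value
        return False


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the post's TestEncryption table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TestEncryption (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return conn


def insert_user(conn, name: str, password: str, iterations: int = PBKDF2_ITERATIONS) -> None:
    conn.execute("INSERT INTO TestEncryption (name, password) VALUES (?, ?)",
                 (name, hash_password(password, iterations)))
    conn.commit()


def update_password_in_db(conn, name: str, password: str,
                          iterations: int = PBKDF2_ITERATIONS) -> None:
    """Bound parameters: name and digest travel as values, never spliced into the SQL text."""
    conn.execute("UPDATE TestEncryption SET password = ? WHERE name = ?",
                 (hash_password(password, iterations), name))
    conn.commit()


def authenticate(conn, name: str, password: str) -> bool:
    """The post's login check: look up the stored digest and verify the offered password."""
    row = conn.execute("SELECT password FROM TestEncryption WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    same = unsalted_digest("Pass@123") == unsalted_digest("Pass@123")
    print("two users, same password, unsalted SHA1 -> identical digests:", same)
    same = hash_password("Pass@123") == hash_password("Pass@123")
    print("two users, same password, salted PBKDF2 -> identical digests:", same)
    conn = open_db()
    insert_user(conn, "Qamar", "Pass@123")
    insert_user(conn, "O'Brien", "Irish#Pw1")
    update_password_in_db(conn, "Qamar", "New$Pass9")
    print("Qamar with new password:", authenticate(conn, "Qamar", "New$Pass9"))
    print("Qamar with old password:", authenticate(conn, "Qamar", "Pass@123"))
```

The stored string carries its own algorithm tag, iteration count and salt, which is what lets a deployment raise the cost later and re-hash each user transparently at their next successful login without a bulk migration.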


 


Attachments:


Project Files : Qamar_Encryption.Zip



By Qamar Ahmad Hafeezi



Thursday, August 21, 2008

Tips for Selecting and Protecting Passwords



07/28/2008


by Mr. Power Pass


Passwords are a ubiquitous part of our lives. Some of us punch in dozens of passwords daily: when accessing ATM machines, computers, voicemail systems, e-mail systems, broker or bank Internet services and many others. Often, your most important personal and financial information is accessed by these passwords. To protect your information, password security is vital. Identity theft is the fastest growing crime in the United States, and most identity theft happens as a result of lost or stolen passwords. To protect passwords, consider the following:



  • Avoid using the same password for different purposes. Using the same password enables thieves to more easily access your various accounts.

  • When it comes to passwords, long (eight or more characters) is better than short.

  • Many thieves use what is often called a “dictionary attack” to figure out passwords. Rather than using words or names as passwords, consider inserting numbers or special characters in your password. For instance, instead of “Mary,” use something along the lines of Ma#r2Y%. This makes it much more difficult for thieves to guess or systematically duplicate your password.

  • Also, consider using several uppercase letters in your password. To take advantage of this, make sure that the password is “case sensitive.”

  • Avoid using personal information, such as the dates of your birthday, your dog’s name or your spouse’s name. These are too easy to guess once a thief gains some personal information about you.

  • Thieves have been known to set up duplication software on computers in kiosks, Internet cafes and even libraries. This software enables them to track keystrokes and, thus, gain information about passwords. To thwart this, type in a long string of letters, keystrokes, and special characters, making sure that the string includes all the characters of your password. Then, cut and paste the individual characters of your password into your password field. It’s virtually impossible for duplication software to track individual characters when using this technique.

  • Change your passwords frequently. You leave yourself vulnerable when you have the same passwords for months or years at a time.

  • It may sound improbable, but some people write their password on a sticky note and attach it to their computer. Avoid writing down your password, and never share your password with anyone.

  • When leaving your computer for any length of time, be sure to log out -- even when at work. You’ll have to log in again, but the few added seconds are worth it.

  • When surfing the Web, use the strongest available encryption if you are transmitting your password across the Internet. Many Web sites offer an option to use a secure login.

  • When you have personal information that is highly confidential, store it on a CD, Zip disc or other portable storage vehicle that you take with you, rather than leaving the information on your computer’s hard drive.

  • Be aware that some sites may not allow special characters or upper-lowercase distinctions when creating passwords. Review the site’s recommendations when choosing your password.

In conclusion, password protection is a matter of awareness. When typing in a password while in a public place (ATM, library, kiosk, etc.), make sure that no one can see what you’re typing. Keep your passwords in a safe place so they don’t fall into the wrong hands. And change your passwords often, especially when you feel they may have been compromised, or when others have used them (even trusted friends or associates).