Passwords are a primary piece of information that intruders will try to acquire in order to gain unauthorized access to systems or networks.

Password Storage

When users enter passwords for the network or operating system, the passwords or some representation of them must be stored so that there is something to compare login attempts against. There are three primary choices for password storage:

  • Clear text
  • Encrypted password
  • Hash value of a password - Used by Unix and Windows NT

The storage locations may be:

  • Root or administrator readable only
  • Readable by anyone

Passwords are more secure when they can only be read by the administrator or root account. The best password storage security comes from storing the hashed value of a password.

Typical Hashing Functions

  • UNIX - An algorithm similar to DES with a 56-bit key. Two random characters (salt) are added to the algorithm so that two passwords are not stored as the same value even if the passwords themselves are the same.
  • Windows NT - MD4 is used to generate a 128-bit value.

Password Protection and Cracking

Passwords should be chosen wisely and a dictionary word should never be used. If an attacker can get the hashed or encrypted value of a password, they can run password guessing programs that eventually guess the password by comparing the encrypted result of each guess to the actual encrypted password. The easiest password attack is a dictionary attack, where dictionary words are used to guess the password. Other attacks include a brute force attack, which can take much longer than a dictionary attack. This is why passwords should have a minimum length and a minimum degree of complexity. The complexity requirements should include three of the following four types of characters:

  • Lowercase
  • Uppercase
  • Numbers
  • Special characters such as !@#$%^&*(){}[]

For help in choosing passwords wisely, see the article "Tips for choosing Passwords that can be easily remembered, but are secure".

Protocols to send passwords

  • PAP - Password Authentication Protocol - Used with Point to Point Protocol (PPP). The password is sent in the clear.
  • CHAP - Challenge Handshake Authentication Protocol - Preferred over PAP since the actual password is not sent across the internet or network.
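
The difference between the two protocols, as an added example that is not part of the original page: a Python model of the CHAP exchange using the MD5 response calculation defined in RFC 1994, next to what PAP would put on the wire. The `Authenticator` class, the user name and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Server side: issues single-use challenges and checks responses."""
    def __init__(self, secrets_by_name: dict):
        self.secrets = secrets_by_name   # shared secrets, needed in the clear
        self.pending = {}                # identifier -> outstanding challenge
        self.next_id = 0

    def new_challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256   # Identifier is one octet
        self.pending[identifier] = os.urandom(16)
        return identifier, self.pending[identifier]

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)   # never reuse a challenge
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"constructed-Secret-1!"              # constructed sample value
    auth = Authenticator({"alice": secret})
    pap_wire = b"alice" + secret                   # PAP: the password is the message
    ident, challenge = auth.new_challenge()
    response = chap_response(ident, secret, challenge)
    chap_wire = [challenge, response + b"alice"]   # what an eavesdropper sees
    accepted = auth.verify("alice", ident, response)
    ident2, _ = auth.new_challenge()               # later login, fresh challenge
    replay_accepted = auth.verify("alice", ident2, response)
    return {
        "pap_exposes_secret": secret in pap_wire,
        "chap_exposes_secret": any(secret in m for m in chap_wire),
        "accepted": accepted,
        "replay_accepted": replay_accepted,
    }
```

To compute the expected response the authenticator must hold the shared secret in recoverable form, so CHAP cannot verify against a store that keeps only password hashes.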