198 lines
10 KiB
HTML
198 lines
10 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>Choosing Good Passwords LG #68</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<CENTER>
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
|
|
WIDTH="600" HEIGHT="124" border="0"></A>
|
|
<BR>
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="nazario.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue68/nazario2.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="qubism.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
<P>
|
|
</CENTER>
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4 ALIGN="center">
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H1><font color="maroon">Choosing Good Passwords</font></H1>
|
|
<H4>By <a href="mailto:jose@cwru.edu">Jose Nazario</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
|
|
<p>
|
|
Right now I'm running Crack on some people, and I'm doing a lot of
|
|
thinking about passwords and how to generate good ones. Specifically, what
|
|
sorts of things I can do to get better ones. I was recently asked by a
|
|
friend about any ideas on passwords and about sharing them at our local
|
|
event "LinuxDay". I'll take some time now and discuss passwords with you
|
|
now. Passwords provide our most major defense against unauthorized use of
|
|
our systems, so let's keep them good, even in the presence of crypto,
|
|
firewalls, and rabid dogs.
|
|
|
|
|
|
<p> OK, so this is how I generate passwords for myself: I reach over, grab
|
|
the nearest issue of <a href="http://www.nature.com/">"Nature"</a>, open
|
|
it up to a genetics article and point to some gene construct name and use
|
|
that. No lie. It's how I chose good passwords. Random, complex, easy to
|
|
generate. Granted, a lot of dictionaries have now included gene names, but
|
|
these are construct names, which differ from gene names. So, instead of
|
|
something like "Brc1" it's more like "pRSET5a::20STa::6xHis". You can
|
|
shove the latter in any cracking program and it will not fall out quickly,
|
|
I can almost garauntee it.
|
|
|
|
<p>
|
|
The trick is this: users dislike complex passwords. They're difficult to
|
|
remember, they'll cry. And they're right. To overcome that, they'll
|
|
either write it down on some post-it note on their monitor or change it to
|
|
something silly, like "LucyDoll".
|
|
|
|
<P>Most importanly, a password should roll off the fingers. It should be
|
|
typed quickly and efficiently, and of course corectly. For that matter, I
|
|
sometimes will type it ten times quickly to generate the rythm of it, and
|
|
that works.
|
|
|
|
<P>Quickly, a diversion to the Crack 5.0a documentation, this is ripped
|
|
from the appendix. It deals with password security and security in
|
|
general, and is some good wisdom:
|
|
|
|
<BLOCKQUOTE>
|
|
At the bottom line, the password "fred" is just as secure (random) as
|
|
the password "blurflpox"; the only problem is that "fred" is in a more
|
|
easily searched part of the "password space".
|
|
|
|
Both of these passwords are more easily found than "Dxk&2+15^N"
|
|
however. Now you must ask yourself if you can cope with remembering
|
|
"Dxk&2+15^N".
|
|
</BLOCKQUOTE>
|
|
|
|
<P>OK, great, we've chosen a good password... oh crap. We have about ten
|
|
accounts, some on BBS's, some on systems we can't ssh to, and
|
|
some are the root passwords on systems we administer for major businesses.
|
|
or we have to rotate them often. How do we keep track of them all?
|
|
|
|
<P>Myself, I do two things: I keep <em>levels</em> of passwords. I have a
|
|
handful of passwords for disposable things. Yeah, if someone grabs a
|
|
password of mine I use on a BBS and posts some flamebait, I will get some
|
|
flack. But honestly, I doubt anyone will do that, it's the systems I care
|
|
about and administer that I really protect. Hence, I cycle passwords
|
|
there, using very strong passwords that <strong>never</strong> go out on
|
|
the wire without some strong crypto behind them (ie secure shell). A new
|
|
password is chosen (randomly), and the old ones are bumped down the chain
|
|
to less demanding positions, system and accounts. I use the tricks I
|
|
outlined above, and it has paid off. Sometimes I forget them, and that's
|
|
always a scary moment, but it's usually no more than a minute or two.
|
|
|
|
<P>Keeping track of multiple passwords is easily handied using the
|
|
<A HREF="http://www.counterpane.com">Password Safe</A> from Counterpane
|
|
systems, but that only works on Windows systems. I once started writing
|
|
the implementation for Linux, but given my poor programming skills and
|
|
heavy load of other things, I doubt it will ever see the light of day (it's
|
|
sitting idle now, if anyone wants to know). I do, however, often reccomend
|
|
this program to people with lots of passwords to remember. Other similar
|
|
applications exist for the Palm Pilot of other PDAs, which protect a bank
|
|
of passwords with one password. Since most Linux geeks I know also have
|
|
PDAs, this would be a handy solution.
|
|
|
|
<P>For some real fun, though, check out FIPS 181 (1), a scheme the
|
|
government uses to generate passwords based on pronounceable sounds. It's
|
|
pretty cool, and I started playing with it (via Gpw, a related
|
|
tool(2)). And check out how Crack (3) works, it's chez pimp. For
|
|
comparison's sake, find out how L0phtCrack (4) works, and you'll snicker
|
|
at NT's security. If you're feeling particularily brave and have some
|
|
computing power to burn, consider brute forcing passwords (6), which is an
|
|
interesting problem in dictionary generation and optimization of routines.
|
|
|
|
<h3>Notes and Links:</h3>
|
|
|
|
<P>1. FIPS 181 is Federal Information processing Standard 181. The
|
|
document can be found (with source for DOS) at <A
|
|
href="http://www.itl.nist.gov/fipspubs/fip181.htm">http://www.itl.nist.gov/fipspubs/fip181.htm</a>.
|
|
A companion FIPS document, <a
|
|
href="http://www.itl.nist.gov/fipspubs/fip112.htm">FIPS 112</a>, discusses
|
|
the usage and considerations of passwords.
|
|
|
|
<P>2. Gpw is a UNIX utility in C/C++ (and Java, too) to generate
|
|
pronoucable passwords. Handy and fun. <A
|
|
href="http://www.multicians.org/thvv/gpw.html">http://www.multicians.org/thvv/gpw.html</a>
|
|
. An additional one can be found on <a
|
|
href="http://freshmeat.net/projects/apgd/">http://freshmeat.net/projects/apgd/</a>.
|
|
|
|
<P>3. Crack 5.0a source can be found at <A
|
|
HREF="http://www.users.dircon.co.uk/~crypto/">http://www.users.dircon.co.uk/~crypto/</A>.
|
|
It can also be found at <a
|
|
href="http://packetstorm.securify.com/Crackers/crack/">http://packetstorm.securify.com/Crackers/crack/</a>
|
|
|
|
<P>4. L0phtcrack... how I love thee. <A
|
|
HREF="http://www.l0pht.com/l0phtcrack/">http://www.l0pht.com/l0phtcrack/</A>
|
|
. Mudge tells us how L0phtcrack works at this realaudio presentation from
|
|
beyond Hope, 1997, NYC (1 hour) <A
|
|
HREF="http://www.2600.com/offthehook/rafiles/l0pht.ram">http://www.2600.com/offthehook/rafiles/l0pht.ram</A>
|
|
(Note that since this piece was originally written, L0phtcrack version 3
|
|
has been released. Several people have noted a dramatic drop in the
|
|
efficiency of cracking passwords, though new extraction tools have been
|
|
incoporated into the code. Many people I know who use L0phtcrack use
|
|
version 2.52 for cracking after extractions with version 3.)
|
|
|
|
<p>5. John the Ripper is another useful password cracking utility. Several
|
|
modules for cracking S/Key and MD5 passwords have been introduced lately.
|
|
<a href="http://www.openwall.com/john/">http://www.openwall.com/john/</a>.
|
|
|
|
<p>6. This is a great description of brute forcing passwords and some of
|
|
the techniques involved... I may have to try it! <a
|
|
href="http://attila.stevens-tech.edu/~khockenb/crypt3.html">The ambitious
|
|
amateur vs. crypt(3)</a>
|
|
|
|
|
|
|
|
|
|
<!-- *** BEGIN bio *** -->
|
|
<SPACER TYPE="vertical" SIZE="30">
|
|
<P>
|
|
<H4><IMG ALIGN=BOTTOM ALT="" SRC="../gx/note.gif">Jose Nazario</H4>
|
|
<CITE>José is a Ph.D. student in the department of biochemistry at Case
|
|
Western Reserve University in Cleveland, OH. He has been using UNIX for
|
|
nearly ten years, and Linux since kernels 1.2.</CITE>
|
|
|
|
<!-- *** END bio *** -->
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<P> <hr> <!-- P -->
|
|
<H5 ALIGN=center>
|
|
|
|
Copyright © 2001, Jose Nazario.<BR>
|
|
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
|
|
Published in Issue 68 of <i>Linux Gazette</i>, July 2001</H5>
|
|
<!-- *** END copyright *** -->
|
|
|
|
<!--startcut ==========================================================-->
|
|
<HR><P>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="nazario.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue68/nazario2.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="qubism.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|