Password Security

Password policies

There are no limits to an attacker's search for the right password. The options range from trying out random words to spying on the password using sophisticated wiretapping technology.

Computer security begins with assigning a reasonably secure password.

Passwords should not have any personal connection. Since attackers often use password lists, words that appear in a dictionary or are commonly used should not be used. Password lists are simple text files containing a large number of words, which are then automatically tried by a program. This allows simple passwords to be determined in a very short time. Password lists are available in virtually all languages and can be downloaded from various websites.

Before assigning a password, you should familiarize yourself with the password policies on your system. Company computers usually already have certain guidelines regarding what a password should look like. If this isn't the case, you should create your own password policy. The following guidelines are intended only as examples; depending on the sensitivity of the data, more stringent policies may be appropriate.

The password should...

Creating passwords

To avoid forgetting their password, many users choose easy-to-remember words, such as their own first name, the first name of a family member, their pet's name, or their girlfriend's name. But words like vacation, boss, love, secret or password, or keys that sit right next to each other on the keyboard, such as QWERTZ, ASDF or 12345, aren't as original as they seem.

Using random letters, numbers, and special characters certainly provides good protection, but such character sequences are also very difficult to remember.

Passwords don't necessarily have to consist of random letters. If a word consists of alternating vowels and consonants, or is made up of syllables, it is easier to remember, but also less secure.

Passwords composed of a sentence also appear random but are easy to remember. For example, the sentence "This sentence should make it easier for me to remember the password." can be converted into the password "Tssmiefmtrtp" by using the first letter of each word. If special characters and numbers are added, the password could look something like this: "T$$m1efmtrtp.".

Storage of passwords

To avoid forgetting a password, some users write it down on a piece of paper and hide it in various places. They believe that no one would ever discover this hiding place. Typical hiding places for passwords include notes stuck under the desk pad, under desk drawers, or behind the monitor.

Instead of using pieces of paper, passwords can be stored on the computer using special programs (password safes). These programs should store passwords in encrypted form, so that only a single master password needs to be remembered. Passwords should never be stored on the computer without encryption, for example in plain text files.

The method known as "social engineering", in which the attacker poses as a network manager or system administrator and thereby extracts the user's password, also works more often than one might think. No system administrator will ask a user for their username or password: thanks to their system permissions, they can usually view all user data anyway. You should be especially careful if an "administrator" contacts you on their own initiative without you having contacted them first.

Storing passwords in applications

For security reasons, passwords are usually stored as hash values rather than in plain text. However, this is no longer sufficient given rainbow tables and brute-force attacks using cloud computing. Especially if a user uses an insecure or short password, the time required to crack the password is very short. It is not uncommon for several million passwords or hash values to be tested per second on regular PCs.

With a "salt", the security of a hash value can be increased to such an extent that rainbow tables and other attacks become less effective. Furthermore, round functions can significantly slow down the speed of attack programs.

Password Salt

To make attacks more difficult, a text string can be appended to the password being stored. This renders word lists used by password cracking programs unusable, and rainbow tables would also have to be recreated. The salt can be either a random text stored with the password or a specific static text that is available each time the password is verified. This could be a user's username or e-mail address, for example. Of course, both methods can also be combined.

Example of password salting:
hash = Hash_Method(Password + Username)

Round Functions

Typically, a password is passed to a hash function and stored. Attackers must do the same or use a pre-constructed rainbow table. However, if the hash value is passed back to the hash function, rainbow tables become useless. They would have to be recreated for this exact case, which would be very time-consuming. The more often a value is passed to the hash function, the more often an attacker has to do this for each individual password. This significantly reduces the speed of the attack.

Example of a round function:
hash = Hash_Method(Password)
for 1 to Count
  hash = Hash_Method(hash)

However, you don't have to limit yourself to the password or the hash value of the password alone. For example, the password can be appended to the previously calculated hash value on each iteration.
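The following Python program is an added example, not code from the original article: it combines the salting described above (a random salt stored with the record plus the username as a static salt) with the round function, feeding the password back into every round as the previous paragraph suggests. The round count, salt length and SHA-256 are illustrative choices, not values the article prescribes.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # more rounds slow down an attacker (and the legitimate login) equally


def hash_password(password: str, username: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Iterated, salted SHA-256 of the password (demonstration choice of hash)."""
    # Round 0: random salt + static salt (username) + password.
    digest = hashlib.sha256(salt + username.encode() + password.encode()).digest()
    # Rounds 1..rounds: feed the previous digest back in, appending the password
    # each time so every round depends on the secret, not only on the prior output.
    for _ in range(rounds):
        digest = hashlib.sha256(digest + password.encode()).digest()
    return digest


def create_record(password: str, username: str, rounds: int = ROUNDS) -> dict:
    """Build the stored record: username, fresh random salt, round count and hash."""
    salt = os.urandom(16)  # a new random salt for every user
    return {
        "username": username,
        "salt": salt,
        "rounds": rounds,
        "hash": hash_password(password, username, salt, rounds),
    }


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    candidate = hash_password(password, record["username"], record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = create_record("correct horse", "alice")
    print(verify(rec, "correct horse"))  # True
    print(verify(rec, "wrong"))          # False
    # Same password for another user: different salt, different hash, so a
    # precomputed table for "correct horse" does not help the attacker.
    rec2 = create_record("correct horse", "bob")
    print(rec["hash"] != rec2["hash"])   # True
```

The salt and round count are stored in the clear next to the hash; their purpose is not secrecy but forcing the attacker to start from scratch for every single record.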
