Are Passwords Dead? (Part 1)

Over the last 30 years of information security, there has been one constant protection mechanism deployed on systems all over the world: passwords. Be it your four digit automatic teller machine PIN, your eight character Windows workstation password, or the WEP key protecting your wireless network, the idea of “something you know” has been the one factor of authentication everyone can live with. But have we reached a point where passwords are obsolete?

Over the years, passwords and how they are handled have changed. On UNIX systems, the cryptographic hashes of passwords used to be stored in a world readable file. However, as attackers became more savvy and computers got faster, these cryptographic hashes could be used to perform offline brute force password guessing. So on modern UNIX systems, the passwords are in files that are only readable by the superuser.

Also, Cisco routers used to be considered so secure that passwords were stored in the clear in the configuration file. Then, as network engineers became more security minded, Cisco developed a simple Caesar cipher to obscure the password. This was only marginally better than the cleartext password as hackers were able to ‘unobscure’ the text in milliseconds. Now Cisco devices have the capability to store passwords as cryptographic hashes in a similar manner to what is used in most UNIX systems.

But the future of the password is looking increasingly uncertain. Attackers have become very sophisticated and computers have now achieved phenomenal computing and storage capability. Do more complex passwords really matter? Or should enterprises consider migrating to other authentication mechanisms such as smart cards and biometrics?

Access to the hashes
Most modern password systems do not actually store the cleartext password. Rather, a cryptographic hash is stored instead. A hash is a one way function where a piece of text is run through the hashing algorithm to come up with a unique string of characters for that text value. MD5 and SHA-1 are two common hashing mechanisms used today. For instance, running the string “test” through MD5 will always yield the string d8e8fca2dc0f896fd7cb4cb0031ba249. Finding another string that results in the same value is very difficult. Also, it is impossible to reverse MD5 to take that string of characters and find out that the input string was “test.

The first and most critical step to password security is protecting access to the password hashes. If an attacker can get to a database of hashes, they can attempt to begin guessing password values and comparing the resulting hashes against the hash values in the database. Assuming an attacker is not looking to break into a specific account, but rather any account in an effort to compromise data on the target host, then one guessed password out of thousands of accounts may be all that is necessary. One user on a host with an easily guessed password may ultimately lead to the compromise of the entire system.

That’s why password hashes are now well protected on most systems. As stated earlier, the hash file on a UNIX host is now stored as readable only by root. In Windows, the hashes are stored in the registry and the SAM database that are only accessible by Administrator. Even with these protections, there are still times when these files are compromised.

Furthermore, sometimes hashed passwords go across the network “in the clear” such as instant messaging logins, Windows share access, or even some types of Webbased authentication. How can users and administrators protect themselves when password hashes are obtained?

To be continue in part 2.