The Paperless Groundhog
Words that Fail to Pass
Computer users have accounts for email, Internet access, banking, shopping, travel reservations, and a whole gamut of other purposes. These accounts are accessed using passwords. Why are passwords necessary? (For security). What is a password? (A secret word). Are some passwords good and some passwords bad? (Yes). Is it possible to find out other people’s passwords? (Maybe).
How many different passwords do you have? How many different passwords do you really need? Do you remember all of your passwords? Have you told your password to anyone? The concept, use and secretive nature of passwords evoke a lot of questions in the minds of those of us who have to use them. The questions are straightforward but the answers are not. In fact, the whole scheme of using passwords to protect accounts has become rather questionable.
A password is a secret. The best-known password, of course, is “Sesame” made famous by the command “Open Sesame” in the Arabian Nights fable of Ali Baba. Today the password pretty much works the same – it opens doors for you. How secure is your password? That is, can someone who wants to know your password get to know it, even if you do not divulge it? The truth is actually a little bit scary.
A computer system is managed, run and maintained – or rather “administered” – by one or more humans who are called System Administrators (or sysadmins for short). Sysadmins are demi-Gods and have powers significantly beyond us lesser mortals. They can see, hear and feel everything on the computer system. Nothing is secret from them, and they have a tradition of extreme righteousness. A sysadmin will never reveal anything about one user to another, or use the information he or she has access to in any harmful manner. When computers were few and far between, the few honest people that existed on earth became sysadmins. Now that computers almost outnumber humans, the population of sysadmins has, by necessity, exploded. No longer can we assume every sysadmin is upright. Hence, one source of stolen passwords is the people who are entrusted with them. Luckily, the vast majority of system administrators are beyond reproach.
Suppose Alice uses one of the many web-based email services, such as Yahoo. Alice has an account with the good people at Yahoo and chooses a password, and let us assume her password is “apple”. Like most responsible people, Alice has never told anyone her password – not her closest friends, nor her family, nor even her trusty dog. Bob, however, is a person with questionable intent and wants to find out Alice’s password. How can Bob do it? Let us take a random walk through the jungle of password handling to get some insight into the art of stealing passwords.
Passwords entered the computing arena with the advent of interactive computing in the mid to late 70’s. In those days, roomfuls of terminals were hooked up to a large boxy machine and tens of glassy-eyed geeks would spend over 30 hours a day pounding the keys in search of the soul of the machine. Soon, some geeks realized it was necessary to keep most of the information they stored on the computer from the prying eyes of a few other geeks who seemed to have very long noses and too much time on their hands. And soon the password scheme was born.
Every user of the machine has a username and a password. You cannot access anything belonging to Alice without knowing her password. Since the password is considered very secret, even the computer itself is not trusted to securely store the passwords. The power of encryption is used to protect the passwords. When Alice chooses the password apple, the computer encrypts it and the result looks like gibberish, for example P2qwE3x. Instead of storing the word “apple” as Alice’s password, the computer stores the word “P2qwE3x” as Alice’s password. When Alice tries to sign on to the computer, the computer asks for her password. She types “apple” and then the computer encrypts “apple” and gets the result “P2qwE3x”. Since this result matches the stored password for Alice, the computer recognizes Alice as Alice. (This scheme is still used in Unix and Windows NT systems, but is not used on web-based systems, as the encryption scheme makes password recovery a little inconvenient – if Alice forgets her password, no one can find it.)
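The storage scheme described above, as an added example that is not part of the original article. In current practice the transformation the article calls encryption is a salted one-way function; the choice of scrypt from Node.js's crypto module, the function names and the second user are assumptions made for this sketch.

```javascript
// Added example: salted one-way password storage and login check.
const crypto = require('node:crypto');

// Constructed in-memory account table: username -> { salt, verifier }.
const accounts = new Map();

// Derive the value that is stored instead of the password itself.
function derive(password, salt) {
  // scrypt is deliberately slow and memory-hard; 32-byte output.
  return crypto.scryptSync(password, salt, 32);
}

// Enrolment: pick a fresh random salt and keep only salt + verifier.
function enroll(username, password) {
  const salt = crypto.randomBytes(16);
  accounts.set(username, { salt, verifier: derive(password, salt) });
}

// Login: repeat the transformation on the typed password and compare.
function login(username, typed) {
  const record = accounts.get(username);
  if (!record) return false;
  const candidate = derive(typed, record.salt);
  // Constant-time comparison avoids leaking how many bytes matched.
  return crypto.timingSafeEqual(candidate, record.verifier);
}

enroll('alice', 'apple');
enroll('carol', 'apple'); // hypothetical second user with the same password

// The stored value is gibberish, and differs per user because of the salt.
console.log(accounts.get('alice').verifier.toString('base64'));
console.log(accounts.get('carol').verifier.toString('base64'));
console.log(login('alice', 'apple'), login('alice', 'Apple'));
```

Because each record has its own random salt, two users who both choose “apple” end up with different stored values, so one stolen record does not reveal who shares a password.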
Bob in his quest for Alice’s password tried to bribe the sysadmin and failed. Now what is he going to do? The first three techniques he can use are called guessing, cracking and social engineering. It is amazingly easy to guess passwords. A majority of people use the name of a significant object as a password – spouse, loved one, the trusty dog, the pet rock and such. Even today, it is estimated that almost half the passwords in use can be guessed from some easily available information about the owner of the password.
If guessing does not work, then it is time to bring out a bigger gun, cracking. The first cracking method is to try all the words in a dictionary. Cracking using a dictionary works rather well. “Not possible”, you think, “the dictionary has too many words”. The dictionary is big by human standards, but for a computer it is no big deal. For obtaining a very important password, the time spent is well worth it. The English language has fewer than 1 million words. A slow computer can process 10 words a second, and will take 28 hours to check a million words. A fast computer can easily do anywhere between 100 and 1000 words a second, making the time needed vary from 2.8 hours to 17 minutes. There are optimizing tricks that can actually cut the time to do a dictionary search to about a minute. In case the password is not in the dictionary, there are several brute-force cracking techniques which can take from a few days to hundreds of years depending upon how complex the password is.
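The defensive counterpart of guessing and dictionary cracking is to refuse such passwords when they are chosen. The check below is an added example, not from the original article; the word list, the dog's name and all function names are constructed for illustration, and the last loop reproduces the article's search-time figures.

```javascript
// Added example: enrolment-time check against guessable passwords.
// Constructed sample data; a real deployment would load a large word list.
const DICTIONARY = new Set(['apple', 'sesame', 'password', 'groundhog']);

// Reduce a candidate to the base word an attacker would try:
// lower-case it and drop digits/punctuation added at either end.
function baseWord(password) {
  return password.toLowerCase().replace(/^[^a-z]+|[^a-z]+$/g, '');
}

// Return the reason a password is guessable, or null if none was found.
// personalInfo holds facts about the owner (names of spouse, pet, ...).
function guessableReason(password, personalInfo) {
  const word = baseWord(password);
  const reversed = [...word].reverse().join('');
  const personal = personalInfo.map((s) => s.toLowerCase());
  if (personal.includes(word) || personal.includes(reversed)) {
    return 'derived from personal information';
  }
  if (DICTIONARY.has(word) || DICTIONARY.has(reversed)) {
    return 'dictionary word';
  }
  return null;
}

// Hours needed to try every word at a given guessing rate (words/second).
function hoursToExhaust(wordCount, wordsPerSecond) {
  return wordCount / wordsPerSecond / 3600;
}

// Constructed facts about Alice; "Rex" is a hypothetical dog name.
const aliceInfo = ['Alice', 'Rex'];
for (const pw of ['apple', 'Apple123', 'rex!', 'elppa', 'tq7-Vm2#kd']) {
  console.log(pw, '->', guessableReason(pw, aliceInfo) ?? 'no match');
}

// The article's rates: 10, 100 and 1000 words per second, 1 million words.
for (const rate of [10, 100, 1000]) {
  console.log(rate, 'words/s:', hoursToExhaust(1e6, rate).toFixed(2), 'hours');
}
```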
Social engineering, on the other hand, does not depend on the speed of any computer. Bob hires a charming fellow, Charlie. Charlie sweet-talks Alice into revealing her innermost secrets, including the password. This technique is of course very old and has been perfected by large companies and governments who successfully obtain top-secret information using, shall we say, social engineering.
If you have a password that is long, and does not appear in a dictionary, and you are not very susceptible to schmoozing, you are probably feeling quite smug. Perish the thought. Guessing and cracking are tools of the past; stealing passwords today is easier than ever, thanks to the architecture of the networks we use and the way web services are managed. Why bother with guessing and cracking when we can indulge in grabbing and sniffing?
Let us follow Alice into a cyber café and watch her check her email. She connects to Yahoo and types in her password. The password is read from the keyboard by the computer belonging to the cyber café and then sent over a phone line to a computer belonging to an ISP (internet service provider). The ISP computer then sends it over the backbone network to a router, which forwards it to yet another router, and after a few bouncing trips around the world the password is received by one of the hundreds of computers at Yahoo’s computer farm.
The above process is riddled with vulnerabilities and at many points the password can be intercepted and stolen. The most secure channel in the above scenario is probably the phone connection from the cyber café to the ISP. First, the computer at the cyber café very likely has a grabber. A grabber is a small, stealthy program that records all keystrokes on the computer, and can figure out which keystrokes are actually passwords. Grabbers are a real problem with public computers. Even if the computer you use is completely private, it is possible for someone else to install a grabber on your machine by sending you a virus-like program via Email. Such grabbers Email the passwords back to the person who planted the grabber. Isn’t that special?
After the password leaves the cyber café computer and is making its long trek to the Yahoo computer, it encounters sniffers. Sniffers are programs running on intermediate computers that “sniff” the communication traffic for passwords and other important information. Miscreants who install sniffers on the network amass thousands if not millions of passwords in a matter of a few days. The underbelly of the cyber world is a vast hacker’s paradise.
Apart from sniffing and grabbing there are other vulnerabilities. The computers at the email provider (such as Yahoo) store Alice’s password. It may be possible for a wily hacker to break into Yahoo and steal passwords. While Yahoo is a very careful company and guards their machines very well, other operators have suffered from break-ins.
It is possible for an employee working for an email provider to read Alice’s password. A lot of people at large email sites have access to password information. This does not seem to be much of a problem, as after all the email site stores all the email too. Hence, an employee may be able to read Alice’s email without Alice’s password. What is really sinister is that Alice, like many people, uses the same password for both her email and her banking account. Get the picture? A person working for an Email company can access Alice’s bank account!
Given such a gamut of security risks it is quite disturbing that passwords are actually used. The attractiveness of the password scheme is the sheer simplicity. Are there any alternatives that are safer? Yes.
Over the years technology has devised many methods to make cyberspace secure. Cryptography is almost the panacea. Using well-known cryptographic techniques, it is possible to completely eliminate weak passwords, password grabbing, sniffing, and stealing. Even service provider employee misbehavior can be protected against. These techniques include public key encryption, digital certificates, and challenge-response authentication, and they have some stunning characteristics. A person’s password is so secret and so secure that it is not even chosen by the person. It is never divulged to any computer or service provider. That is, Yahoo or your bank, or your ISP would never know your password. It is never typed on a computer, it is never transmitted over networks. It is virtually impossible to be obtained by hacking or cracking. Yet, it is possible for Alice to use her password (actually called a private key) to prove to Yahoo that she is indeed Alice. Even if Bob observes Alice authenticating herself to Yahoo, he cannot mimic her and assume her identity. It is amazing and quite unbelievable technology, which can be embedded in tiny smart cards. Smart cards, however, are not as convenient to use as passwords. Hence they have not become popular, yet. However, safety has a price.
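The challenge-response login described above, as an added example that is not part of the original article. It assumes Ed25519 signatures from Node.js's crypto module stand in for the smart card's private-key operation; the function names and the in-memory server tables are hypothetical.

```javascript
// Added example: challenge-response login with a private key (Ed25519).
const crypto = require('node:crypto');

// Alice's side. The private key stays here (on a smart card in the article).
const alice = crypto.generateKeyPairSync('ed25519');

// Server's side: it stores only public keys, never a secret of Alice's.
const registered = new Map([['alice', alice.publicKey]]);
const pending = new Map(); // username -> outstanding challenge

// Step 1: the server sends a fresh random challenge for this login attempt.
function issueChallenge(username) {
  const challenge = crypto.randomBytes(32);
  pending.set(username, challenge);
  return challenge;
}

// Step 2: the client signs the challenge; only the signature is transmitted.
function respond(privateKey, challenge) {
  return crypto.sign(null, challenge, privateKey);
}

// Step 3: the server verifies against the stored public key and discards
// the challenge so that the same response can never be accepted twice.
function verifyResponse(username, signature) {
  const challenge = pending.get(username);
  const publicKey = registered.get(username);
  pending.delete(username);
  if (!challenge || !publicKey) return false;
  return crypto.verify(null, challenge, publicKey, signature);
}

// Honest login: Alice answers the challenge she was sent.
const first = respond(alice.privateKey, issueChallenge('alice'));
const aliceOk = verifyResponse('alice', first);

// Bob recorded `first` on the wire and replays it on a later attempt.
issueChallenge('alice');
const replayOk = verifyResponse('alice', first);

// Bob signs the new challenge with a key of his own instead.
const bob = crypto.generateKeyPairSync('ed25519');
const forgedOk = verifyResponse('alice', respond(bob.privateKey, issueChallenge('alice')));

console.log({ aliceOk, replayOk, forgedOk });
```

The server holds nothing worth stealing for impersonation: a copy of its table yields public keys only, and a recorded signature is useless against the next random challenge.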
Partha Dasgupta is on the faculty of the Computer Science and Engineering Department at Arizona State University in Tempe. His specializations are in the areas of Operating Systems, Cryptography and Networking.