Klein, D. V. (1990). Foiling the cracker: A survey of, and improvements to, password security. In Proceedings of the 2nd USENIX Security Workshop (pp. 5-14).
The article "Foiling the Cracker: A Survey of, and Improvements to, Password Security" by Daniel V. Klein was published in 1990. Klein looks into system security and discusses how people can hack passwords. He claims that security has always been a challenge for most individual accounts, as there are people who know how to manipulate such accounts in order to hack them and obtain vital information about another party. He discusses the various ways in which technology has motivated interference with system security. He offers information on how some people can break into individual accounts. He also discusses the several ways in which crackers can be exposed. He then recommends a way in which system security can be improved.
He introduces the paper by acknowledging that users and developers of Unix have faced various challenges as far as passwords and the security of accounts are concerned. He identifies the password encryption algorithm that was used by Unix in its early years (Klein, 1990). The encryption was a simulation of the M-209, which was also used by the U.S. Army. He claims that the encryption was a fair one apart from one vulnerability: a hacker could recover all the passwords by comparing encryptions with data from the password file. He also adds that the encryption in Unix changed some years later, when it started to use the DES algorithm. He identifies a few disadvantages of DES encryption. He claims that the DES algorithm (DES1975) is difficult to decrypt and is sometimes slow. He claims that the problem of password encryption seemed solved for some time until a few setbacks brought it back. The setbacks include two recent developments and a recurring old development. They include internetworking, user password choice, and the use of the DES algorithm. He adds that since all users can read the entire password file, the chances of the passwords being cracked are very high. Klein acknowledges that although many sites have tried to respond to the problem of password security management by informing users of which passwords can be cracked, they fail to realize that outsiders can still crack the passwords too. He asserts that outsiders have several ways of cracking passwords even if the sites try to improve the password security of users (Klein, 1990). The outsiders have devices and sophisticated dictionaries that they use to crack people's passwords. He claims that Sun Microsystems suggests making the encrypted password file unreadable to combat password cracking. The password file can be split into two, with one part readable and the other, a shadow password file, readable only by root.
He proposes a proactive password checker as a way of dealing with password crackers. Proactive password checkers can allow free password changes and also assess password strength. The checkers can inform users when their passwords are weak and can be cracked. He suggests that the checker can be configured on a per-site basis for the desired level of security, with the other, undesired levels considered illegal.
Klein then goes on to discuss password vulnerability. Under this topic, he identifies two simple steps by which a cracker can access any Unix machine. The first step is the acquisition of a given site's /etc/passwd file. The acquisition can be through tftp, ftp, or a vulnerable uucp link. The second step is the application of a standard version of the password encryption algorithm to a group of words (Klein, 1990). He explains that when a cracker follows the two steps and succeeds in finding a match, which is always the case, he/she gains access to the target. He acknowledges that many people are aware of this type of attack and the ways to counter it. He identifies an accounting of the vulnerability of sites as the only element lacking in efforts to counter password cracking. He notes that most people feel that there is a problem, but they do not know that they can also be victims.
Klein then discusses the survey and initial results regarding password security management. He confirms that he involved a few friends and relatives in a survey in December 1989. The survey involved the participants emailing him copies of their /etc/passwd files, which he would use to try to crack their passwords. He assured them that he would send each person a report on the vulnerability of their systems without revealing their passwords to anyone. He knew that the survey was sensitive, and that is the reason he was satisfied with a small number of respondents. He claims that he used intrusion strategies to test the account entries. He claims that he was able to assemble a database of 15000 account entries using the information he was given. He notes that approximately 25% of the passwords were guessed, and 2.7% of the passwords were cracked in the first fifteen minutes of testing. He claims that on a system with approximately fifty accounts, the first account is highly likely to be cracked in under two minutes. An average of five to twelve accounts is likely to be cracked in 24 hours. He then explains what safe passwords should look like (Klein, 1990). An example is a password made of a two-word pair with a punctuation mark between the words. Another example of a safe password he cites is one that is formed from easily remembered words that are not common.
Klein investigates how the attacks on the accounts happened and whether the accounts were vulnerable. The test involved grouping passwords with the same salt values together to help speed up the process. The grouping of the passwords eased the test, as the work was reduced to 4,000 salt values instead of the initial 15000 accounts (Klein, 1990). The password tests involved trying the details of the user, for example, his/her initials, relevant information, and account name. Another process involved the use of words from dictionaries. Another test involved the use of permutations of the words from the dictionaries. Apart from permutations of dictionary words, capitalization permutations were also tried. Foreign-language words were also tried for people who speak foreign languages. Lastly, word pairs were also used in the attacks on accounts. Klein claims that he used four DECstation 3100s that had the capability to check 750 words in a second.
Klein then summarizes the results of his findings on how and why the attacks happen. He claims that most people assume the idea that using common words as passwords increases an account's chances of being hacked. Such people often end up with hacked accounts. According to him, words that exist in dictionaries are prone to hacking. He claims that the results from the survey were disheartening, since it began with a dictionary of approximately 62727 words. The survey ended with 25% of the accounts cracked. He then discusses the actions that should be taken depending on the results of the survey (Klein, 1990). He identifies a password checker as a possible solution to account cracking. However, the checking method was identified as having setbacks that include excessive time and resource consumption. He proposes that another method of eliminating account hacking is advising users to change their passwords frequently. He also proposes the use of assigned passwords as a way of eliminating hacking. Another way of handling hacking is the use of smart cards. The cards have the ability to issue a challenge to gain access. Klein identifies the proactive password checker as the best way of eliminating password hacking. He states that before attending to one's password, it is important to ensure that easily guessed passwords are eliminated. He claims that the password checker often requires a minimum of eight characters that do not exist in any dictionary. It also requires punctuation marks, a control character, and upper and lower case (Klein, 1990). The password checker's principles help to ensure that maximum password security is achieved. He also supports the idea of making configuration files unreadable, since readable ones increase the chances of hacking. He claims that the password checker ensures maximum password security by informing users with weak passwords why those passwords should not be used.
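The checker rules summarized above can be sketched as follows. This is an added example, not code from Klein's paper or from this summary; the function names and the small word list are constructed for illustration, and treating a punctuation mark or a control character as satisfying one requirement is an assumption.

```python
import string

# Constructed sample word list; a real site would load its own dictionary.
DICTIONARY = {"password", "dragon", "wizard", "secret", "monkey", "summer"}

def normalise(candidate):
    """Undo cheap permutations: case changes and leading/trailing digits or punctuation."""
    return candidate.lower().strip(string.digits + string.punctuation)

def variants(word):
    """Forms of a base word that a dictionary attack covers: itself, reversed, doubled."""
    return {word, word[::-1], word + word}

def check_password(password, account, full_name, dictionary=DICTIONARY):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than eight characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        reasons.append("needs both upper and lower case letters")
    # Assumption: either a punctuation mark or a control character satisfies this rule.
    if not any(c in string.punctuation or ord(c) < 32 for c in password):
        reasons.append("needs a punctuation mark or control character")

    core = normalise(password)
    # User-derived guesses tried first in the survey: account name, name parts, initials.
    parts = [p.lower() for p in full_name.split()]
    personal = {account.lower(), "".join(p[0] for p in parts), *parts}
    personal.discard("")
    if any(core in variants(p) for p in personal):
        reasons.append("derived from account name or user details")
    if any(core in variants(w) for w in dictionary):
        reasons.append("derived from a dictionary word")
    return reasons

if __name__ == "__main__":
    for pw in ("dragon", "Nogard99!", "Dklein2024!", "Wizard;Monkey"):
        print(repr(pw), check_password(pw, "dklein", "Daniel Klein") or "accepted")
```

Returning the list of reasons, rather than a bare accept or reject, matches the point that the checker should tell users why a weak password should not be used.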
In conclusion, Klein investigates the need to ensure maximum password security. He conducts research in which he invites his friends and relatives to take part in a survey. He then analyzes the passwords they provide to him to confirm whether he can hack them. He then investigates how attacks on accounts usually happen and gives suggestions on how to avoid the attacks. Klein proposes the use of a proactive password checker, as he claims that it limits the chances of getting hacked. The password checker has several guidelines on its functionality that may assist an individual in ensuring he/she has a strong password. Personal accounts contain very sensitive information about different aspects of life for many people. They need to be protected from threats such as hacking to ensure that information is not stolen. People should avoid formulating passwords using common names or events that anyone can guess. Considering this, it becomes necessary to use proactive passwords while setting up these accounts. Proactive passwords should contain different letters of the alphabet, numbers, and symbols. The symbols and different numbers make it hard to guess the passwords; hence, hacking is not possible. Additionally, changing passwords often makes it difficult for people to guess the password; hence, cracking them becomes difficult. Therefore, people should aim to change passwords on a regular basis and to incorporate the proactive password checker to ensure accounts are not easily hacked.
Reference
Klein, D. V. (1990). Foiling the cracker: A survey of, and improvements to, password security. In Proceedings of the 2nd USENIX Security Workshop (pp. 5-14).