Password security has plagued systems administrators for many years. There exist publicly available password guessing applications that are able to crack passwords using brute force techniques with massive dictionary word lists. The most notable password guesser, Alec Muffett's Crack, is a simple, smart, and powerful application. It is common that Crack will guess a significant number of the passwords on a system where password requirements are not being enforced. The system administrator cannot rely on the user to choose strong non-guessable passwords. The only way to enforce certain password requirements is to do it at the time the user changes their password. Hence, the UNIX password program must be evaluated.
Before looking at the various password programs, the importance of the /etc/passwd file must be addressed along with the characteristics of passwords. The password is the most important aspect of securing a UNIX system. It is very easy for a cracker to enter a system using a guessed password and spoof their way to root via well-known operating system security holes. If the door can be slammed in the face of potential crackers with a robust password file, most of the easier avenues of attack have immediately been sealed.
Most UNIX systems support the use of shadow passwords. The common /etc/passwd file stores information about all the user accounts on the system. This information includes the encrypted password, uid, gid, home directory, shell, etc. The /etc/passwd file must be world readable so applications like ls are able to translate uids and gids. If shadow passwords are being used, then the encrypted password field in the /etc/passwd file is "starred" out (i.e. replaced with a *). The encrypted password is then stored in the /etc/shadow file. This file is readable only by root, eliminating the possibility of a user grabbing encrypted password strings and running Crack against them. Note that only a few applications use the encrypted password field; these include su, login, and xlock, and they must be setuid root.
The dictionaries used by Crack are huge and range from the normal to the bizarre (e.g. Star Trek words dictionary). Crack tests every word in these dictionaries for each mangling rule specified. These mangling rules are easily configurable and can tell Crack to test a word written backwards, punctuation at the end, punctuation at the beginning, replacing every t with a 3, capitalized, etc. It is possible to configure Crack to use as many mangling rules as wanted. Crack comes with many dictionaries totaling over a million words and approximately five hundred mangling rules. Even then, more dictionaries and mangling rules can be found on the Internet.
Because Crack can guess the simplest passwords, and can be configured to guess some stronger ones, the user needs to choose a password that is not easily cracked. Passwords that are easier to guess are ones that, for example, can be found in a dictionary, use some variant of the login name, or contain all lower or all upper case characters. A password should be at least six to eight characters long and contain a mixture of lower case, upper case, numeric and special characters. The objective when choosing a password is to make it as obscure as possible, so that a cracker cannot make educated guesses about it. This leaves no alternative but a brute force search that tries every possible combination of letters, numbers, and punctuation characters.
Not only are the contents of the password important but so is the length. With brute force techniques in mind, consider the following. The total number of permutations of six versus eight character passwords that contain exactly three non lower case characters differs so significantly that it is worth making the user remember two extra characters. Difference: 17 billion (six characters) vs. 33 trillion (eight characters). A brute force search on an eight character password would take well over one thousand years to complete using a machine that could test approximately five thousand passwords per second.
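The count behind the six-versus-eight comparison, written out here as an added worked calculation (not from the article). The article does not state which characters it counted as non lower case, so the alphabet size $M$ below is an assumption.

$$N(L,k)=\binom{L}{k}\,26^{\,L-k}\,M^{k}$$

where $L$ is the password length, $k=3$ is the number of non lower case characters, and $M$ is the size of the non lower case character set. Taking $M=36$ (26 upper case letters plus 10 digits):

$$N(6,3)=\binom{6}{3}\cdot 26^{3}\cdot 36^{3}=20\cdot 17576\cdot 46656\approx 1.6\times 10^{10}$$

$$N(8,3)=\binom{8}{3}\cdot 26^{5}\cdot 36^{3}=56\cdot 11881376\cdot 46656\approx 3.1\times 10^{13}$$

The ratio is roughly $1900$, the same order of magnitude as the 17 billion and 33 trillion quoted above; the exact figures depend on how many special characters are included in $M$. At a test rate of $R$ passwords per second an exhaustive search takes $N/R$ seconds, i.e. $N/(R\cdot 31\,536\,000)$ years.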
Lastly, it is very important to force users to select a password that is completely different from the old. If a user's old password gets cracked, the cracker will most likely try to guess the new password using simple modifications to the old password. Users have a tendency to choose a new password that differs from the old by only a couple characters. Most password programs test to ensure that old and new passwords differ by at least three characters.
Most of the default password programs shipped with UNIX OSs are not able to protect the system from password crackers. They don't have the capabilities to allow the system administrator to enforce password construction requirements. Additionally, the interfaces (command line arguments) are different across platforms making it more difficult for the system administrator.
After examining the password programs for Solaris, IRIX, SunOS, and FreeBSD, it was determined that SunOS's was the strictest in enforcing password requirements. Unfortunately, they all allowed passwords that could be guessed using Crack's default configuration. They wouldn't allow an all lower case password and forced the use of at least one upper case, numeric, or special character, but this isn't enough. SunOS goes a step further and enforces that a password must have three of the following four character types: lower case, upper case, numeric, and special. Both Solaris's and SunOS's required an eight character password, but IRIX's and FreeBSD's allowed a six character password. FreeBSD's was the only one that did not enforce a minimum number of different characters between the old and new passwords, allowing the user to change their password without actually changing it.
There exist some public domain password programs that are a drop in replacement of the weaker default password programs. These public domain programs have been ported to a variety of UNIX variants. The two programs evaluated were Passwd+ and Npasswd.
Passwd+ written by Matt Bishop is fully configurable to allow the system administrator to enforce specific password requirements. Passwd+ uses a configuration file that is read at run time to specify the password requirements. This means that Passwd+'s configuration file must be protected as well as maintained. Unfortunately, it appears that Passwd+ is no longer supported as there haven't been any updates or modifications in the past few years.
Npasswd written by Clyde Hoover is yet another good password checker. Npasswd is unique in that it offers full support for NIS/NIS+. Like Passwd+, Npasswd uses a run time configuration file to specify password requirements. Another feature offered by Npasswd is a history database of old passwords. The system administrator can set the depth of this database to prevent a user from reusing an old password. Npasswd is fully supported and is currently being maintained by Clyde Hoover.
At first, the Security Team at the NAS (Numerical Aerospace Simulation) Facility attempted to modify each vendor's passwd application to enforce the facility's password requirements. Since most of the code is proprietary and hard to get, and the interfaces to each of these applications are mostly different, the administration was extremely difficult. Needless to say, the team gave up on the vendor's sources and analyzed both Passwd+ and Npasswd. Both of these public domain applications were attractive but did not fulfill the requirements at the NAS Facility. The NAS does not use NIS/NIS+ and the Security Team did not want to use or maintain a run time configuration file for the password application. For these reasons it was decided to create a new password application, Epasswd, that is able to meet the password construction requirements for all systems as well as minimize the administration.
Epasswd is different from Passwd+ and Npasswd in that configuration is done at compile time. Epasswd offers a unique configuration feature for enforcing that certain characters occur in the middle of the password. Users often choose a password that is a common word with a number or special character inserted as the first or last character, and Crack guesses these passwords easily. Epasswd is fully supported and currently being maintained, with an effort to port it to as many UNIX variants as possible.
The Security Team at the NAS Facility has been using Epasswd for over a year. The team has continually run Crack for that time and Crack has been unable to guess any new passwords created using Epasswd. Epasswd has proven itself as a good replacement for the UNIX password application. Here is a simple overview of the configuration and use of Epasswd.
As already mentioned, Epasswd is configured at compile time so there is no run-time configuration file that must be maintained. Unfortunately, if the password requirements change, Epasswd must be recompiled with the new requirements and re-installed. To change the requirements while using Passwd+ or Npasswd, simply update the necessary configuration file. Epasswd offers the options listed in Table 1 for specifying how passwords should be constructed.
Epasswd offers all the normal operation expected from a password program and more. Note that Epasswd has full native support for the underlying OS's password implementation (e.g. password aging & shadow passwords). No modifications or additions are made to the underlying implementation so there is no need to modify and re-compile other applications that depend on the underlying implementation.
Password aging is a feature that allows the system administrator to specify the age characteristics of a password. There are three characteristics that can be specified. First is the maximum age: This specifies the number of days that the password is valid before it must be changed. Second is the minimum age: The minimum age specifies the number of days that must pass between password changes. This is used to prevent a user that is being forced to change their password from changing their password and then quickly changing it back to the original. Lastly is the warn time: The warn time specifies the number of days before a password must be changed to warn the user. The warning occurs when the user logs in.
Using Epasswd, the following command sets user edavis's password maximum age to one year, minimum age to one week, and warn time to 3 days:
# passwd -x 365 -n 7 -w 3 edavis
To turn off password aging completely, simply specify -1 as the maximum age:
# passwd -x -1 edavis
The system administrator is also capable of both forcing a user to change their password immediately and locking a password to prevent future logins. To force a password change, simply specify 0 as the maximum age:
# passwd -x 0 edavis
Now the user edavis will be forced to change his password the next time he logs into the system. The system administrator also has the ability to lock a user's password. When locking a password, the encrypted password field in the /etc/passwd file is replaced with the string *LK*. Other password programs vary in the string used to lock an account. This is done using the following command:
# passwd -l edavis
When shadow passwords are being used, some OSs offer extra features. On both Solaris and IRIX systems, it is possible to expire accounts. Epasswd takes advantage of this feature to allow the system administrator to expire an account immediately or set the date when an account expires. For setting a date when an account expires, the date must be specified as the number of days since January 1, 1970. Fortunately, Epasswd has an option that reports the current date as the number of days since January 1, 1970 to help determine an expiration date:
# date
Sat May 2 16:39:17 PDT 1998
# passwd -v
Epasswd version: v1.1
uname: IRIX shark 6.3 12161207 IP32
Shadow passwords are currently being used.
It has been 10348 days (1478 weeks) since January 1, 1970.
Here is how to set an account to expire on April 8, 1999:
# passwd -e 10690 edavis
Epasswd also lets the system administrator expire an account immediately:
# passwd -E edavis
Additionally, the system administrator can set the number of days of inactivity allowed for an account before expiring it. This eliminates the hassle of old unused accounts lingering on the system. Use the following command to set one month as the allowed period of inactivity:
# passwd -i 30 edavis
Epasswd offers some extra features that are not found in any other password program distributions. The first is a command line argument that is used to swap in an already encrypted password. Using this allows the administrator to easily distribute a user's password across multiple systems on which the user has an account. Now there is no need to cut and paste an encrypted password string while editing the password file. Second is the utility Genpasswd. Genpasswd is a simple program that generates random passwords. It features a full set of command line options to specify how the password should be constructed. The options are very similar to Epasswd's compile time options listed in Table 1. Genpasswd is excellent when assigning an initial password to a new user account. The following command generates a password that is eight characters long and contains one upper case character, two numeric characters, and one special character in the middle:
# genpasswd -l 8 -u 1 -n 2 -s 1 -S
2!8rpIer
The information presented here should not be overlooked. Take the time to run Crack on your systems and see how many insecure passwords exist. It is the system administrator's responsibility to protect their systems by ensuring that passwords are secure. Eliminating all insecure passwords and turning on shadow passwords will help prevent break-ins. Check the documentation for your system's password application to ensure that simple passwords are not allowed. If they are, the public domain password applications to choose from (Passwd+, Npasswd, and Epasswd) have all proven to enforce strong, hard-to-crack passwords.
Table 1. An Epasswd configuration with passwords it rejects and accepts. The three columns are independent lists; entries in the same row are not related to each other.

| Epasswd Configuration | Invalid Passwords | Valid Passwords |
|---|---|---|
| Minimum Length = 6 | Rabbit | Rab*bit |
| Maximum Length = 8 | r2bbit | Rabb1T |
| Minimum lower case = 1 | tibbaR | rabb*T |
| Minimum upper case = 1 | RABBIT! | raB%Bit |
| Minimum numeric = 1 | Rabbit. | Rabb!t |
| Minimum special = 1 | rabbit5 | RAB1$BIT |
| Minimum tests pass = 3 | RABB1T | tiB-Bar |
| Upper case middle = false | r2bb1t | rab-b1t! |
| Numeric middle = true | TIBBAR | ra"BB"it |
| Special middle = true | ?rabbit | R+bb+t |
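As an added illustration (not Epasswd's own code), here is a checker that implements the Table 1 configuration, including the middle-of-password rule described earlier, together with the old-versus-new difference test mentioned for the vendor password programs. The set of "special" characters and the reading of "differ by at least three characters" are my assumptions; the article's valid and invalid lists all classify as shown.

```python
import string

# Assumption: "special" means any printable, non-alphanumeric, non-space character.
SPECIAL = set(string.punctuation)

# The configuration shown in Table 1. A *_middle flag of True means a
# character of that class only counts when it is neither first nor last.
TABLE1 = {
    "min_length": 6, "max_length": 8,
    "min_lower": 1, "min_upper": 1, "min_numeric": 1, "min_special": 1,
    "min_tests_pass": 3,
    "upper_middle": False, "numeric_middle": True, "special_middle": True,
}

def _count(password, is_member, middle_only):
    """Count characters of one class, ignoring both ends if middle_only."""
    chars = password[1:-1] if middle_only else password
    return sum(1 for c in chars if is_member(c))

def check_password(password, cfg=TABLE1):
    """Return an empty list if the password is acceptable, else the reasons."""
    reasons = []
    if not cfg["min_length"] <= len(password) <= cfg["max_length"]:
        reasons.append("length must be %d to %d characters"
                       % (cfg["min_length"], cfg["max_length"]))
    # One test per character class: (membership predicate, middle-only flag).
    # Table 1 has no middle option for lower case, so that flag is fixed False.
    tests = {
        "lower": (str.islower, False),
        "upper": (str.isupper, cfg["upper_middle"]),
        "numeric": (str.isdigit, cfg["numeric_middle"]),
        "special": (SPECIAL.__contains__, cfg["special_middle"]),
    }
    passed = sum(1 for name, (member, middle) in tests.items()
                 if _count(password, member, middle) >= cfg["min_" + name])
    if passed < cfg["min_tests_pass"]:
        reasons.append("only %d of 4 character class tests passed, %d required"
                       % (passed, cfg["min_tests_pass"]))
    return reasons

def differs_enough(old, new, min_diff=3):
    """Assumed reading of the old/new rule: positions whose character
    changed, plus any change in length, must total at least min_diff."""
    changed = sum(1 for a, b in zip(old, new) if a != b)
    return changed + abs(len(old) - len(new)) >= min_diff

if __name__ == "__main__":
    for candidate in ("Rabbit.", "RAB1$BIT"):  # one rejected, one accepted
        print(candidate, check_password(candidate) or "ok")
```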
Crack - http://www.users.dircon.co.uk/~crypto/
Epasswd - http://www.nas.nasa.gov/~edavis/epasswd/
Npasswd - http://www.uts.cc.texas.edu/~clyde/npasswd/
Passwd+ - ftp://ftp.dartmouth.edu/put/security/
UNIX System Security by David A. Curry. Addison-Wesley Publishing Company.
UNIX System Administration Handbook by Nemeth, Snyder, Seebass, and Hein. Prentice Hall PTR.
Combinatorics by William Smoke. University of California Irvine.