Passwords

From Peyton Hall Documentation


Passwords are a form of authentication. They are something which you know - and in theory nobody else knows - that a computer can ask you to provide to prove you are who you say you are. They are usually fairly short (6-15 characters), not to be confused with a passphrase, which can be long and obnoxious (and much more secure). Although SSH logins (except for logins to minos) no longer allow the use of passwords (see here), passwords are still common for email and other services.



Why are passwords so important?

Passwords are the first line of defence against interactive attacks on your system. It can be stated simply: if a cracker cannot interact with your system(s), and he has no access to read or write the information contained in the password file, then he has almost no avenues of attack left open to break your system.

This is also why, if a cracker can at least read your password file (on a vanilla Unix, where the hashes live in a world-readable /etc/passwd, you should assume this; even where they are held in a root-only /etc/shadow or in an LDAP directory, assume that a copy can leak), it is so important that he is not able to break any of the passwords contained therein. If he can, then it is also fair to assume that he can

  1. log on to your system and can then
  2. break into "root" via an operating system hole.


Generating passwords

There is no way to generate safe passwords by rule. The key word here is generate. Once an algorithm for creating passwords is specified, based upon some systematic method, it merely becomes a matter of analyzing your algorithm in order to find every password on your system.

Unless the algorithm is very subtle, it will probably suffer from a very low period (i.e. it will soon start to repeat itself), so that either:

  1. a cracker can try out every possible output of the password generator on every user of the system, or
  2. the cracker can analyze the output of the password program, determine the algorithm being used, and apply the algorithm to other users to determine their passwords.

The only way to get a reasonable amount of variety in your passwords is to make them up. Work out some flexible method of your own which is NOT based upon:

  1. modifying any part of your name or name+initials
  2. modifying a dictionary word
  3. acronyms
  4. any systematic, well-adhered-to algorithm whatsoever

For instance, NEVER use passwords like:

  • alec7 - it's based on the user's name (& it's too short anyway)
  • tteffum - based on the user's name again (reversed)
  • gillian - girlfriend's name (in a dictionary)
  • naillig - ditto, backwards
  • PORSCHE911 - it's in a dictionary
  • 12345678 - it's in a dictionary (& people can watch you type it easily)
  • qwertyui - ...ditto...
  • abcxyz - ...ditto...
  • 0ooooooo - ...ditto...
  • Computer - just because it's capitalized doesn't make it safe
  • wombat6 - ditto for appending some random character
  • 6wombat - ditto for prepending some random character
  • merde3 - even for French words...
  • mr.spock - it's in a sci-fi dictionary
  • zeolite - it's in a geological dictionary
  • ze0lite - corrupted version of a word in a geological dictionary
  • ze0l1te - ...ditto...
  • Z30L1T3 - Trust me, the people who try to crack systems think they invented typing like this.

I hope that these examples emphasize that ANY password derived from ANY dictionary word (or personal information), modified in ANY way, constitutes a potentially guessable password.
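To make the point concrete, here is an added example (not part of the original page, and not the code of Crack or any other cracking program) of the mangling rules such a program applies before looking a candidate up: case-folding, reversal, "leet" decoding, stripping digits or punctuation stuck on either end, and splitting on punctuation. The word list is a constructed miniature stand-in for the real dictionaries, and the two leet tables and the 8-character minimum are this example's own assumptions.

```python
import re

# Constructed miniature word list standing in for the dictionaries a cracker
# feeds to Crack (English, names, French, sci-fi, geology, keyboard patterns).
# A real attack uses lists of millions of entries.
WORDLIST = {
    "gillian", "porsche", "computer", "wombat", "merde", "spock", "zeolite",
    "alec", "muffett", "12345678", "qwertyui", "abcxyz",
}

# Two "leet" decodings, because a cracker tries both common readings of '1'.
LEET_TABLES = [
    str.maketrans("0134578@$", "oieastbas"),
    str.maketrans("0134578@$", "oleastbas"),
]
MIN_LENGTH = 8  # assumed policy minimum; the page only says 6-15 is typical


def candidate_stems(password):
    """Return every string a mangling-rule attack would derive from the
    password: case-folded, leet-decoded, reversed, with leading/trailing
    digits and punctuation stripped, plus the alphabetic tokens inside it."""
    forms = {password.lower()}                               # Computer -> computer
    for table in LEET_TABLES:
        forms.add(password.lower().translate(table))         # Z30L1T3 -> zeolite
    forms |= {f[::-1] for f in forms}                        # naillig -> gillian
    forms |= {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in forms}  # wombat6 -> wombat
    tokens = set()
    for f in forms:
        # mr.spock -> spock; very short fragments are ignored as noise
        tokens.update(t for t in re.split(r"[^a-z]+", f) if len(t) >= 3)
    return {f for f in forms | tokens if f}


def weakness(password):
    """Return the reason the password is guessable, or None if no rule fires."""
    for stem in sorted(candidate_stems(password)):
        if stem in WORDLIST:
            return f"derived from dictionary entry '{stem}'"
        if len(stem) >= 4 and len(set(stem)) == 1:           # 0ooooooo
            return "repeated single character"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for pw in ["alec7", "tteffum", "naillig", "PORSCHE911", "0ooooooo",
               "mr.spock", "Z30L1T3", "Vq7#pL2xRt9!"]:
        print(f"{pw:14} {weakness(pw) or 'no rule fired'}")
```

Every example in the list above trips at least one rule, and none of the rules is clever; a real cracker ships hundreds of them and a dictionary of millions of words, so passing this toy check is necessary, not sufficient.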


How many possible passwords are there?

Most people ask this at one time or another, worried that programs like Crack will eventually grow in power until they can do a completely exhaustive search of all possible passwords, to break into an account.

If (to simplify the maths) we make the assumptions that:

  1. Valid passwords are created from a set of 62 chars [A-Za-z0-9]
  2. Valid passwords are to be between 5 and 8 chars long

Then the size of the set of all valid passwords is: (in base 62)

   100000 +
  1000000 +
 10000000 +
100000000 =
---------
111100000 (base 62)

A figure (roughly 2.2 x 10^14 in decimal) which was far too large to search exhaustively with the technology of the day. Be aware, though, that against a fast, unsalted hash a modern GPU cracker making billions of guesses per second can cover a space of that size in hours, so the margin today comes from a larger character set and, better still, from length. Don't forget that passwords CAN be made up with even more characters than this; you can use all the punctuation characters and symbols (~<>|\#$%^&*) too. If you draw on all 95 printable ASCII characters, the search space a cracker has to cover grows further still.

However, it's still MUCH more efficient for a cracker to get a copy of "Crack", break into ANY account on the system (you only need one), log onto the machine, and spoof his way up to root privileges via operating systems holes.
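The arithmetic above, carried through as an added example (not code from the original page): it computes the base-62 figure and its decimal value, shows what the 95-character set, a longer fixed length, or a multi-word passphrase does to the search space, and estimates worst-case exhaustive-search time at two guess rates. The guess rates are illustrative assumptions, not measurements, as is the 7776-word passphrase list.

```python
import string

DIGITS = string.digits + string.ascii_lowercase + string.ascii_uppercase  # 62 symbols

# Assumed, illustrative guess rates (guesses per second), not measurements:
# one modern GPU against a fast unsalted hash, versus a deliberately slow,
# salted password hash such as bcrypt.
GUESS_RATES = {
    "fast unsalted hash on one GPU": 10_000_000_000,
    "slow salted hash": 100_000,
}


def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct passwords of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def to_base(n, base):
    """Render n in the given base (2..62) using 0-9, a-z, A-Z as digits,
    so the page's '111100000 (base 62)' can be reproduced exactly."""
    if not 2 <= base <= len(DIGITS):
        raise ValueError("base out of range")
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, base)
        out.append(DIGITS[r])
    return "".join(reversed(out))


def worst_case_seconds(space, guesses_per_second):
    """Time to try every password in the space at a given guess rate."""
    return space / guesses_per_second


def report():
    """Compare the page's 62-character, 5-8 length space with alternatives."""
    cases = {
        "[A-Za-z0-9], 5-8 chars (the page's figure)": keyspace(62, 5, 8),
        "95 printable ASCII, 5-8 chars": keyspace(95, 5, 8),
        "95 printable ASCII, exactly 12 chars": keyspace(95, 12, 12),
        "5 words from a 7776-word list (passphrase)": 7776 ** 5,
    }
    lines = []
    for label, space in cases.items():
        lines.append(f"{label}: {space:.3g} passwords")
        for rate_label, rate in GUESS_RATES.items():
            days = worst_case_seconds(space, rate) / 86400
            lines.append(f"    {rate_label}: {days:.3g} days to exhaust")
    return lines


if __name__ == "__main__":
    n = keyspace(62, 5, 8)
    print(f"base 62: {to_base(n, 62)}  decimal: {n:,}")
    print("\n".join(report()))
```

The exponent dominates everything else: adding four characters to the length buys far more than widening the alphabet, and a slow salted hash on the server side buys five orders of magnitude against the same guessing hardware.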


How do I change my password?

You can use the command 'passwd' to change your password on the network, which will affect your login for all machines as well as email. Changing your password will look like so:

  coma:~$ passwd
  Changing password for user [username].
  Enter login(LDAP) password:
  New UNIX password:
  Retype new UNIX password:
  LDAP password information changed for user [username]
  passwd: all authentication tokens updated successfully.

Mac OS X Users

It's important to note that if you're using a Peyton-administered Mac desktop, changing your LDAP password does not update your Keychain password. This means that any passwords you have saved (such as in Safari and Mail.app) will require your *old* password to be accessed. To bring the Keychain password into sync, do the following:

  • Open Applications -> Utilities -> Keychain Access
  • Under Keychains on the left-hand side single-click "login"
  • Go to the Edit Menu and select Change Password for Keychain "login"
    You will be prompted for your current (old) password, and then will be prompted for a new password. It is recommended that you make this the same as your login password. This will unlock the Keychain at login (the default behavior for OSX). It's also recommended because if you forget your Keychain password, the data on your Keychain is unrecoverable.


Password warnings

Our authentication system will require that you change your password every so often (not so often that it gets annoying, but often enough that it also ensures that accounts that are "active" are really being used). When you go to login to a machine, you may see a message such as:

Warning: Your password will expire in 7 days.
Your LDAP password will expire in 7 days.

These messages mean that you MUST change your password before the number reaches zero. At that point you will no longer be able to log in. Some machines will allow you to change your password on the spot; however, you should not rely on that behavior and should instead change the password as soon as possible.

Since not everyone logs in all the time, we've also set up a mail warning system. Around 30 days before your password will expire, you will receive an email letting you know that you need to log in and change it. Since similar emails have floated around recently which are actually spam or viruses, the text of the email that we send is included here. Note that, either way, we do not ask you to go to a website or to email anyone your password, but instead to log in and change it yourself with passwd; a request that can only be satisfied by logging in cannot be exploited by a phisher, virus or spammer. If you see the following email, don't just throw it away! Instead, log in and change your password before it expires, causing you to be unable to access your account.

From: Automated Password Expiration System <help@astro>
To: ${U}@astro
Date: `date`
Subject: Password expiration reminder

--- This is an automated message ---

Your password will expire in 30 days.  This is a routine occasion where you
should change your password so that your account remains secure.  Even if
you've chosen a very secure password, there are ways that it could be
compromised, and by changing it every so often you reduce the risk of someone
gaining access to your account, your files, and the network systems in general
- once someone breaks into your account, it's usually trivial to gain root
access and do serious damage to things which requires a long downtime to fix
and many lost hours of productivity!

If you don't change your password now, then in a few days you'll start to see
messages that look like the following when you login:

 Warning: your password will expire in 7 days
 Your LDAP password will expire in 7 days.

The number will decrement until it hits zero, however you MUST change your
password before then!  If you do not, then your account will be locked out,
and you will have to request a password change from the systems administrators
which could take some time before your request is received and processed.  To
save time, you can change your password yourself with the 'passwd' command
from any of the Linux machines, which will look like this:

 coma:~$ passwd
 Changing password for user ${U}.
 Enter login(LDAP) password:
 New UNIX password:
 Retype new UNIX password:
 LDAP password information changed for ${U}
 passwd: all authentication tokens updated successfully.

Please do this as soon as possible!  If you have trouble, you can reply to
this message to generate a trouble ticket, explain the problem you're having
(please include any error messages, and which machine(s) you used to try to
change your password) and someone will get back to you.

Thanks!

Please note that in addition to checking the text of the message above, you can check the validity of it using GPG to look at the message's digital signature. Information about the GPG key used to sign these messages is here: Authenticating emails


When does my password expire?

If you'd like to see when your password expires, you can run "passexpire" from departmental Linux and Mac computers and get helpful output like:

Joe User's password shall expire Sunday, the 31st of December, 2006

If that date is soon, please change your password using the above instructions.


What if my password expires?

If you ignore the warnings to change your password, it will expire on schedule. From then on you will not be able to log in or check email, and some of the hosts in the building will reject your login outright because your password needs to be changed and they cannot change it for you. Newer hosts, however, will present you with a prompt to change your password right away, so you can still log in even though your password has expired. Any host running Fedora Core 3 or newer (such as cygnus, armstrong, minos) will let you log in and change your password immediately.
