password aging (from worm discussion)


Chris Torek (chris@gyre.umd.edu)
Mon, 7 Nov 88 02:15:13 EST


Be *very* careful how you implement password aging. If it is done
improperly, it weakens security instead of strengthening it. For
instance, if the system demands that you replace your password once
every two weeks, and demands that you replace it immediately upon
logging in, users are likely to use `easy' passwords and/or write them
down, since they must remember them only for a short while and since
they have little time to think of a new one.

At any rate, we intend to implement shadow password files here (at U of
MD CSD) if Berkeley does not get to it first. The way the worm breaks
Unix passwords is by efficiently implementing the Unix `salted' DES
encryption (possibly the worm's author simply used Bob Baldwin's code),
and doing forward encryption on each of the passwords from its
dictionary lists for each account. If the encrypted passwords are not
readable except from privileged accounts, this method is not available;
the program must instead go through standard accessways such as the
`login' program, which were long ago instrumented to be able to log
apparent breakin attempts. (Of course, all of this assumes that one is
unable to exploit some existing bug that gives privileged access. It
also assumes that your Unix vendor has at least kept up with Berkeley's
security improvements since 4.2BSD.)

We already enforce `hard to guess' passwords---dictionary checking is
in 4.3BSD-tahoe, and we had been using similar checking earlier---and,
by some stroke of luck, we had modified the finger daemon, and had a
piggish sendmail: the worm gave it a mere 20 seconds to establish
connections, and we no doubt timed out. At any rate, the worm never
got established on any UMD CSD machine (though other departments were
affected); but the potential was there, and that is rather
frightening. The possibility of an efficient brute-force attack on
other users' accounts, given an unprivileged account (as the finger bug
did), is much more so. Shadow password files suddenly look quite
attractive. . . .

Chris
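The message above mentions two defensive measures: keeping the hashes out of an attacker's reach (shadow files) and refusing `hard to guess' passwords at the time they are set, so that the dictionary lists a worm carries find nothing. The following is an added example, not Chris Torek's code and not the 4.3BSD-tahoe passwd check; it shows what such a set-time check looks like. It assumes a constructed ten-word stand-in for /usr/share/dict/words, a minimum length of 8, and a small table of digit-for-letter substitutions (all three are this example's choices, not anything from the original post).

```python
"""Password-quality check of the kind applied when a password is set.

Added example (not Chris Torek's or BSD's code). The idea is to try the
same cheap transformations a dictionary attack would try, and reject the
password if any of them lands on a dictionary word or the account name.
"""
import string

# Constructed stand-in for /usr/share/dict/words; a real check would load
# the whole file (assumption made to keep the example self-contained).
DICTIONARY = frozenset({
    "password", "secret", "welcome", "dragon", "letmein", "sunshine",
    "computer", "berkeley", "maryland", "terrapin",
})

MIN_LENGTH = 8  # assumed policy value

# Common digit/symbol-for-letter substitutions people use to dress up a word.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_forms(password):
    """Return the variants of a password that a dictionary run would try:
    lower-cased, reversed, with substitutions undone, and with any
    leading/trailing digits or punctuation stripped ("dragon99", "!secret")."""
    base = password.lower()
    stripped = base.strip(string.digits + string.punctuation)
    forms = {
        base, base[::-1], base.translate(_LEET),
        stripped, stripped[::-1], stripped.translate(_LEET),
    }
    return {f for f in forms if f}


def check_password(username, password, dictionary=DICTIONARY):
    """Return the list of reasons the password is unacceptable.

    An empty list means the password passed every check."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    forms = candidate_forms(password)
    uname = username.lower()
    # The worm's per-account lists started from the account name itself.
    if uname in forms or uname[::-1] in forms or \
            (len(uname) >= 3 and any(uname in f for f in forms)):
        reasons.append("derived from the account name")

    if forms & dictionary:
        reasons.append("dictionary word (possibly disguised)")

    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))
    if classes < 2:
        reasons.append("uses only one class of characters")
    return reasons


if __name__ == "__main__":
    for user, pw in [("alice", "password1"), ("carol", "Dr4gon99"),
                     ("alice", "ecila"), ("bob", "Tr0ub4dor&3x9q")]:
        verdict = check_password(user, pw)
        print(f"{user:6} {pw!r:18} -> {'ok' if not verdict else '; '.join(verdict)}")
```

The check deliberately tests the transformed forms rather than the raw string: "Dr4gon99" is rejected because undoing the substitution and stripping the trailing digits yields "dragon", which is exactly the path a cracking dictionary would take. A real deployment would load the full system word list and, as the message warns, pair the check with a sane aging policy so users are not pushed toward writing passwords down.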



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:44:29 GMT