Robichaux on Security - February 2000

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Passwords=bad

I'm going to let you in on a secret that's little discussed outside the security world: reusable passwords are evil. This might seem like an extreme position, but I can back it up. Think about these three drawbacks and then consider whether you still disagree:

  1. Since reusable passwords are designed to be reused, they have to remain valid for some period of time. This means that they're vulnerable to being cracked or stolen for their entire validity period, which is often longer than it should be anyway.

  2. Password strength policies put administrators in an untenable position: if you don't use a good strength policy, your users will pick passwords that are easy for tools like l0phtcrack (http://www.l0pht.com/) to crack. If you do pick a strong policy, users will complain that their passwords are too hard to remember, and they'll write them on little yellow sticky notes on their monitor bezels.

  3. The proliferation of passwords for services like Hotmail (http://www.hotmail.com/) and eBay (http://www.ebay.com/), not to mention actual work-related network resources on your intranet or extranet, means that users have to choose between recycling the same password in multiple places (leading to potential compromises) or trying to remember a myriad of different passwords (leading to failed logons and extreme aggravation).

I'm not much into tilting at windmills, and I realize that in many networks (and circumstances) we're stuck with reusable passwords. However, there are a number of better solutions, and since Windows 2000 implements these (and since it's going to be out in a few days after I write this), you should know what those solutions are and how you can take advantage of them.

Two factors are better than one

There's an old chestnut about authentication: it's based on something you have, something you know, or something you are. When you think about password-based systems, it's easy to realize they depend on one thing: the password itself. Anyone who knows, guesses, or steals your password can impersonate you. Authentication systems that depend on one item are called one-factor systems, and they're inferior (duh!) to two-factor systems. For example, your ATM card uses a simplistic form of two-factor authentication, because you must have the card (something you have) and know the PIN (something you know) to use it.

Building the perfect beast

If reusable passwords are bad, then what could be better? Ideally, we'd like some kind of credential that's hard to forge, hard to steal, easy to recognize, and easy to use. Of course, we want a solution that solves all three problems listed above. Naturally, it would be nice if the solution was either free or very inexpensive, since most admins would rather spend money on other things than security software. Let's examine some of the current solutions and see how they stack up against these daunting requirements:

  • One-time password systems require you to use a new password each time you log on. By using a predefined algorithm, combined with a secret known only to you and the server, you can run a calculator-like program that generates the next password each time you log on. S/Key (http://madhaus.cns.utoronto.ca/links/ftp/pub/Skey/) is probably the best-known example of a one-time password system. One-time password systems are quite difficult to use, which is why they are not widely used. In practice, smart cards are a more secure solution, and have other uses as well.

  • Smartcards are credit-card sized computers that can handle specialized cryptographic processing and store a limited amount (usually less than 64Kb) of data. They provide two-factor authentication by using a PIN in combination with the physical card, and they provide particularly nice functionality since they can store public key certificates (http://www.microsoft.com/technet/archive/windows2000serv/evaluate/featfunc/pkiintro.mspx) and use them for logon and access control. American Express' recent "Blue" card (http://home4.americanexpress.com/blue/splash.asp?38/86/b/1) is actually a smartcard.

  • Token-based systems like RSA Security's SecurID (http://www.rsasecurity.com/) system combine a physical token (either a custom token, a smartcard, or a Palm Pilot) with a one-time password. Token-based systems are supported in Windows 2000. To log on using a SecurID token, you put in a user name and the logon server gives you a challenge, which you punch into the token. The token then calculates a time-based password (using the challenge as input), which you pass back to the server. Token systems have the advantage of being secure and providing two-factor authentication, but they can be expensive.

  • Biometric systems use a hard-to-fake biological feature (like the geometry of your right hand, the pattern of blood vessels in your retina, or the appearance of the iris of your eye) as the authentication factor. Sometimes these systems are coupled with a PIN; other times, not. A number of vendors sell inexpensive parallel, serial, or USB devices that read fingerprints, retinal patterns, and the like. As of right now, though, most of these devices are used for physical access control (e.g. who can go through a particular door), not for logon control.
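The one-time password idea from the list above, as an added example that is not part of the original column: a Lamport-style hash chain, the construction S/Key is built on. SHA-256 stands in for S/Key's own hash and word encoding, and the names `chain` and `OtpServer` and the sample secret and seed are constructed for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for S/Key's own hash function.
    return hashlib.sha256(data).digest()

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Client 'calculator': hash seed+secret n times."""
    value = seed + secret
    for _ in range(n):
        value = h(value)
    return value

class OtpServer:
    """Holds only the last accepted value, never the user's secret."""
    def __init__(self, seed: bytes, count: int, initial: bytes):
        self.seed, self.count, self.stored = seed, count, initial

    def challenge(self):
        # Tell the client which chain position to compute for this logon.
        return self.seed, self.count - 1

    def verify(self, otp: bytes) -> bool:
        if self.count <= 1:
            return False  # position 0 would be the raw secret: re-enroll instead
        if not hmac.compare_digest(h(otp), self.stored):
            return False  # wrong or already-used password
        self.stored, self.count = otp, self.count - 1
        return True

def demo():
    # Constructed sample values, not taken from the column.
    secret, seed, n = b"constructed pass phrase", b"ke1234", 5
    server = OtpServer(seed, n, chain(secret, seed, n))  # enrollment
    results = []
    s, i = server.challenge()
    otp = chain(secret, s, i)
    results.append(server.verify(otp))   # first logon
    results.append(server.verify(otp))   # replay of a captured password
    s, i = server.challenge()
    results.append(server.verify(chain(secret, s, i)))  # next logon
    return results

if __name__ == "__main__":
    print(demo())
```

Because each accepted value replaces the stored one, a password captured in transit is useless for the next logon, and the server never holds anything that can be replayed.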

So what?

Token systems are secure enough to be used in environments like the White House and some impressively large companies. However, they're expensive to acquire and maintain, and most of these solutions require some upheaval on your network, including installation of special logon servers. If money is no object, this would be my pick hands-down.

I also happen to like biometric identification, since it's hard to leave your iris in your other pair of pants (like I recently did with a smartcard). As an added plus, biometrics have that whole James Bond vibe. It can be an expensive solution, since biometric authenticators cost between $50 and $250 each, but the cost is rapidly coming down and the quality of the authenticators is constantly improving. Not to mention the fact that a fingerprint or iris pattern is in essence a very long password that can't be hidden or changed.

For practical use, though, smartcards are hard to beat. They're fairly inexpensive; they offer strong security thanks to their onboard cryptographic processors; and, because they can store public key certificates and their associated private keys, they give you a portable way to tote your digital credentials with you wherever you go. Windows 2000 supports smartcards (http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/smtcard.mspx) for logon along with other uses, so you can log on to a machine just by popping in your card and typing in a PIN. Smartcards can do a lot more, though; next month's column will be dedicated to a more thorough exploration of how smartcards work and how you can make them work for you in Windows 2000.

Paul Robichaux is the principal of Robichaux & Associates, Inc., which provides programming, technical communications, and security services to customers ranging in size from local auto dealerships to Microsoft. He's glad to have his latest book (Managing Microsoft Exchange Server http://www.robichaux.net from O'Reilly & Associates) on the shelves so he can spend more time with his family. He welcomes reader questions at security@robichaux.net.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.