<HTML><HEAD><TITLE>Chapter 18 -- How Passwords and Authentication Systems Work</TITLE><META></HEAD>
<BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#0000EE" VLINK="#551A8B" ALINK="#CE2910">
<H1><FONT SIZE=6 COLOR=#FF0000>Chapter 18</FONT></H1>
<H1><FONT SIZE=6 COLOR=#FF0000>How Passwords and Authentication Systems Work</FONT></H1>
<HR>
<P><CENTER><B><FONT SIZE=5><A NAME="CONTENTS">CONTENTS</A></FONT></B></CENTER>
<UL>
<LI><A HREF="#HowPasswordsWork">How Passwords Work</A>
<UL>
<LI><A HREF="#PasswordAuthenticationProtocol">Password Authentication Protocol</A>
<LI><A HREF="#ChallengeHandshakeAuthenticationProtocol">Challenge Handshake Authentication Protocol</A>
</UL>
<LI><A HREF="#HowAdditionalAuthenticationSystemsWork">How Additional Authentication Systems Work</A>
</UL>
<HR>
<P>What's the most effective way to gain unauthorized access to an intranet? If you guessed high-tech wizardry, programming beyond the mere ken of mortals, or some kind of mastery of and insight into the innermost workings of TCP/IP, you would be wrong. Most attacks occur because an unauthorized person has managed to discover an authorized person's user name and password. One cumbersome way to address this problem is to require that users log in through a firewall with one password, and then require additional, different passwords to access various resources. However, making it hard for users to use passwords is counterproductive and leads to increased vulnerability. The passwords of systems administrators or superusers require special care, since if these passwords were compromised, the intruder would have full access to an intranet and all its corporate riches.
<P>New servers often come with standard default passwords. However, it is really the fault of the systems administrators who fail to change the defaults. Similarly, care must be taken when technicians require root access or load custom utilities to carry out necessary technical work. Sometimes the default passwords are changed, and you think you are safe, but at some point during a disaster recovery process old users and/or passwords are loaded back in place.
<P>Passwords can be discovered through brute force. Programs can be written (or bought) that generate thousands of passwords. This is often referred to as a "dictionary" password checker program. Administrators can purchase such programs to help find weak passwords, and can customize them to include additional terms. Brute force is more effective when passwords are short, so systems administrators may require certain minimum lengths for passwords and password phrases.
<P>Unauthorized access is an internal as well as external threat. No one would intentionally allow all internal users access to their company's financial system, such as a check-writing program, even though as employees they would be authorized users for other parts of the intranet. Secure passwords are probably more critical for protection from internal threats than external threats. Insiders already have access to the names of fellow employees and their departments, and would know the conventions of the user name format.
<P>In an effort to use passwords they can remember, people create passwords that can be fairly easily guessed. Many people, for example, use passwords made up of some combination of their first and last names or their initials. Other popular passwords include the names of children, birth dates or anniversary dates, license numbers of cars, and other familiar things. Again, internal threats are the greater risk because of insider familiarity with colleagues' habits and physical access to cubicles (where the poster of the cobra is so prominently displayed).
<P>Social engineering is another technique that can easily break the security of passwords. A remote access caller who contacts the help desk late at night with a tale of woe about "a big report due the next morning and I can't get in under my usual password, and so please just change it to something to get me in for this emergency" is using social engineering to crack the security of the password system. People don't want to mistrust their colleagues and are reluctant to sound paranoid or foolish by refusing access to co-workers. Workers also often need to give others access to something that would normally be off-limits, while they are on vacation, for example. In such cases intruders don't have to guess passwords; they are told them. The real problems from this can come later, when authorized users fail to change their password upon returning from vacation or when, unknown to them, a third party has been told the password for some purpose while they were gone.
<P>Most systems require that passwords be changed periodically so that even if passwords are discovered or given out, there is only a limited window of vulnerability. People, of course, might (and often do) try to circumvent this by changing their password and then changing it right back again. However, this can be prevented by systems requiring that when users change their passwords they must choose a password that they have not used before.
<P>The logical extension of this "never before used" password requirement is the single-use password. There are several methods of generating these passwords, including software and hardware methods. The software method still requires a truly secret password, but it is used to generate a number of one-time variations that are used without encryption. The software method is still fundamentally a "something you know" type of protection. Hardware solutions add a "something you have" component, a physical device that generates single-use passwords. Smart cards are a hardware solution. They are credit card-sized devices that work with special readers to respond to authorization requests.
<P>Authentication systems work with password systems to make sure the users are who they say they are. Depending on the kind of password system used in authentication systems, the password files containing the master list of all passwords on an intranet can be plain text or encrypted.
<P>In one system called the Password Authentication Protocol (PAP), the password file is encrypted. When someone logs onto the intranet, a server asks them for their user name and password. The user's response is not encrypted at the workstation and so goes over the wire in clear text. When the server receives the password from the user, it encrypts it using the same encryption scheme that was used to encrypt the password in the password file. The server then compares the two encrypted passwords. If they match, it knows to let the person in.
<P>While the password file itself is particularly secure since it's encrypted, the PAP system is vulnerable in another way. Since the password isn't encrypted until the server encrypts it, this method is vulnerable to packet sniffing attacks. Packet sniffing is a form of eavesdropping on the traffic over the wire. Since the passwords travel in clear text, someone capturing traffic could steal all passwords transmitted across the intranet. Even encrypted passwords traveling over the wire are vulnerable to eavesdropping: they can be captured and replayed, convincing the server that the replayer is an authorized user. This is another reason why single-use passwords provide more security.
<P>The Challenge Handshake Authentication Protocol (CHAP), <I>a challenge-response</I> system, does not completely eliminate sending clear text over
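The two server-side checks described above, as an added Python example that is not part of the chapter: a PAP-style comparison against a one-way-transformed password file (the chapter's "encrypted" file, a salted hash in today's terms), and a simplified CHAP-like challenge-response in which a captured answer is rejected when replayed against a fresh challenge. The salted SHA-256 store, the HMAC response construction and the sample accounts are illustrative assumptions, not the exact formula of the CHAP standard.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample accounts for the demo; a real server never keeps these.
ACCOUNTS = {"alice": "correct horse", "bob": "tr0ub4dor"}

def hash_password(salt: bytes, password: str) -> bytes:
    """Stored one-way transform (the chapter's 'encrypted' entry); salted SHA-256 here, a slow KDF in production."""
    return hashlib.sha256(salt + password.encode()).digest()

def make_password_file(plain_accounts: dict) -> dict:
    """Build {user: (salt, digest)}; the plain passwords are not retained."""
    password_file = {}
    for user, password in plain_accounts.items():
        salt = os.urandom(16)
        password_file[user] = (salt, hash_password(salt, password))
    return password_file

def pap_verify(password_file: dict, user: str, wire_password: str) -> bool:
    """PAP-style login: the clear-text password reaches the server, which re-applies the stored transform."""
    if user not in password_file:
        return False
    salt, stored = password_file[user]
    return hmac.compare_digest(stored, hash_password(salt, wire_password))

def chap_challenge(password_file: dict, user: str) -> tuple:
    """Server side of a CHAP-like exchange: the user's salt plus a fresh random challenge."""
    salt, _ = password_file[user]
    return salt, secrets.token_bytes(16)

def chap_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side: HMAC over the challenge keyed by the password digest (illustrative, not RFC CHAP)."""
    return hmac.new(hash_password(salt, password), challenge, hashlib.sha256).digest()

def chap_verify(password_file: dict, user: str, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected answer from the stored digest alone; the password never crossed the wire."""
    if user not in password_file:
        return False
    _, stored = password_file[user]
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def replay_captured_response(password_file: dict, user: str) -> bool:
    """The chapter's eavesdropper: capture one valid answer, replay it against the next challenge."""
    salt, first_challenge = chap_challenge(password_file, user)
    captured = chap_response(ACCOUNTS[user], salt, first_challenge)
    _, next_challenge = chap_challenge(password_file, user)
    return chap_verify(password_file, user, next_challenge, captured)
```

Note that the PAP check accepts a replayed clear-text password just as it accepts the original, since the two are indistinguishable to the server, whereas the challenge-response check rejects the replay because every login gets a new challenge.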