Project Aim:

Password management is an important aspect of computer security. Passwords are the front line of protection for user terminals and are by far the most common user authentication method within the largest multinational organizations. A poorly chosen password increases the probability that an information system will be compromised. As such, all employees of an organization are responsible for taking the appropriate steps to select passwords that satisfy good password security policies. Does that happen in reality? No, and that is why software password generators are used to handle password management problems, to enforce the password management policies requested by the organization in order to comply with national standards, and to take over the problem of selecting strong passwords. So the aim of this project is to analyze and test a standard password generator system and to propose a technique that helps people remember strong passwords easily.

Project Objectives:

According to the above facts, the objectives that must be undertaken and thoroughly researched in this Bachelor project report are the following:

Ø Identify the importance of passwords, with regard to the advantages and disadvantages of their daily use in home and corporate environments.

Ø Identify the weaknesses that arise from poorly chosen passwords and describe the modern attack techniques used against such passwords. In addition, propose possible countermeasures to address and eliminate these attacks.

Ø Examine the characteristics of an effective password policy which can be applied in a corporate environment in order to establish and manage the appropriate defenses against the dangers posed by insecure password systems.

Ø Conduct a critical analysis of the different techniques used to help users remember strong passwords easily.

Ø Propose a mnemonic system which is based on users’ favorite passphrases.

Ø Analyze the operating principles of the Password Mnemonic System (PA.ME.SYS) and the processes that it enforces in order to produce “safe passwords”.

Ø Test this password generator system (PA.ME.SYS) for the strength of all passwords it generates.

In order to achieve the above purposes of this project, a series of logical steps was taken:

In order to achieve the first and second objectives of this project, a survey was conducted on the Internet, in books and in the Web application design 1 and Web application design 2 lecture notes. This survey was concerned with the importance of passwords in an organization’s security framework, the reasons they are widely used in today’s businesses and the catastrophic consequences of exposing insecure passwords to unauthorized people. Another survey of books and the Internet was necessary to identify the weaknesses that arise from poorly chosen passwords, the attacks mounted by modern attackers to gain unauthorized access to users’ passwords, and the possible defense mechanisms used to address and eliminate such attacks.

For the third objective of this report, a survey was conducted on the Internet and in books. The aim of this survey was to find and understand different password policies which can be applied within an organization’s global security policy to establish and manage the defenses used to eliminate the dangers posed by insecure passwords. A university password policy was analyzed for the rules it applies in order to define the secure creation and storage of strong passwords. In addition, the relationship between users and password policies was examined, together with the risks that businesses face due to the implementation of inadequate password policies.

For the fourth objective, which defines the added value of this project report, it was important to search the Internet for the different techniques used to help users remember strong passwords easily. These techniques were analyzed for the way they operate and the disadvantages they have.

For the fifth objective, it was important to propose a mnemonic system which is based on users’ favorite passphrases. The proposal of this mnemonic system was based on our research into the different mnemonic techniques described in the previous chapter.

For the sixth and seventh objectives, which also define the added value of this project report, the task was to analyze and test the proposed Password Mnemonic System (PA.ME.SYS). After the end of the survey, a mnemonic system based on users’ favorite passphrases was developed and implemented. For the development analysis and design, data flow diagrams were used to clearly show the processes and data that make up the system. For the implementation and testing, the Visual Basic language was used, which shows in a graphical environment how this mnemonic system works.

1. Introduction to Authentication and “Something you know”

1.1 Identification and Authentication Techniques

Controlling access to system resources is an important aspect of computer security. Access control is about managing which users can access which files or services in an organization’s computer system. All entities involved with receiving, accessing, altering or storing information in a computer system are separated into active and passive ones. The term “active entities” is used to describe all subjects (users, processes, threads) that access, receive or alter information in a system. The term “passive entities” is used to describe all objects (files, databases) that actually hold or store the information accessed by subjects. Without access control mechanisms it is not possible to protect the confidentiality, integrity and availability (CIA triad) of system resources.

Access control is used to force users to provide a valid username and password in order to gain access to a system resource. The two vital components of access control are the identification and authentication processes.

In the identification process, the user is obligated to present an identity to a computer system. The information provided by the user trying to log on could be a username, or the user could simply present his/her hand or face to a scanning device. This action triggers the start of the authentication, authorization and accountability processes.

Today, authentication processes are usually classified according to the distinguishing characteristic they use. These characteristics are classified in terms of the three factors described in the following section. Each factor relies on a different kind of distinguishing characteristic used each time to authenticate people in a system.

1.2 Authentication Factors

In a typical system, there are basically three ways for human users to authenticate themselves to a client such as a computer, a mobile phone, a network or an ATM. These three authentication factors are the following.

Ø Anything you know: a password

The distinguishing characteristic is private information that only authorized people know. In modern computer systems, this characteristic might be a password, a Personal Identification Number (PIN), a lock combination or a passphrase. It is the lowest-cost and most popular factor, and it can easily be employed in any modern system to authenticate authorized users within the organization. Passwords are simpler and cheaper than other, more secure forms of authentication, and they do not require large amounts of money to be spent on their implementation compared with other, more modern security mechanisms.

Additionally, users do not have to spend time and effort learning how to use them. Passwords are the only user-friendly way to identify a user in a network or computer system, and it is believed that they can provide the same level of strong security as a more modern security mechanism. However, the usage of passwords as an authentication technique presents some disadvantages that are directly connected to the way users manage these passwords. More specifically, there are disadvantages that need to be taken into consideration, such as the need to create “complex and strong” passwords, the obligation to change passwords frequently, and the instructions and guidelines on how to keep passwords secret.

Ø Anything you have: a token

The distinguishing characteristic is that authorized people own and present a specific item to be authenticated. This characteristic is enclosed in a token device such as a magnetic card, smart card, a memory card or a password calculator.

Ø Anything you are: a biometric

The distinguishing characteristic is some physiological feature (static) that is always present in a person, or a certain behavior pattern (dynamic) that is unique to the person being authenticated, and is measured and recorded once in the enrollment process. When the same person requires access entry the biometric identifier compares the current characteristic provided by the user with the previously collected pattern from the original authentic person. This characteristic could be a voice print, fingerprints, face shape, written signature, iris/retina pattern or hand geometry. 

2. Attacks on Passwords

2.1 Introduction

Passwords are a very important aspect of computer security. They are the front line of protection for user terminals and by far the most common user authentication method within the largest multinational organizations.

However, the usage of passwords as an authentication technique increases the probability that an information system will be compromised. That happens because passwords are directly connected to the way users create, remember, store and distribute them. In fact passwords are the weakest element in the security chain of an organization’s network system and are susceptible to different types of attacks. The next section presents the weaknesses of users’ passwords and the modern attack techniques performed by malicious attackers to gain unauthorized access.

2.2 Attacks on Passwords

Easily Guessed Passwords:

The first weakness lies in the composition of the password itself. Most attackers rely on the fact that most people do a bad job of creating passwords and keeping them secret. Most passwords that people select are based on the following:

  1. Favorite football player and actor names.
  2. Simple strings, such as passwords consisting of the same character (e.g. 11111).
  3. Job titles and nicknames.
  4. Important numbers, such as insurance numbers, home addresses, telephone numbers, credit card numbers, driver’s license numbers, birthdays, or vehicle tags.
  5. Favorite words found in dictionaries.
  6. Children’s, family or relatives’ names.

The most common attack on passwords is the one where malicious hackers exploit human nature and try to guess what passwords people select. In this case, hackers build a list of all information related to the victim and make attempts to log on, hoping to find the victim’s password quickly.

Brute-force Attacks:

In cryptography, a brute force attack or exhaustive key search is the strategy that can in theory be used against any encrypted data by an attacker who is unable to take advantage of any weakness in an encryption system that would otherwise make his task easier. It involves systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

The key length used in the encryption determines the practical feasibility of performing a brute force attack, with longer keys exponentially more difficult to crack than shorter ones.

A brute force attack can be made less effective by obfuscating the data to be encoded, something that makes it more difficult for an attacker to recognize when he has cracked the code. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute force attack against it.

A consequence of this attack is that the targeted users cannot use the network resources and must wait until the system administrator resets or unlocks their locked account. It is obvious that this kind of attack causes confusion and big delays to users’ critical job tasks.
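The search-space argument above (key length makes exhaustive search exponentially harder) can be made concrete with a small estimator. The following Python code is an added example written for this edit; it is not code from the report or from PA.ME.SYS. The character classes, the assumed guess rate and the sample passwords are all assumptions; the estimate treats the attacker as knowing only which character classes were used, so it is an upper bound on the work, not a measure of how quickly a dictionary attack would find the same string.

```python
import math
import string

# Character classes an exhaustive search has to enumerate, with their sizes.
# The symbol class here is ASCII punctuation plus space; this is an assumption
# for the estimate, not a figure taken from the report.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password draws from.
    An attacker who knows only which classes were used must enumerate
    at least this alphabet."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidate strings of the same length over that alphabet,
    i.e. the worst-case number of guesses for an exhaustive search."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """The search space expressed in bits; each extra character adds
    log2(alphabet) bits, which is the exponential effect of length."""
    return math.log2(search_space(password))


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to traverse the entire search space at a given guess rate.
    The rate is a parameter because it depends on the hash and the hardware."""
    return search_space(password) / guesses_per_second


def compare(passwords, guesses_per_second=1e10):
    """Tabulate the estimate for several sample passwords:
    (password, length, alphabet, bits, worst-case seconds)."""
    return [(p, len(p), alphabet_size(p), round(entropy_bits(p), 1),
             worst_case_seconds(p, guesses_per_second)) for p in passwords]


if __name__ == "__main__":
    # Constructed samples: same-character string, dictionary word,
    # word plus digit, and a longer mixed-class string. The guess rate
    # of 1e10/s is an assumed figure for a fast unsalted hash.
    for row in compare(["11111", "secret", "Secret7", "Xq7!mZp2#Lw9vB"]):
        print(row)
```

Run stand-alone it prints one row per sample; the jump from "secret" (26 letters, 6 characters) to the 14-character mixed string shows why the policies in chapter 3 insist on both length and character classes.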

Dictionary Attacks:

In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities (Shape 1.1).

Shape 1.1 Dictionary attack

A dictionary attack uses a targeted technique of successively trying all the words in an exhaustive list called a dictionary. In contrast with a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary (hence the phrase dictionary attack), a bible, etc. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), single words found in dictionaries, or simple, easily predicted variations on words, such as appending a digit.

Social Engineering Attacks:

Another weakness lies in the fact that people are not capable of remembering their passwords and keeping them secret. In computer security, social engineering is described as a non-technical intrusion that is based on the psychological characteristics of human nature. It is the art of persuading people to reveal vital secrets or to perform actions that comply with the hacker’s wishes (Shape 1.2). Social engineering can be conducted in several forms:

  1. Reverse Engineering: In this method, a legitimate user is induced into asking an attacker questions in order to obtain information. The attacker poses as a person of higher authority and tries to deduce the needed information from the questions asked by the user.
  2. E-m@il: This mode of social engineering involves sending an e-mail to a user asking for confidential information. The e-mail is meant to trigger an emotional response from the user. It makes the user unwittingly participate in the hacking by disclosing the confidential information.
  3. Webpages: False webpages that require users to enter e-mail addresses and passwords are created by attackers. Hackers hope that users will enter the same passwords at the false websites as they use at their organization’s computer systems.
  4. Shoulder surfing: In this type of attack a malicious attacker looks over a user’s shoulder and watches while he/she types a password to gain access to a system. Shoulder surfing attacks are not always successful, but they can give a malicious attacker important information and leverage to achieve his goal.
  5. Dumpster diving: One of the most intelligent techniques for retrieving users’ passwords within large commercial organizations is the dumpster diving attack. In this type of attack, malicious attackers search through discarded material to find passwords, credit card numbers, confidential records or other useful information related to security policies and passwords.

Sniffing Attacks:

Apart from brute-force guessing, dictionary and social engineering attacks, today’s hackers are using more clever programs and methods to retrieve users’ passwords. These methods include software sniffer programs, which are used to capture passwords either a) when they are typed during the authentication phase of a network login session (Trojan Login, Van Eck sniffing, keystroke sniffing, hardware key loggers) or b) when they are transmitted across complex networks via e-mail and other document delivery systems (network sniffers) (Shape 1.1).

Shape 1.1 Sniffing Attacks

The next paragraphs describe in more detail each of these techniques used to sniff users’ passwords:

Ø 1. Network Sniffing:

A network sniffer is a program capable of capturing all traffic made available to one or more network adapters.

Ø 2. Trojan Login:

A Trojan Login sniffer program is a software tool used to capture users’ passwords during the authentication phase of a network login session. A malicious user who has access to a personal computer connected to a network can easily install a Trojan Login program. The strength of this malicious program is that it has the ability to display a perfect imitation of the operating system’s standard login program. As a consequence, the user enters his/her username and password without any knowledge of the situation, while the Trojan Login program saves this authentication information in a secret file.

Ø 3. Van Eck Sniffing:

The electromagnetic signals emitted by video displays, which are called Van Eck radiation, can be picked up from as far away as 1 kilometer. It is obvious that a malicious hacker using the appropriate equipment, and without specialized skills, could easily sit outside a building and eavesdrop on passwords and other secrets displayed on any nearby user’s video screens and monitors.

Ø 4. Keystroke Sniffing:

Shape 1.2 clearly shows a classic keystroke sniffing attack associated with most modern operating systems. In this type of attack, usernames and passwords are captured directly from the keyboard input buffer. When the user enters the required authentication information in order to gain access to a computer system, this information is stored in a special area of memory (RAM). While the user enters the information, a malicious attacker could run a sniffer program and retrieve the contents of the keyboard input buffer. As a result, the user’s username and password are obtained by the hacker and can be used for later attacks (Shape 1.2).

Shape 1.2: Keystroke Sniffing

Ø 5. Hardware Key Loggers:

A key logger is a hardware device that intercepts and stores the keystrokes of a keyboard. This type of attack can be conducted very easily by a social engineer. The social engineer simply walks into the location of interest and, very professionally, plugs this small piece of hardware between the keyboard port and the keyboard. Since most users place PC towers under their desks and most of them are unaware of hardware technology, key loggers can record all typed keystrokes and store them in their internal memory without the user’s knowledge.

Attacks on Password Storage:

Passwords have often been vulnerable to different kinds of attacks when they are stored in huge databases and password files. Most modern operating systems ask the user trying to gain access to system resources to enter his/her valid username and password. Then the operating system searches the system’s password file for an entry matching the username. If the password in that entry matches the password typed by the user, then the login procedure succeeds and the user is authorized by the system. Shape 1.3 shows clearly how the password checking procedure works.

Shape1.3 Password Checking

The storage of any password immediately breaks one important rule concerned with password security: “Do not write passwords down”. If the password file containing all users’ passwords is stolen then automatically the intruder has direct access to all system’s passwords. The primary arguments against password storage can be stated as:

Single Point of Failure: If the password file is compromised then all passwords are compromised. Compromise of the password file can happen due to:

  1. Poor encryption mechanisms or use of a weak master password, so its contents are easily accessed by a malicious hacker.
  2. Poor protection of the file itself.

Poor Audit Trails: Most operating systems keep logs used to review failed login attempts. Usually these logs contain a large number of wrong usernames and passwords typed by users while they are trying to log in to a computer or network system. If these logs are not well protected, then attacks become easier. For example, a malicious attacker who sees an audit record with a nonexistent username such as 7rs or eri67 can be sure that this string is a password, or part of the password, of one of the valid users.

Software Bugs:

One important reason for the success of password attacks is badly designed operating systems and the application programs running on them. These badly designed features cause software bugs which do all the hard work for malicious hackers and continue to be a major source of many security problems.

One recent software bug was found in the Solaris operating system. Users with low level privileges could force a network application program to end abnormally. As a result this program dumped its memory contents to the hard drive in a file available to all users. This file contained copies of the hashed password values that were normally stored and protected in a shadowed file. As a consequence this file could be used as input to Crack software for an off-line brute-force attack.

2.3 Countermeasures against these Attacks

Considering all the above, it is obvious that attackers use several techniques to capture users’ passwords. In this section, countermeasures against all the attacks on passwords described in section 2.2 (Attacks on Passwords) are analyzed and listed in order:

Countermeasures against brute-force attacks:

A possible solution against login guessing attacks (or on-line brute-force attacks) is to have a password policy which specifies the maximum number of failed login attempts. By configuring the operating system, system administrators can limit the number of failed login attempts allowed for each user. If the threshold is reached, the account should be locked and the user will not be able to log in until the system administrator reactivates the login process for the specific account.

It must be mentioned that using such defenses against login guessing attacks will only delay a hacker from accessing a system and gaining access to confidential information. Failed login thresholds will not prevent a brute force attack from occurring, but they will reveal the attack attempt to the security administrator. This defense method will deter a malicious attacker from initiating a brute force attack and increase the level of difficulty of executing it.
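The failed-login threshold described above, together with the "poor audit trails" weakness from section 2.2 (a mistyped password landing in the log as a nonexistent username), can be implemented in one small component. The following Python class is an added example written for this edit, not code from the report; the threshold of five failures, the fifteen-minute window and the user names are assumptions. It counts failures per account inside a sliding window, locks the account at the threshold, records an audit event for the security administrator, and never writes an unrecognised username verbatim into the audit trail.

```python
import hashlib
import time
from collections import defaultdict, deque


class LoginGuard:
    """Tracks failed logins per account, locks the account when a threshold
    of failures inside a time window is reached, and writes audit records
    that never contain an unrecognised username verbatim.

    Threshold and window values are assumptions for the example; a real
    password policy would set them."""

    def __init__(self, known_users, max_failures=5, window_seconds=900):
        self.known_users = set(known_users)
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # username -> failure timestamps
        self.locked = {}                     # username -> time of lockout
        self.audit = []                      # list of audit records (dicts)

    def _audit_name(self, username):
        """Known usernames are logged as typed; anything else is replaced by
        a truncated hash, so a password mistyped into the username field
        cannot be read back out of the audit trail."""
        if username in self.known_users:
            return username
        digest = hashlib.sha256(username.encode("utf-8")).hexdigest()[:12]
        return "unknown-user:" + digest

    def is_locked(self, username):
        return username in self.locked

    def record_failure(self, username, now=None):
        """Register one failed attempt; returns True if the account is now locked."""
        now = time.time() if now is None else now
        self.audit.append({"t": now, "user": self._audit_name(username), "result": "fail"})
        if username not in self.known_users:
            return False
        q = self.failures[username]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures and not self.is_locked(username):
            self.locked[username] = now
            self.audit.append({"t": now, "user": username, "result": "locked"})
        return self.is_locked(username)

    def record_success(self, username, now=None):
        """A successful login on an unlocked account resets its failure count."""
        now = time.time() if now is None else now
        if self.is_locked(username):
            return False                    # locked accounts cannot log in
        self.failures.pop(username, None)
        self.audit.append({"t": now, "user": self._audit_name(username), "result": "ok"})
        return True

    def unlock(self, username):
        """Administrator action: reactivate the account and clear its history."""
        self.locked.pop(username, None)
        self.failures.pop(username, None)


if __name__ == "__main__":
    # Constructed scenario: three failures lock "alice"; then a string that
    # is not a username (as in the 7rs example of section 2.2) is attempted.
    guard = LoginGuard(known_users=["alice", "bob"], max_failures=3, window_seconds=60)
    for t in (0, 1, 2):
        guard.record_failure("alice", now=t)
    guard.record_failure("7rs", now=3)
    for rec in guard.audit:
        print(rec)
```

The "locked" audit record is what the text calls identifying the attempt to the security administrator; the hashed form of unknown names keeps the log useful for correlation (the same mistyped string hashes to the same value) without disclosing it.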

There is no actual defense mechanism against an off-line brute-force attack. This type of attack can be applied to any given password database. There are many cracking programs available on the Internet which are capable of generating character sequences and working through all possible character combinations until the user’s password is found. The only defense mechanism against this type of attack is to have users who select and use “strong” passwords.

Countermeasures against dictionary attacks:

This type of attack can be eliminated by having a policy which simply prohibits the use of common words found in dictionaries or attackers’ word lists. If no generated passwords appear in such lists, then dictionary attacks will not succeed.

Besides, system administrators should themselves perform dictionary attacks to test users’ passwords within an organisation. If any passwords are compromised, then they must inform the users directly of the results and oblige them to change their passwords to more secure ones.

Countermeasures against Social Engineering attacks:

Education and user awareness must be supported by the organization’s global security policy. Users should understand the importance of keeping their passwords secret and be familiar with the different ways that a social engineering attack can be conducted against them. In this case, people are able to take the necessary steps and react accordingly when such a situation occurs. Besides this, companies should shred all printouts containing usernames, passwords and other similar confidential information in order to prevent dumpster diving attacks.

Countermeasures against Network sniffing attacks:

Today’s hackers use many network sniffing programs to retrieve users’ passwords while they are transmitted over distant networks or inside an organization’s corporate network. Most businesses facing this threat, and considering the consequences of this type of attack, implement and use different network protocols for the secure transmission of confidential information. More often, organizations specify detailed security policies that define the methods, encryption schemes and protocols to be used for the secure transmission of any important information. The most important defense mechanism against network sniffing attacks is the use of well-known secure network protocols such as SSL/TLS and IPSec. These protocols have the ability to build secure channels, based on cryptographic keys shared between trusted parties, for the safe transfer of passwords and other confidential information across any system’s network.

Countermeasures against Trojan Login:

A defense mechanism against Trojan Logins is to have a trusted path for all functions that require users to enter or present authentication information. This trusted path must be established between the user trying to log in and the operating system. The Secure Attention Sequence (SAS) is a trusted path mechanism used in many modern operating systems such as Windows 2000. When a user wants to log on, executing the sequence Ctrl+Alt+Del guarantees that he is communicating with the operating system and not with malicious software such as a Trojan Login.

Another important countermeasure against this type of attack is the installation of commercially available anti-virus software (such as Norton Antivirus and McAfee Antivirus). These anti-virus programs have the ability to detect sniffing attack programs such as Trojan Logins and prevent them from being downloaded, installed and run on operating systems.

Countermeasures against Van Eck sniffing attacks:

The types of countermeasures used to protect against Van Eck sniffing attacks are known as Transient Electromagnetic Pulse Equipment Shielding Techniques (TEMPEST). The U.S. TEMPEST standard is one guideline that manufacturers have to follow in order to reduce electromagnetic emissions and prevent these types of attacks against passwords and other secrets displayed on video screens and monitors. TEMPEST mechanisms include Faraday cages, white noise and control zones. A Faraday cage is a box, a room or an entire building that is designed with an external metal skin that fully surrounds an area on all six sides. As a result, all electromagnetic signals emitted by PCs’ monitors are kept inside the building, preventing eavesdroppers from recovering users’ passwords.

Countermeasures against Keystroke sniffing attacks:

A good defense mechanism against keystroke sniffing attacks is to protect the CPU’s memory. In particular, the keyboard input buffer is the exact location where keystrokes typed by users are stored. It is clear that this area should be protected using various encryption techniques, so that it becomes impossible for an intruder to retrieve its contents in plaintext form when they are intercepted.

Countermeasures against Hardware Key Loggers:

There are no well-known defense mechanisms against hardware key loggers. The only countermeasure against them is to state clearly in the organisation’s password policy that all sides of electronic equipment, and especially computers, should be visible to users and security officers. Moreover, system administrators may be obliged to check all hardware and electronic devices plugged into users’ computers, or to check all hardware connections in computer rooms periodically.

Countermeasures against Password Storage attacks:

The types of defense mechanisms against password storage attacks include the use of various encryption and hashing techniques. These techniques are used to encrypt password files and never leave passwords exposed in plaintext form. Usually modern operating systems (Windows, UNIX) use one-way encryption systems to encrypt users’ passwords. In one-way encryption systems the password is transformed in such a way that the original password cannot be recovered. When a user logs onto such a system, the password entered by the user is one-way encrypted and compared with the stored encrypted password. The same encryption method and key must be used to encrypt the valid password before storage and to encrypt the entered password before comparison.

Besides the use of one-way encryption, strong access control mechanisms (such as the Role-Based and Clark-Wilson access control models) should be enforced and applied to the files that keep the system’s hashed passwords. Without implementing tough access control mechanisms, the operating system is unable to check who is accessing these files. As a consequence, an adversary could easily copy them and mount different kinds of attacks on them.
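The one-way storage scheme described above (transform the password before storage, re-apply the same method at login, compare the results) is shown below in Python as an added example written for this edit; it is not code from the report. It places the weak form, a bare unsalted hash, beside the hardened form, a per-user random salt with an iterated key-derivation function (PBKDF2 from the standard library), and compares in constant time. The iteration count, the record format and the sample password are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the key-derivation function. This value is an assumption for
# the example; it should be tuned so that one verification costs a noticeable
# fraction of a second on the authentication server.
ITERATIONS = 600_000


def unsalted_digest(password: str) -> str:
    """The weak form: a bare one-way hash with no per-user salt. Two users
    with the same password get the same stored value, and a single
    precomputed table serves an attacker for the whole password file."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """The hardened form: a random 16-byte salt and a slow, iterated one-way
    function. The stored record carries the algorithm name, iteration count
    and salt, so exactly the same method can be re-applied at login."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the one-way function on the entered password with the stored
    parameters and compare the two digests in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed record: never authenticate
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    pw = "correct horse battery staple"
    print(unsalted_digest(pw) == unsalted_digest(pw))   # True: identical records leak the sharing
    a, b = hash_password(pw), hash_password(pw)
    print(a == b)                                       # False: different salts
    print(verify_password(pw, a), verify_password("wrong", a))  # True False
```

The stored record never contains the password, so a copied file yields only the off-line work the text describes, and the salt plus iteration count is what makes that work expensive per account.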

Countermeasures against Software Bugs:

As was mentioned in the previous section (section 2.2, Software Bugs), badly designed features in operating systems and applications can sometimes lead to software bugs which do all the hard work for malicious hackers. A defense mechanism to prevent such software bugs is good software design. Software should be designed in an organized way, keeping procedures simple, reviewed periodically for vulnerabilities and threats, and hardened with the latest patches. Where a software bug is found in any operating system or application, the people discovering it should report the problem directly to the security officer, and the corresponding company selling and licensing the product should be informed so that it can solve the problem.

3. Password Policies

3.1 Introduction

Password policies are necessary to protect the confidentiality of information and the integrity of systems by keeping unauthorized users out of computer systems. Usernames and passwords are the fundamental protection of computers and networks against intruders. Password policies specify rules about the secure administration of usernames, rules used to define valid passwords, and the type of protection needed for secure password storage. A password policy is a good place to start building the security of a company’s network and protecting its assets. The next sections discuss issues related to the secure usage and management of both usernames and passwords.

3.2 Administration of Usernames

The front gate of an organization’s network is where a user or service identifies itself and presents some type of authentication information known only to it in order to gain access. Failing to have reliable login security policies in place is like having a big building with the best guards and security mechanisms around it, but with the main front gate open to anyone.

3.2.1 Login Security Policies and Usernames

Within a secure system, the first thing that should be expected for any login attempt is to identify the person requesting entry. Regardless of the protocols used, you need to know who is trying to access the network services and who they want the network services to think they are. In high-security military environments, user identifiers are assigned based on a random sequence of characters. Other organizations, such as commercial ones, use something that uniquely identifies the user without worrying about how to create usernames.

If usernames can give away information about the organization, then the use of random names could be a good solution. However, with random names users tend to write them down and stick them in front of their monitors, and if they are writing down their usernames they could also be writing down their passwords. This may oblige system administrators to assign usernames that are easily remembered.

3.2.2 Other Policy issues related to usernames

There are also other policy issues raised by usernames. Apart from the policy issues related to the creation of usernames, procedures need to be employed that guide the overall management of usernames. Administration of usernames consists of the procedures that drive the generation, destruction and revocation of those names. It is obvious that good management of usernames is needed and must be strongly undertaken within a large organization.

3.3 Password Management

After usernames, passwords become the front line of protection and defense against intruders. Companies may have specified good policies about maintaining and assigning usernames, but one weak password can allow an intruder to open the door to the network easily. Password management policies are an important aspect of computer security, and passwords are by far the most common user authentication method within the largest multinational organizations. Password policies fall into the following categories:

Ø What constitutes a valid password.

Ø The storage of those passwords.

The following sections (3.3.1, 3.3.2) discuss in more depth these two categories.

3.3.1 Policies Defining Valid Passwords

A variety of password policies and guidelines are publicly available on the Internet. Most of them establish and enforce a set of rules which are either required or recommended for the user to follow when creating a password. Such rules used for defining valid passwords may include:

Ø Passwords should contain a combination of upper and lowercase letters, digits and special characters (all printable ASCII characters)

Ø Passwords should not be a word that appears in a dictionary or word lists

Ø Passwords should not be based on well-known personal information

Ø Passwords should be memorized by users.

Ø Passwords should be replaced periodically.

Ø When old passwords expire, the new passwords should be completely different from the old ones.

Ø Users should never share their passwords with others.

Ø Password length depends on the value of data it is used to protect.

3.3.2 Storage of Passwords

Apart from the main properties that a valid password should have, a good password policy should also specify rules about the secure storage of passwords. Passwords should be stored in the authentication system in a manner which minimizes their exposure to disclosure or unauthorized replacement. Several methods have been used, such as the so-called LOGON program. The password file is protected by a file access mechanism which checks a protection bit in a file access table; only the privileged LOGON program has access to read and write the file. In addition these systems encrypt the passwords using one-way encryption (described in section 2.3: countermeasures against password storage attacks), using either a Data Encrypting Key (DEK) or the password itself as the key.

Policies related to password storage should state and specify the type of protection provided to the passwords, which must be proportional to the protection desired for the system or data. Furthermore they should indicate the access control mechanisms used to control the operations performed on files containing the system’s passwords.

3.4 Risks due to inadequate Password Policies

Password policies are necessary to protect companies’ assets. However, not all companies realize the risks they face due to poor password policies. The risks include user confusion, denial-of-service issues, loss of income, disclosure of sensitive marketing and plan strategies, loss of productivity and, if the password policy is not communicated clearly to the users, user education problems.

Today’s companies don’t take password security too seriously. However, the password policy is a good place to start to build the security of a company’s network and protect its assets.

3.5 Users and Password Policies

Password policies need to be sensible and reviewed periodically for legal issues, human factors and the cryptographic strength of the protection they provide. It is obvious that people play an important role in the establishment and maintenance of a well-defined password policy. All people involved in password policies, such as administrators, security officers, managers and users, should co-operate and take all the steps necessary for a successful company strategy on security processes.

4. Techniques for Remembering Strong Passwords

4.1 Introduction

Despite all the sophisticated password generators and data encryption systems available today, passwords typically remain the weakest link in the security chain. That happens because the users and the designers of computer systems pull in different directions.

On one hand, system designers prefer hard to guess and complex passwords which are usually generated using random password generators (PA.ME.SYS). On the other hand, users: a) use easy to guess passwords, b) use the same passwords across all systems, c) keep records of their passwords and d) forget them from time to time. As a consequence passwords remain a big headache in most organizations and agencies, which are trying to find alternative solutions to overcome the problems related to weak password choices. Computer experts try to develop and implement modern techniques for helping users remember “strong” passwords. Such techniques are discussed in the next three sections.

4.2 CryptogicTM Password Protocol

In 2004 Sean Gilberston and Murli Bhamidipati proposed a method called “The CryptogicTM Password Protocol” which provides a simple way of helping people to select and remember passwords that are considered to be “secure”. The basic idea behind this method is described in the next three simple steps:

  1. In step one, the user first decides on a fixed part which never changes and is typically made up of words or letters.
  2. In step two, the user decides on a single rule which will be used to derive the variable part of the password from the system or website the user is logging into. The variable part of the password usually consists of digits.
  3. In step three, the user decides how to add the variable part to the fixed part.

The fixed part represents a word that a user can always remember. This word stays the same across all passwords and it should be within 5 to 10 characters. The variable part is a digit which may represent:

  1. the number of characters in the name of the webpage the user visits,
  2. the number of vowels in the user’s first name,
  3. the number of characters in the name of the computer/network system the user logs on to,
  4. the number of times a particular letter (vowel or consonant) appears in the name of the webpage, computer or network the user logs on to.

Then the user decides how to add the variable part to the fixed part in order to make up the final password. For example a user may add the variable part to the end, to the middle or to the beginning of the fixed part.

Given all the above, there are some important disadvantages in the whole procedure used to construct passwords:

  1. The passwords generated do not include special symbols (i.e. they do not draw on all 95 printable ASCII characters). As a result all passwords are composed only of mixed-case alphabetic characters and digits. These passwords are not resistant to brute force attacks.
  2. NIST guidelines state that passwords should not be related to the organization’s computer or network names, which may be known to an attacker (e.g. a social engineer).
  3. Most cracking software available on the Internet allows the attacker to define rule sets that control the transformations applied to the input dictionaries. As a consequence most of the passwords generated according to the Cryptogic Password Protocol are vulnerable to this kind of dictionary attack.

4.3 Mnemonic System for Bank PINs

Another method, used by commercial banks to help their customers remember their PIN numbers easily, is the use of “cards”. The customers were supposed to conceal their PINs in the following way [shape 1.4]:

“Suppose the user’s PIN is 2256. The user has to choose a secret word, e.g. “blue”. Then the user writes the four characters of the word “blue” in the second, second, fifth and sixth column of the card, one per row. The remaining empty boxes are filled with random characters (user-defined).” This process is shown in figure 1.11:

Column:  1  2  3  4  5  6  7  8  9  0
Row 1:   E  B  T  W  Q  W  G  S  K  A
Row 2:   x  L  B  D  L  A  D  W  Z  D
Row 3:   G  K  M  G  U  P  H  J  F  Y
Row 4:   c  R  N  I  H  E  A  Q  B  M

Shape 1.4: Mnemonic System for bank PINs

It is obvious that this technique provides weak security for the following reasons:

  1. A quick check on this card shows that a 4 by 10 matrix of random alphabetic characters may yield about two dozen words (unless there is an “s” on the bottom row).
  2. This card may be stolen by an attacker for further analysis.
  3. The customer must carry this card with him in every bank transaction, which increases the possibility of losing it.

4.4 Passphrases

Another technique used to help users remember strong passwords is the use of “passphrases”. A passphrase is a sequence of words or other text used to restrict access to a computer system.

Usually passphrases are considered to be more secure than passwords for the following reasons:

  1. First, passphrases are usually much longer (20 to 30 characters) than common passwords (8 to 10 characters), making them resistant to brute force attacks.
  2. A passphrase may be created with the use of dice to select words at random from a long list. While such a collection of words might violate the rule "do not use words found in dictionaries", the security is based on the large number of possible ways to choose from the list of words and not on any secrecy about the words themselves.
  3. If passphrases are well chosen and contain digits or special symbols, then they will not be found in any ‘phrase or quote’ dictionary. As a result dictionary attacks will be unable to crack such passphrases.
  4. Passphrases can be structured so as to be more easily remembered than passwords without being written down, reducing the risk of social engineering attacks.

5. Analysis of a Password Mnemonic System based on favorite Pass Phrases

5.1 Implementation and Testing

This section proposes a mnemonic system based on users’ favorite passphrases. A user can simply remember specific letters of their passphrase and combine them to form their final password.

The mnemonic system proposed is based on LEET (1337), a written language or cipher used in online gaming, e-mails, text messaging, tweeting, and other electronic communication. The root of the term "leet" is the word "elite"--rendered as 31337--and 1337 was initially developed as an exclusionary language: a way to encode text so that messages could only be read by the initiated. The defining characteristic of 1337 is the substitution of symbols and numbers for letters (for example, in the term "1337", 1=L, 3=E and 7=T), but the language has also developed to include intentional misspellings, phonetic spelling, and new words.

A: 4, /-\, @, ^, /\, //-\\, /=\
B: 8, ]3, ]8, |3, |8, ]]3, 13%
C: (, {, [[, <, €
D: ), [}, |), |}, |>, [>, ]]), ?
E: 3, ii, €
F: |=, (=, ]]=, ph
G: 6, 9, (_>, [[6, &
H: #, |-|, (-), )-(, }{, }-{, {-}, /-/, \-\, |~|, []-[]
I: 1, !, |, ][, []
J: _|, u|, ;_[], ;_[[
K: |<, |{, ][<, ]]<, []<
L: 1, |_, []_, ][_, £
M: /\/\, |\/|, [\/], (\/), /V\, []V[], \\\, (T), ^^, .\\, //., ][\\//][, JVL
N: /\/, |\|, (\), /|/, [\], {\}, ][\][, []\[], ~
O: 0, (), [], <>, *, [[]]
P: D, |*, |>, []D, ][D
Q: (,), 0, O, O\, []\
R: 2, |?, |-, ]]2, []2, ][2
S: 5, $, š
T: 7, +, ']', 7`, ~|~, -|-, '][', "|", †
U: (_), |_|, \_\, /_/, \_/, []_[], ]_[, µ
V: \/, \\//, √
W: \/\/, |/\|, [/\], (/\), VV, ///, \^/, \\/\//, 1/\/, \/1/, 1/1/
X: ><, }{, )(, }[
Y: '/, %, `/, \j, ``//, ¥, j, \|/, -/
Z: 2, z, 7_, `/_

Table 1.5: “LEET (1337) language”

Steps 1 to 6 describe the operation of the software developed for this mnemonic system:

Step1:

An Access database was created containing all “LEET (1337)” representations of each letter of the English alphabet. Each letter has a constant number n (= 8) of different representations. If a given letter has fewer than n different substitutions, its sequence is repeated until the number of representations for that letter is equal to 8.

Step2:

The program lets the user type his/her favorite passphrase. This passphrase may consist of t different words.

E.g. if the passphrase is “Tolmon Nika” then the password will be two characters long.

Step3:

The program extracts the first letter of each word and creates a string of t characters. The length of this string is the length of the password.

Step4:

The program uses the random function “CryptGenRandom” to produce one random number for each character of the string (e.g. “TN”). This function is well tested and has two of the properties of a good random number generator:

  1. Unpredictability
  2. Even value distribution.

The process for deriving random numbers (in CryptGenRandom) and associating them with each character of the string is outlined in shape 1.6:

Shape 1.6: “CryptGenRandom”

The CryptGenRandom function gets its randomness from many sources in Windows XP. Some of them are: the current process ID; the current thread ID; the current time; an MD4 hash of the user’s username or password; high precision internal CPU counters; cache manager data pages; and context switches.

Step5:

The program associates each character of the string with a specific “leet language 1337” letter substitution. The whole process is based on the following mathematical formula:

where random number is the number generated by the “CryptGenRandom” function and n is the number of different representations of each English alphabetic character. The result of this function specifies which “leet language 1337” character is going to replace the initial alphabetic character. Shape 1.7 illustrates how the whole process works:

Shape 1.7: “Generating the final password”

Step6:

The procedure shown in Shape 1.7 is repeated for all characters of the string. After the generation of the user’s final password, the program produces a document which illustrates how the final password was constructed.

5.1.1 Implementation

The PA.ME.SYS program described in the previous section was implemented in the Visual Basic programming language. The source code, together with comments explaining the operation of each function, is in <<Appendix [2] Source Code (Visual Basic)>>.

The source code is divided into six parts. Each part is responsible for a different operation in the whole procedure used to produce the final user’s password.

Part1: 

This part is the start of the program and has two functions: installing the program and cancelling the installation.

Part2:

This part first directs the user to the License Agreement; to continue, the user must select “I agree” to the agreement and press the Next button.

Part3:

Loads the Pa.Me.Sys program.

Part4:

The program is ready for the user to enter their favorite proverb or translation.

Part5:

The job is finished.

Part6:

The final part thanks the user for using the program.

Exportdata: This process performs a checking operation each time a passphrase is entered. More specifically it performs the following three operations:

  1. converts the string to lowercase letters,
  2. removes leading and trailing spaces from the sentence (passphrase),
  3. takes precautions for double, triple, etc. spaces between words.

The importance of the above checks is that the program avoids errors that may occur while a user is typing his favorite passphrase.

After this, the process counts the number of words and extracts the first letter of each word in the passphrase. All the extracted letters are placed in an array. The program places a zero at the end of the array to indicate the end of the string. This array represents the initial password.

Generatepassword: This process a) opens a connection to the Access database and b) calls the handler “(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load”, which generates a random number for each character of the initial password, selects a substitution for each random number and produces the final password.

Part3: This part simply opens a connection to the Access database. This database contains all letter substitutions for the English alphabet according to the “l33t language”.
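An added Python re-implementation of steps 1 to 6 above and of the Exportdata and Generatepassword processes (example code, not the Visual Basic source of PA.ME.SYS). It assumes secrets.randbelow in place of CryptGenRandom, index = random mod n as the step 5 formula, that letters with more than n representations keep their first n, and a subset of Table 1.5 covering the letters used in the tests of 5.1.2; it also computes the n^t count used in section 5.2 and checks the printable-ASCII subset required there.

```python
"""Added example (not the PA.ME.SYS Visual Basic program): steps 1 to 6 of the
mnemonic system in Python. Assumptions: secrets.randbelow stands in for
CryptGenRandom, the step 5 formula is taken to be index = random mod n, and
letters with more than n representations keep only their first n."""
import re
import secrets

N = 8  # constant number "n" of representations per letter (step 1)

# Subset of Table 1.5 covering the letters used in the three tests of 5.1.2;
# the other letters are added the same way.
LEET = {
    "a": ["4", "/-\\", "@", "^", "/\\", "//-\\\\", "/=\\"],
    "d": [")", "[}", "|)", "|}", "|>", "[>", "]])", "?"],
    "e": ["3", "ii", "€"],
    "g": ["6", "9", "(_>", "[[6", "&"],
    "i": ["1", "!", "|", "][", "[]"],
    "k": ["|<", "|{", "][<", "]]<", "[]<"],
    "n": ["/\\/", "|\\|", "(\\)", "/|/", "[\\]", "{\\}", "][\\][", "[]\\[]", "~"],
    "t": ["7", "+", "']'", "7`", "~|~", "-|-", "']['", "\"|\"", "†"],
    "w": ["\\/\\/", "|/\\|", "[/\\]", "(/\\)", "VV", "///", "\\^/"],
}


def pad_to_n(subs, n=N):
    """Step 1: repeat the letter's sequence until it has exactly n entries."""
    out = []
    while len(out) < n:
        out.extend(subs)
    return out[:n]


def export_data(passphrase):
    """Exportdata: lowercase, strip, collapse repeated spaces, then take the
    first letter of each word (steps 2 and 3). Returns the initial password."""
    cleaned = re.sub(r"\s+", " ", passphrase.strip().lower())
    words = [w for w in cleaned.split(" ") if w]
    if not words:
        raise ValueError("passphrase contains no words")
    return "".join(w[0] for w in words)


def generate_password(passphrase, rng=secrets.randbelow):
    """Steps 4 to 6: one random number per initial letter, index = random mod n,
    substitution looked up in the padded table. Returns (password, rows), where
    rows records (letter, random number, index, substitution) for the document
    handed to the user in step 6."""
    rows, chars = [], []
    for letter in export_data(passphrase):
        if letter not in LEET:
            raise ValueError(f"no LEET entries for {letter!r} in this subset")
        table = pad_to_n(LEET[letter])
        r = rng(2**32)          # CryptGenRandom stand-in (assumption)
        idx = r % N             # assumed step 5 formula
        chars.append(table[idx])
        rows.append((letter, r, idx, table[idx]))
    return "".join(chars), rows


def explain(passphrase, rows):
    """Step 6: the document showing how the final password was built."""
    lines = [f'Passphrase: "{passphrase}"']
    for letter, r, idx, sub in rows:
        lines.append(f"  {letter} -> random {r} mod {N} = {idx} -> {sub}")
    return "\n".join(lines)


def is_printable_ascii(password):
    """Check for the 95-character printable ASCII subset (FIPS PUB 1-2) that
    section 5.2 point 7 requires; Table 1.5 also lists symbols such as € and †
    that fall outside it, so the program must filter those before issuing."""
    return all(0x20 <= ord(c) <= 0x7E for c in password)


def combinations(length, n=N):
    """Number of distinct passwords one passphrase of `length` words can give:
    n ** length (8 ** 8 == 2 ** 24 for the eight-word case in section 5.2)."""
    return n ** length


if __name__ == "__main__":
    for phrase in ("ti giannis ti giannakis", "einai duskoli wra", "Tolmon Nika"):
        pw, rows = generate_password(phrase)
        print(explain(phrase, rows))
        print(f"  password: {pw}  ascii: {is_printable_ascii(pw)}\n")
```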

5.1.2 Testing

1) First test: for the passphrase “ti giannis ti giannakis” the passwords generated using PA.ME.SYS are:

Some Possible Combinations

1. +6][6

2. ']['9-|-[[6

3. ']'&†6

4. ~|~6']'&

5. 7`&†9

6. -[[&†9

2) Second test: for the passphrase “einai duskoli wra” the passwords generated using PA.ME.SYS are:

Some Possible Combinations

1. 3[}[/\]

2. € ii(/\)

3. [>\/1/

4. €)\^/

5. [>|>\/\/

6. €|)\/1/

3) Third and last test: for the passphrase “Tolmon Nika” the passwords generated using PA.ME.SYS are:

Some Possible Combinations

  1. T[\]

  2. ~|~/\/

  3. -[[|\|

  4. 7`[\]

  5. †/|/

  6. ~|~{\}

5.2 Advantages

1. Resistant to brute-force attacks:

The first advantage of the generator system developed in this chapter is that it produces passwords that are resistant to brute-force attacks. That happens because passwords are composed from all 95 printable ASCII characters and the length of each password depends on the number of words in the user’s passphrase. If an organization’s password policy compels users to use passphrases of 10 words then all passwords generated will be 10 characters long, which results in a very large number of possible password combinations (95^10 possibilities).

2. Impossible to conduct dictionary attacks:

None of the passwords produced using the PA.ME.SYS generator are related to words which can be found in dictionaries. All the passwords it generates contain special symbols (!@#$%^...) and digits (0-9) which cannot be found in dictionaries. These passwords are not related to a specific user and they are not based on the user’s well-known personal information (children’s names, username, cities, driving license numbers, telephone numbers and so on).

3. Same passphrase results in different passwords:

In the case where two users enter the same passphrase the possibility of two identical generated passwords is very small. The number of different password combinations for an 8 character password, where each character could be represented by n=8 different letter substitutions, is:

Password Combinations = n^(Password Length) = 8^8 = 2^24, where n is the number of letter substitutions per character.

Therefore the possibility of one passphrase giving the same password twice is 1 / 2^24, which is a very small number. If an organization’s password policy wishes to prevent such a possibility then all produced passwords may be stored in the computer system’s database. Each time a new password is generated, it should be filtered against this database in order to prohibit the same password from being issued to two different users. Besides, the computer system which generates and stores the organization’s passwords should:

  1. Not be connected to the Internet or the company’s network,
  2. Be locked,
  3. Be accessible only to authorized people.

4. Built-in random function (Password Source):

FIPS PUB 112 indicates that if passwords are generated by the system, the method of generation should not be predictable. The PA.ME.SYS generator uses the function “CryptGenRandom” to produce random numbers. The CryptGenRandom function gets its randomness from many sources in Windows. Each time the PA.ME.SYS system is activated to produce passwords a different random seed is used as input. This method gives strength to the PA.ME.SYS system and makes the attacker’s task of predicting or guessing the seed much more difficult.

5. PA.ME.SYS produces passwords that are easily memorized by users:

All passwords produced using the PA.ME.SYS generator depend on the users’ input passphrases. Each time a user requests access to computer or network resources he just recalls the correct passphrase and extracts the first letter of each word. That means that users’ passwords are easily remembered without being written down.

6. Easy to learn l33t language:

All passwords generated are based on the “L33t language”. “L33t” is an Internet-based language reliant on the keyboard and it is characterized by the use of non-alphabetic characters (special symbols and digits) to stand for letters. Assuming that all people have access to the Internet, are registered to email accounts, sites or other online communities and are familiar with such symbols, then they can use them easily without getting confused.

7. Password composition:

All passwords generated using the PA.ME.SYS system are composed using the subset of 95 graphic characters specified in FIPS PUB 1-2. The PA.ME.SYS password generator system verifies that all passwords produced consist of valid characters from this subset.

8. Password length:

The PA.ME.SYS password system gives the Security Officer and System Manager within an organization the possibility to specify the minimum length of all passwords to be generated. This is achieved by obliging users to use passphrases with a specific number of words. The passwords produced will then have the required number of characters.

9. Password lifetime:

FIPS PUB 112 states that password systems should have the capability of replacing a password quickly, initiated either by the user or by the Security Officer. The PA.ME.SYS password system gives the user the ability to replace his/her password quickly and easily at the company’s request. This is achieved by entering a new passphrase into the system to generate a new password.

10. Error checks:

The PA.ME.SYS password system enforces a function (Exportdata) to check for errors during input. In other words the system avoids errors that may occur while a user is typing his favorite passphrase.

It should be mentioned at this point that the added value of this mnemonic system is not the implemented program itself, but the idea behind a scheme of generating hard to break and easy to remember passwords. This password system is a proof of concept of the initial idea and it can be enhanced using the future recommendations discussed in the next section.  

5.3 Future Recommendations

1. Documentation:

An effective password management policy should require the active cooperation of all users involved in the process of generating good passwords. It is important to provide all necessary documentation and tutorials to explain how their passwords are created. Each time a new password is generated the program could issue a document showing how the user’s passphrase was used to create the final password. By applying this method, users will clearly understand the basic idea behind the PA.ME.SYS password system, and this will help them remember their strong passwords easily. It really is worth the effort to make users feel personally involved in implementing the password policy.

2. Website creation of www.Pa.Me.Sys.gr:

In the future some additional features could be created, such as a website pa.me.sys.gr that would create passwords and codes. The website would be easy to use and would serve to advertise the Pa.Me.Sys program and familiarize users with it.

3. Selection of specific letters:

The PA.ME.SYS password system can be enhanced with an option allowing users to select the letters they wish from their passphrases. The program implemented in this chapter extracts by default the first letter of each word in the user’s passphrase. It could be a good idea to allow users to select the characters they want, which may be easier for them to remember.

4. Password Length:

The number of words that the user enters as input to form his passphrase determines the length of the final password. If the organization’s password policy specifies that users should use passwords 12 characters in length, then it is clear that they are obliged to find and use long passphrases (consisting of 12 words), which is considered to be difficult. It would be a good idea to implement an algorithm which produces passwords of the length indicated in an organization’s password policy independently of the size of the passphrase entered. This method would not compel users to search for, and be confused by, the long passphrases that may otherwise be required to generate long passwords.

5.4 Password Policies and PA.ME.SYS

Considering all the above issues, it is obvious that the PA.ME.SYS system enforces password management policies and handles problems related to passwords. More specifically it is responsible for the production of hard to break and easy to remember passwords that comply with the desired length, composition, lifetime and source of passwords specified in Password Usage (FIPS PUB 112). Other issues related to password management should also be considered when designing and implementing the PA.ME.SYS password generator system. For example, if the organization’s password policy specifies that all passwords should be generated using the PA.ME.SYS system, then these passwords must be distributed in some way to the users. A tough password policy may state the following:

“Each user must enter the company’s private room, in which he applies a passphrase (containing the exact number of words stated in the organization’s password policy) to generate his secret password. Then, using the document which describes how his/her password was created, he/she should memorize it. After memorizing the password, he should close or reset the program (thus destroying the passphrase and password) and never write down the generated password after leaving the room.”

Other security issues include the secure transmission, storage, ownership, entry and authentication period of all passwords generated using the PA.ME.SYS system. These issues depend on the organization’s global security policy and should be seriously analyzed in order to have an effective password policy.

6. Conclusions

Passwords are an important aspect of computer security. Passwords are the only user-friendly method used to identify a user and grant access to an organization’s system resources. They are the front line of protection for user terminals, for the confidentiality of information and for the integrity of systems, keeping out all unauthorized users.

The first chapter of this project discusses the importance of passwords in today’s businesses and states clearly the reasons that passwords are widely used within an organization’s security framework. It also emphasizes the fact that they need to be managed properly in order to provide the same level of security as a more modern security mechanism. This is achieved by enforcing specific rules for the complexity, generation, storage and distribution of passwords through a strong security policy.

From the analysis of the first chapter it was clear that the usage of passwords as an authentication technique increases the possibility of an information system being compromised. That happens because these passwords are directly connected to the way that users manage them. As a consequence passwords are the weakest element in the security chain of an organization’s network system and are susceptible to different types of attacks.

The second chapter of this project describes the multiple techniques used by intruders to launch attacks against password-based authentication systems and proposes different defense mechanisms to eliminate such attacks. From this analysis it was made clear that the effective implementation of the proposed countermeasures cannot be achieved without being well planned and systematically applied within the organization’s security framework. In order to achieve this, a well-defined password policy is crucial.

The third chapter of this project makes a critical analysis of a password policy which may be used within an organization to enforce rules for the secure generation, storage and distribution of passwords. In more detail this policy specifies rules for defining strong passwords and proposes techniques for the secure storage of these passwords. It also considers the risks due to inappropriate security policies and shows that users play an important role in the establishment and maintenance of a well-defined password policy. The results derived from this chapter were that password policies are undoubtedly an important aspect which ensures that passwords are properly selected and managed within an organization’s security framework. Besides, it was shown that there is a need for password policies to use password generators. These generators compel users and administrators to use passwords that are only selected by them and that meet certain security criteria.

In the fourth chapter of this report a search was conducted for different techniques that are used to improve users’ memory and to facilitate remembering strong passwords. The operation of each technique was examined together with its limitations. A mnemonic system was also proposed to help users easily remember passwords based on their favorite passphrases. This mnemonic system was designed using data flow diagrams, which clearly show the processes and data that make up the system, and implemented using the Visual Basic programming language, which clearly shows in a graphical environment how the system works. The added value of this mnemonic system was not the implemented program itself, but the idea behind a scheme of generating hard to break and easy to remember passwords (using the full printable character set). This password system was a proof of concept of the initial idea and it could be enhanced using the future recommendations.

The last chapter discusses the main features of a password mnemonic system (Pa.Me.Sys) which is activated to handle password management problems and enforce password management policies within an organization. This password generator system, which is proposed by the National Institute of Standards and Technology (NIST), is analyzed for the processes it applies in order to produce pronounceable passwords. These pronounceable passwords are easily spelled and have no association with a specific user.

The results derived from the development of this system were that it enforces password management policies and handles problems related to the selection of “secure” passwords. More specifically this system is responsible for the production of hard to break and easy to remember passwords that comply with the desired length, composition, lifetime and source of passwords specified in most password guidelines. Other issues related to password management should also be considered when designing and implementing this password generator system. Such security issues include the secure transmission, storage, ownership, entry and authentication period of all passwords generated using this system. These issues depend on the organization’s global security policy and should be seriously analyzed in order to have an effective password policy.

In conclusion, passwords are an important aspect of computer security: they are the only user-friendly method used to identify a user and they are necessary to protect the confidentiality of information and the integrity of systems. Usually these passwords are created using password generators. These passwords are not easily remembered, they are complex, they need to be changed frequently, and the users have to read long instructions and guidelines on how to keep them secret. As a consequence users tend to write them down and violate the organization’s security policy. It is obvious that other techniques, such as the mnemonic system described in the last chapter of this project, should be enforced and implemented in order to help people remember strong passwords easily. These techniques should aim to make people feel personally involved in the generation of their passwords and to understand the consequences of poorly chosen passwords. Moreover an organization could employ multi-factor authentication mechanisms to provide stronger security. The passwords (“anything you know”) generated using the developed mnemonic system (in chapter 7) could be used in combination with smart tokens (“anything you have”) or biometric identifiers (“anything you are”). In this way the users provide proof of two different things in order to gain authorized access to system resources. Finally, all people involved in password policies, such as administrators, security officers, security managers and users, should co-operate and take all the appropriate steps needed for a successful company strategy on security processes.