
Information Security Observatory Notebook
Instituto Nacional de Tecnologías de la Comunicación (INTECO)

PASSWORD MANAGEMENT

Passwords are, historically, the first security mechanism defined in computing. As soon
as the ‘multi-user’ concept was introduced on early UNIX machines, it became necessary
to protect the login process by some method. A user sharing a computer must not be able
to access another user’s resources, let alone have the same level of control as the
administrator. In those days, the easiest solution was a password known only to the user,
ensuring that the user was the only person with access to their own resources.

From that moment on, and with the popularisation of networks, protecting remote access
also became necessary. Since then, authentication methods have evolved in complexity and
effectiveness. Although other methods such as tokens and biometrics exist, the password has
always remained the formula par excellence for securing access to resources, both locally
and online. This report overviews the different types of attacks possible against
passwords and the most appropriate methods for choosing and managing them.

I General recommendations

During 2010, Imperva undertook research on the worst practices in the use of passwords¹.
The study is based on the analysis of 32 million real customer passwords which were taken
from a web service and published in December 2009. The most interesting conclusions drawn
from the research are the following:

a. Approximately 50% of passwords were made up of 7 or fewer characters. Passwords must
have at least 8 characters. In order for passwords to be suitably long as well as easy to
remember, full sentences taken from songs, poems or the like can be used, which the user
can recall easily and which, though complex, are familiar to them.

b. 40% used only lowercase letters. A robust password must use as many different
characters and character combinations as possible, i.e. it should include uppercase and
lowercase letters, numbers and symbols. For instance, question marks, punctuation marks,
etc. can be used to create a much more complex password.

¹ The Imperva Application Defense Center (ADC), 2010. Consumer Password Worst Practices. Available at:
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf

Password management Page 1 of 14


Information Security Observatory
In addition to what the above-mentioned study showed, further advice on passwords may be
added: a password should not be a known word that can be found in a dictionary. If only
one word is used as the password, that word should not exist, i.e. it should be completely
random. To achieve this, you can take existing words and add symbols at the beginning, end
or middle of them. This recommendation is not necessary if full sentences are used, as
mentioned above.

Another useful tip is not to use the same password for different web services or devices,
and to avoid personal data such as the date of birth or telephone number, and simple
combinations such as "12345", "abcde", etc. Various reports² show that it is common
practice to use the same password for different web portals or services. This entails a
great risk since, in the event of a security problem exposing the password to an attacker,
it would be very easy to access other resources of the victim with that password. Using
different passwords involves the need to manage them in an optimal way, as explained below.

It is necessary to reach a compromise between ‘easy to remember’ and ‘effective’. What is
essential is the password’s structure, even more than its possible complexity. Combining
an easy-to-remember and suitably long structure with numbers and symbols may be the most
appropriate decision.

By following these straightforward tips, it is possible to prevent the password from being
discovered through the attacks described below.
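As an added example (not part of the INTECO report), the following Python function checks a candidate password against the recommendations of this section: a minimum length of 8, a mix of character classes, no plain dictionary word, no simple sequence such as "12345" or "abcde", and no personal data. The sample dictionary and the inputs in the demonstration are constructed for the example; a real deployment would load a full wordlist. The edge-decoration check goes slightly beyond the report, flagging a dictionary word that only has digits or symbols added at its beginning or end.

```python
import string

# Constructed sample dictionary for this example; a real check would load a
# full wordlist file (the report mentions publicly available lists).
SAMPLE_DICTIONARY = {"password", "welcome", "dragon", "summer", "madrid", "letmein"}

# Runs the report warns against ("12345", "abcde"), plus a keyboard row.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop")


def contains_sequence(password, min_run=4):
    """True if the password contains min_run or more consecutive characters
    taken from one of SEQUENCES, in either direction."""
    low = password.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - min_run + 1):
                if s[i:i + min_run] in low:
                    return True
    return False


def check_password(password, personal_data=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of findings; an empty list means the password meets the
    report's recommendations (length, character mix, no dictionary word, no
    simple sequence, no personal data)."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")

    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digits": any(c.isdigit() for c in password),
        "symbols": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))

    low = password.lower()
    if low in dictionary:
        findings.append("is a dictionary word")
    else:
        # Goes slightly beyond the report: a word with digits or symbols only
        # at its edges is still a dictionary word with a trivial decoration.
        core = low.strip(string.punctuation + string.digits)
        if core != low and core in dictionary:
            findings.append("dictionary word with symbols only at the edges: " + core)

    if contains_sequence(password):
        findings.append("contains a simple sequence such as 12345 or abcde")

    for item in personal_data:
        if item and item.lower() in low:
            findings.append("contains personal data: " + item)

    return findings


if __name__ == "__main__":
    # Constructed sample inputs, including a year of birth as personal data.
    for candidate in ("dragon", "Madrid1985!", "Tr3bol!Lluvia*Pez"):
        print(candidate, "->", check_password(candidate, personal_data=["1985"]) or "ok")
```

The function returns every problem found rather than a single pass/fail, so a registration form can tell the user what to change; the personal data to test against would come from the profile fields the user has already filled in.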

II Common attacks

The password, as a means of accessing a variety of resources, has always been an
attractive target for hackers. Consequently, methods to obtain it have existed for as long
as passwords themselves. The most usual attacks are:

a. Dictionary attacks. There are lists with hundreds of thousands of words, contained in
publicly available text files, in all languages. These are used by automated programs to
carry out dictionary attacks, which try each of these words against a protected resource
until one of them turns out to be the valid password. There are programs capable of trying
tens of thousands of passwords per second, taking advantage of the processing power of
today’s computers. Furthermore, there are also specific programs targeting particular
services or resources (e.g. mail servers, FTP accounts, etc.) that are freely available on
the Net. Hackers usually choose a username (the victim) and attempt to find the valid
password by trying all the dictionary words one after another in order to ‘crack’ the
password. If the password-protected system does not prevent this attack by blocking access
after a given number of attempts, the attacker can make as many attempts as desired. It is
possible to find thematic dictionaries with huge lists of words relating to a specific
topic (women’s names, men’s names, jobs, etc.) according to what may best fit the victim’s
profile.

² Available at: http://www.telegraph.co.uk/technology/news/6125081/Security-risk-as-people-use-same-password-on-all-websites.html,
http://www.readwriteweb.com/archives/majority_use_same_password.php
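The countermeasure mentioned above, blocking access after a given number of failed attempts, can be implemented as follows. This is an added example, not code from the report or from any product it describes; the thresholds (5 attempts, 15 minutes) and the account names are assumptions chosen for illustration, and the clock is injected so the lock can be exercised without waiting.

```python
import time


class LoginThrottle:
    """Blocks an account after too many consecutive failed attempts, which is
    the countermeasure the text describes. The clock is injected so the
    lockout can be exercised without waiting."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures        # assumption: 5 attempts
        self.lockout_seconds = lockout_seconds  # assumption: 15 minutes
        self.clock = clock
        self._failures = {}       # account -> consecutive failed attempts
        self._locked_until = {}   # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget the old failures so the user starts afresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, verify):
        """Run one login attempt. `verify` is a callable performing the real
        credential check; it is only invoked when the account is not locked,
        so a locked account rejects even the correct password. Returns
        "locked", "ok" or "failed"."""
        if self.is_locked(account):
            return "locked"
        if verify():
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return "failed"

    def failures(self, account):
        """Current count of consecutive failures for an account."""
        return self._failures.get(account, 0)


if __name__ == "__main__":
    # Constructed demonstration with a fake clock: three wrong guesses, then
    # the correct password is refused until the lock expires.
    now = [0.0]
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60, clock=lambda: now[0])
    for _ in range(3):
        print(throttle.attempt("victim", lambda: False))   # failed, failed, failed
    print(throttle.attempt("victim", lambda: True))        # locked
    now[0] += 61
    print(throttle.attempt("victim", lambda: True))        # ok
```

A lock keyed only by account can itself be used to lock a legitimate user out, so in practice it is combined with per-source throttling and with monitoring of bursts of failed logins, which are also the signal a dictionary attack leaves in the logs.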

b. Brute force attacks. These are mainly based on the same technique as dictionary
attacks. The difference is that this method goes a step further, trying all possible
combinations for a given set of characters and not only dictionary words. This means that
if, for example, the objective is to guess a password of 6 characters or fewer, the
attacker will start by trying the password "a", successively adding characters: "aa",
"aaa", "aaaa", "aaaaa", "aaaaaa", then "aaaaab", etc., and ending with "zzzzzz". In this
example, if only lowercase letters are used, the combinatorial analysis yields 481,890,304
possible attempts. Thanks to the power of current operating systems, trying all these
possible passwords may take just a few hours or minutes. This procedure is called
"password cracking" in computer slang.

There are also web services to which a user can send, for example, a password-protected
file and, upon payment of a fee, have it hypothetically deciphered and sent back. These
services are usually based on brute force techniques run on tens of computers in order to
be able to try all possible combinations.

Figure 1: Website providing password cracking services

Source: INTECO
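To make the combinatorial analysis above concrete, here is an added Python example (not from the report) that computes the size of a search space and the worst-case time to exhaust it at a given guessing rate. Called with an alphabet of 28 symbols and a fixed length of 6, keyspace() returns the 481,890,304 quoted above; the 50,000 guesses per second used in the demonstration is an assumption within the "tens of thousands per second" the text mentions, not a measured figure.

```python
def keyspace(alphabet_size, max_length, min_length=1):
    """Number of candidates of min_length..max_length characters drawn from an
    alphabet of alphabet_size symbols (the 'combinatorial analysis' above)."""
    return sum(alphabet_size ** n for n in range(min_length, max_length + 1))


def worst_case_seconds(candidates, guesses_per_second):
    """Time to exhaust the whole space at a given guessing rate."""
    return candidates / guesses_per_second


def human_duration(seconds):
    """Render seconds using the largest convenient unit."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def exhaustion_table(rate, cases):
    """cases: iterable of (label, alphabet_size, max_length). Returns rows of
    (label, candidates, worst-case time at `rate` guesses per second)."""
    rows = []
    for label, alphabet, length in cases:
        n = keyspace(alphabet, length)
        rows.append((label, n, human_duration(worst_case_seconds(n, rate))))
    return rows


if __name__ == "__main__":
    # Assumed rate for illustration: 50,000 guesses per second.
    for row in exhaustion_table(50_000, [
        ("lowercase, up to 6", 26, 6),
        ("lowercase + digits, up to 8", 36, 8),
        ("all printable ASCII, up to 8", 95, 8),
        ("all printable ASCII, up to 12", 95, 12),
    ]):
        print(row)
```

The table shows the point of recommendations a and b in Section I: each extra character multiplies the work by the alphabet size, so length and a larger alphabet together push exhaustive search from hours to far beyond any practical time.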

c. Network attacks. Passwords can travel across the network in clear text, i.e. not
encrypted in any way, so any hacker with access to the traffic transmitted from our
computer could see the password (and use it). Two scenarios make this possible: the
computer could be infected with a trojan horse, or an attacker could be located in the
internal network (connected to the same router as the victim) searching for that type of
information. In wireless networks, it is easier than it seems for an attacker to be on the
same network, since they do not need physical access to the router. In order to prevent
this data from travelling in clear text across the network, you need to make sure that
encryption (e.g. SSL for the web) is being used to access the different web resources.

Figure 2: Hacker viewing a FTP password that travels across the local network in clear text

Source: INTECO

d. Social engineering. This is one of the most effective methods, and the one with the
greatest number of variants, which an attacker can use to obtain a victim’s password. This
technique uses deception or persuasion to make the victim reveal the desired information
without feeling threatened. It may be, for example, a telephone call or email to the
victim in which the attacker pretends to be technical support requesting the password. It
is also usual to investigate the user’s habits, personal tastes, etc. in order to build a
more accurate profile. Using this information, the hacker could subsequently carry out a
much more effective dictionary attack. Social engineering can therefore also be used to
complement and improve those attacks.

Many websites providing password-protected content (e.g. email systems) have a password
recovery system based on answering a specific secret question, usually a piece of personal
information that very few people know. If that information is revealed (or some clue
leading to the answers to these questions), other services used by the user could be
compromised. The attacker only needs to pretend to be the victim who has forgotten the
password and provide the correct answer as proof that it is the legitimate owner who is
requesting it. If the data entered are valid (e.g. “name of the school where you studied”
or “your mother’s second surname”), the attacker could gain access to the
password-protected website without needing to know the password.

Figure 3: Secret question required to be able to reset a password in Yahoo Mail

Source: Yahoo.es

e. Shoulder sniffing. This technique consists of spying on users while they type their
passwords in order to track their keystrokes, or of reading the password on the screen if
the system does not hide it with the usual asterisks. In order to succeed, the attacker
must be physically located next to the victim. This situation is common in public places
with Internet access, such as cybercafés.

III Password management software

Password management software helps to manage passwords securely, without the need to
remember every password required. These tools also store (and sometimes generate)
passwords, protected with strong encryption, in a convenient way.

They are usually based on the strong encryption of a file which stores and organises all
the passwords. To access the encrypted file, the user only has to remember one password,
usually known as the “master password”. This password decrypts the file and, as a result,
gives access to the rest of the stored passwords. It is therefore vital for this master
password to be highly robust so as not to compromise the other passwords. It is also
extremely important that this password is not written down or divulged in any way.

Let us now look at some of the most effective free tools in this area.

PasswordSafe

This is one of the most popular free, open-source programs. Being open source ensures
that the tool does not contain any backdoor allowing its authors to collect users’ data.
The fact that the passwords are protected with publicly known cryptography guarantees
their security (at least against the methods known so far). It has a version that works
on any operating system and is really easy to use.

The program creates a file with the psafe3 extension, which stores all the passwords
entered by the user in encrypted form. This file can be transported safely on a USB key
or any other device since, unless somebody knows the master password, the data will not
be accessible.

The first step is to create a new database to store the passwords. The program allows you
to create as many databases (psafe3 files) as desired. When it is first run, it asks the
user to enter the future master password. It is important for the user to choose a long
password, mixing symbols, numbers, uppercase and lowercase letters, etc., and never to
write it down anywhere.

Figure 4: Initial window in the installation of PasswordSafe

Source: INTECO

If the user loses this password, they will not be able to access the database.

Figure 5: Master Password creation dialog box in PasswordSafe

Source: INTECO

Once the database is created, the user can add as many passwords as they wish. The
program displays all the stored passwords in a tree, organised in groups.

Figure 6: Creating a password within the PasswordSafe database

Source: INTECO

To access a password, you only need to open the program and double-click on the desired
entry. The password is copied to the system clipboard, from where it can be pasted into
any page that requires it. In this way the user does not even need to know the password
in order to use it. If desired, it can also be displayed and typed in manually using the
keyboard.

Figure 7: Passwords can be viewed in PasswordSafe

Source: INTECO

PasswordSafe can generate random passwords according to rules defined by the user:
length, combination of lowercase and uppercase letters, use of different characters, etc.

Figure 8: Password generation policy in PasswordSafe

Source: INTECO

The program stays in the Windows system tray. To bring it back up and display the
password tree again, you need to double-click on its icon. If the program has been idle
for longer than a configurable number of minutes, it locks itself and the master password
must be entered again to regain access to the password tree. This prevents somebody with
physical access to the system from opening the program after a period of inactivity.

A Spanish version is available, although it is older than the current English version and
has fewer functions.

It is available for download at: http://passwordsafe.sourceforge.net

KeePass

This is a free, open-source tool. It can be used on all types of platforms, from PCs to
smartphones. It is more complete than PasswordSafe, with additional features and
facilities.

For instance, it allows files to be used to protect the database. This means that the
user is not only protected by a master password but can also protect access with any
file (mp3, text file, etc.), known as a key file. A potential attacker would not only
need to know the password, but also to possess that specific file in order to access the
database.

Figure 9: Master Password creation dialog box in KeePass

Source: INTECO

Its basic functioning is very similar to that of PasswordSafe. It generates a file,
encrypted with a master password, with a key file or with both, which stores the rest of
the passwords in a tree structure.
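The following Python example, added here and not taken from PasswordSafe, KeePass or the report, shows the structure that the introduction to Section III describes and that KeePass extends with a key file: the master password is stretched with a salted key derivation function, optionally combined with the hash of a key file, and the resulting key both encrypts the password database and authenticates it, so that a wrong password or a missing key file is detected before anything is decrypted. To stay within the Python standard library the keystream is built from HMAC-SHA256 in counter mode, and the iteration count is an assumption; the real tools use their own file formats and standard ciphers, so this demonstrates the design, not either product's format.

```python
import hashlib
import hmac
import json
import os

KEY_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumption for this example; real tools choose their own stretching


def derive_key(master_password, salt, key_file_bytes=None, iterations=PBKDF2_ITERATIONS):
    """Stretch the master password with PBKDF2-HMAC-SHA256. If a key file is
    supplied (KeePass-style), its hash is folded in, so both the password and
    the file are needed to reproduce the key."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, KEY_LEN)
    if key_file_bytes is not None:
        key = hashlib.sha256(key + hashlib.sha256(key_file_bytes).digest()).digest()
    return key


def _subkeys(key):
    # Separate keys for encryption and authentication (encrypt-then-MAC).
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream built from HMAC-SHA256; demonstration construction only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(entries, master_password, key_file_bytes=None):
    """Serialise the entries dict and return salt || nonce || ciphertext || tag."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, key_file_bytes))
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def decrypt_vault(blob, master_password, key_file_bytes=None):
    """Verify the tag first, then decrypt. A wrong master password or key file
    produces a different MAC key, so the check fails before anything is decrypted."""
    if len(blob) < 16 + 16 + 32:
        raise ValueError("vault file too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _subkeys(derive_key(master_password, salt, key_file_bytes))
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or key file, or vault corrupted")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def try_unlock(blob, master_password, key_file_bytes=None):
    """Return the entries, or None if the master password or key file is wrong."""
    try:
        return decrypt_vault(blob, master_password, key_file_bytes)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample data: one stored credential and an arbitrary key file.
    entries = {"mail": {"user": "ana", "password": "Tr3bol!Lluvia*Pez"}}
    key_file = b"constructed bytes standing in for any file, e.g. an mp3"
    blob = encrypt_vault(entries, "long master passphrase", key_file)
    print("password + key file:", try_unlock(blob, "long master passphrase", key_file))
    print("password only:      ", try_unlock(blob, "long master passphrase"))
    print("wrong password:     ", try_unlock(blob, "guess", key_file))
```

Two design points carry over to the real tools: the salt makes precomputed guesses for the master password useless across vaults, and the iteration count deliberately slows each guess, which is why the text insists the master password itself must still be robust, since stretching only multiplies an attacker's cost by a constant factor.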

Figure 10: Creating a password with KeePass

Source: INTECO

KeePass can also generate strong passwords. The user does not choose the password; the
program does, following all the recommendations mentioned earlier or the guidelines set
by the user, e.g. a minimum password length and a specific set of characters, including
or excluding certain symbols, characters, etc.
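As an added example (not code from KeePass, PasswordSafe or the report), the following Python generator implements a policy of the kind both tools let the user define, as described for PasswordSafe above and for KeePass here: a length, the character classes to include, and characters to exclude. It draws from the operating system’s cryptographic random source and guarantees that every enabled class appears at least once; satisfies() applies the same policy to any password, including one typed by the user.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Rules of the kind both PasswordSafe and KeePass let the user define."""
    length: int = 16
    lowercase: bool = True
    uppercase: bool = True
    digits: bool = True
    symbols: bool = True
    exclude: str = ""          # characters to leave out, e.g. the ambiguous "0O1lI|"

    def character_classes(self):
        """Enabled classes with excluded characters removed; each must be used at least once."""
        sources = [
            (self.lowercase, string.ascii_lowercase),
            (self.uppercase, string.ascii_uppercase),
            (self.digits, string.digits),
            (self.symbols, string.punctuation),
        ]
        classes = []
        for enabled, chars in sources:
            if enabled:
                kept = "".join(c for c in chars if c not in self.exclude)
                if kept:
                    classes.append(kept)
        return classes


def generate_password(policy):
    """Generate a password from the OS CSPRNG that contains at least one character
    of every enabled class and otherwise draws uniformly from their union."""
    classes = policy.character_classes()
    if not classes:
        raise ValueError("policy enables no characters")
    if policy.length < len(classes):
        raise ValueError("length too short to cover every enabled class")
    rng = secrets.SystemRandom()
    chars = [rng.choice(cls) for cls in classes]
    pool = "".join(classes)
    chars += [rng.choice(pool) for _ in range(policy.length - len(chars))]
    rng.shuffle(chars)   # so the guaranteed class characters are not always first
    return "".join(chars)


def satisfies(policy, password):
    """Check a password against the policy (also usable for user-typed passwords)."""
    classes = policy.character_classes()
    pool = "".join(classes)
    return (len(password) == policy.length
            and all(c not in policy.exclude for c in password)
            and all(any(c in cls for c in password) for cls in classes)
            and all(c in pool for c in password))


if __name__ == "__main__":
    # Constructed policy: 20 characters, all classes, ambiguous glyphs excluded.
    policy = PasswordPolicy(length=20, exclude="0O1lI|")
    pw = generate_password(policy)
    print(pw, satisfies(policy, pw))
```

Using secrets rather than the random module matters here: a generator seeded predictably would let the set of passwords it can produce be enumerated, defeating the purpose of letting the program choose.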

Figure 11: Password generation window in KeePass

Source: INTECO

Unlike the other tools, this software accepts plug-ins³ to extend its functionality. It
is available for different platforms and in different languages.

It is available for download at: http://keepass.sourceforge.net/

LastPass

LastPass is a recent piece of software which extends the basic functionality of the other
programs in this category. It is not open source, but it does have a free version.

The main difference from the other tools analysed here is that LastPass stores the
passwords on its own servers, so that they are securely available to the user from any
location once the master password has been entered. Consequently, the first step is to
create an account on the servers of the software’s authors.

³ Plug-in: additional software that extends the functionality of an application.

This adds a backup function: since the passwords are stored on third-party servers, if
the user loses their local database they will always be able to retrieve it from the
servers of the software’s authors.

Another big difference is that LastPass can automatically fill in the forms of the pages
the user chooses, so there is no need to remember, let alone type, any password. It does
this through plug-ins installed in the browser.

Figure 12: Account creation in LastPass servers

Source: INTECO

It also allows the automatic generation of passwords according to the guidelines specified
by the user.

Figure 13: Generation of secure passwords with LastPass

Source: www.lastpass.com

It is available in various languages and works on different platforms, browsers, mobile
devices and operating systems.

It is available for download at: http://lastpass.com
