Duke University | IT Security Office | Password Protection for System Administrators|

Password Protection for System Administrators

So, we all know that passwords are the first line of defense for computer security. The problem is that most people tend to choose weak passwords. There are several things that we can do to help ensure strong passwords. The first is to make certain users choose good passwords. For places where that is not an option, we should audit passwords.

Auditing Passwords

Auditting passwords is the process of examining the current password file and testing the passwords in order to determine if they are strong. The general means of auditting such systems is to use a password "cracker". Since different systems store passwords in different manners, it is important to use a password cracker which understands your type of password file. Broadly speaking, there are two main types of password crackers, those which understand Unix password files and those which understand Windows password files.

Windows
- Cain and Abel
- John the Ripper
Unix
- John the Ripper
- Crack version 5.0

Requiring Strong Passwords

Perhaps a better approach for ensuring the use of strong passwords is to validate the password's strength when it is being changed (of course, this assumes that your users are changing their passwords). Essentially, we will be applying the password cracker up front. Of course, the standard initial argument about this idea is that cracking passwords takes a long time and the users don't want to wait. Fortunately, because the password changing program already has the unencrypted password, this step doesn't take very long at all.

There are a handful of different ways to require strong passwords. Again, the easiest breakdown is to look at tools for Windows and tools for Unix.

Windows provides a Password Filtering API. The API passes the unencrypted new password to a function in a library. The function returns essentially a yes or a no as to whether or not the change should be allowed. This is the way that Microsoft implements its basic password strength checks. The University IT Security Office took the "cracklib" library (which is based on the Unix program: crack) and wrapped it into the Microsoft API. The result is the Duke Password Filter (thanks to John Straffin for fixing the installer). Running the executable on a computer will install the password filter, make the modifications to the registry and install a text dictionary which it uses to make its checks.
Unix has several different ways to intercept the password in order to validate it.
- The PAM Cracklib library comes installed on many versions of linux and is turned on by default. Unfortunately, the last time we checked, this module does not play nicely with Solaris's PAM implementation.
- A similar PAM module based on John the Ripper can be configured for Linux, Solaris and HP/UX.
- If PAM is not available on your platform, you may also want to consider npasswd. Npasswd is a replacement for the Unix "passwd" command which uses the cracklib library to validate the password before updating it.