CSC-STD-002-85 DEPARTMENT OF DEFENSE PASSWORD MANAGEMENT GUIDELINE Approved for public release; distribution unlimited. 12 April 1985 DEPARTMENT OF DEFENSE COMPUTER SECURITY CENTER Fort George G. Meade, Maryland 20755 CSC-STD-002-85 Library No. S-226,994 FOREWORD This publication, "Department of Defense Password management Guideline," is being issued by the DoD Computer Security Center (DoDCSC) under the authority of and in accordance with DoD Directive 5215.1, "Computer Security Evaluation Center." The guidelines described in this document provide a set of good practices elated to the use of password-based user authentication mechanisms in automatic data processing systems employed for processing classified and other sensitive information. Point of contact concerning this publication is the Office of Standards and Products, Attention: Chief, Computer Security Standards. Robert L. Brotman 12 April 1985 Director DoD Computer Security Center ACKNOWLEDGMENTS Special recognition is extended to Sheila L. Brand, DoD Computer Security Center (DoDCSC), and Jeffrey D. Makey, formerly DoDCSC, as principal authors of this publication. Acknowledgment is also given for the contributions of: Daniel J. Edwards, Mary E. Flaherty, Steven J. Padilla, DoDCSC, John J. Stasak III, Gregory L. Wessel and Bernard Peters, Department of Defense, Col. Roger R. Schell, formerly DoDCSC, and James P. Anderson, James P. Anderson & Co, who gave generously of their time and expertise in the formulation and review of this document. ii CONTENTS FOREWORD..................................................... i ACKNOWLEDGMENTS.............................................. ii CONTENTS......................................................iii INTRODUCTION................................................. 1 1.0 SCOPE...........................................................1 2.0 CONTROL OBJECTIVES..................................... ....2 3.0 DEFINTIONS............................................... 3 4.0 GUIDELINES.............................................. 4 4.1 SSO Responsibilities.................................. 4 4.1.1 Initial System Passwords............... 4 4.1.2 Initial Password Assignment............... 4 4.1.3 Password Change Authorization............. 6 4.1.4 Group IDs................................ 6 4.1.5 User ID Revalidation....................... 6 4.2 User Responsibilities.............................. 6 4.2.1 Security Awareness........................ 6 4.2.2 Changing Passwords........................ 6 4.2.3 Log into a Connected System.................. 8 4.2.4 Remembering Passwords.................... 8 4.3 Authentication Mechanism Functionality............ 9 4.3.1 Internal Storage of Passwords ............. 9 4.3.2 Entry...................................... 9 4.3.3 Transmission............................... 10 4.3.4 Login Attempt Rate......................... 10 4.3.5 Auditing.................................... 10 4.4 Password Protection.............................. 11 4.4.1 Single Guess Probability.................. 11 4.4.2 Password Distribution ...................... 11 APPENDIX A: Password Generation Algorithm................... 13 APPENDIX B: Password Encryption Algorithm................... 13 APPENDIX C: Determining Password Length..................... 17 iii APPENDIX D: Protection Basis for Passwords.............. 23 APPENDIX E: Features for Use in Very Sensitive Applications 25 APPENDIX F: On the Probability of Guessing a Password..... 27 REFERENCES.................................................. 31 iv INTRODUCTION In August 1983, the DoD Computer Security Center published CSC-STD-001-83, Department of Defense Trusted Computer System Evaluation Criteria. That publication defines and describes feature and assurance requirements for six hierarchical classes of enhanced security protection for computer systems that are to be used for processing classified or other sensitive information. A major requirement common to all six classes is accountability: "Individual accountability is the key to securing and controlling any system that processes information on behalf of individuals or groups of individuals. A number of requirements must be met in order to satisfy this objective. "The first requirement is for individual user identification. Second, there is a need for authentication. Without authentication, user identification has no credibility. Without a credible identity (no) security policies can be properly invoked because there is no assurance that proper authorizations can be made." (2) This guideline has been developed `to assist in providing that much needed credibility of user identity by presenting a set of good practices related to the design, implementation and use of password-based user authentication mechanisms. It is intended that features and practices described in this guideline be incorporated into DoD automatic data processing (ADP) systems used for processing classified or other sensitive information. 1.0 SCOPE The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In a password-based authentication mechanism implemented on an ADP system, passwords are vulnerable to compromise due to five essential aspects of the password system: 1) a password must be initially assigned to a user when enrolled on the ADP system; 2) a user's password must be changed periodically; 3) the ADP system must maintain a "password database"; 4) users must remember their passwords; and 5) users must enter their passwords into the ADP system' at authentication time. This guideline prescribes steps to be taken to minimize the vulnerability of passwords in each of these circumstances. Specific areas addressed in this guideline include the responsibilities of the system security officer and of users, the functionality of the authentication mechanism, and password generation. The major features advocated in this guideline are: * Users should be able to change their own passwords. * Passwords should be machine-generated rather than user-created. * Certain audit reports (e.g., date and time of last login) should be provided by the system directly to the user. For certain sensitive applications such as Command and Control Systems, pertinent DoD directives should be referenced in order to assess the need for additional identification and authentication features. 2.0 CONTROL OBJECTIVES The CSC-STD-001-83 gives the following as the Accountability Control Objective: "Systems that are used to process or handle classified or other sensitive information must assure individual accountability whenever either a mandatory or discretionary security policy is invoked. Furthermore, to assure accountability, the capability must exist for an authorized and competent agent to access and evaluate accountability information by a secure means, within a reasonable amount of time, and without undue difficulty."(2) In order to attain the individual accountability required, it is necessary for the ADP system to be able to uniquely identify each person who uses it. In many cases, a password scheme will be used to achieve this. The Accountability Control Objective, applied to password systems, leads to the following control objectives for password systems. * Personal Identification Password systems used to control access to ADP systems that process or handle classified or other sensitive information must assure the capability to uniquely identify each individual user of the system. * Authentication Password systems used to control access to ADP systems that process or handle classified or other sensitive information must assure unequivocal authentication of the user's claimed identity. * Password Privacy Password systems must assure, to the extent possible, protection of the password database consistent with protection afforded the classified or other sensitive information processed or handled by the ADP system in which the password systems operate. * Auditing Password systems used to control access to ADP systems that process or handle classified or other sensitive information must be able to assist in the detection of password compromise. 3.0 DEFINITIONS * Access Port A logical or physical identifier that a computer uses to distinguish different terminal input/output data streams. * Expired Password - A password that must be changed by the user before login may be completed. * Password - A character string used to authenticate an identity. Knowledge of the password that is associated with a user ID is considered proof of authorization to use the capabilities associated with that user ID. * Password System - A part of an ADP system that is used to authenticate a user's identity. Assurance of unequivocal identification is based on the user's ability to enter a private password that no one else should know. * System Security Officer (SSO) - The person responsible for the security of an ADP system. The SSO is authorized to act in the "security administrator" role defined in CSC-STD-001-83. Functions that the SSO is expected to perform include: auditing and changing security characteristics of a user. * Trusted Identification Forwarding - An identification method used in networks where the sending host can verify that an authorized user on its system is attempting a connection to another host. The sending host transmits the required user authentication information to the receiving host. The receiving host can then verify that the user is validated for access to its system. This operation may be transparent to the user. * User ID - A unique symbol or character string that is used by an ADP system to uniquely identify a user. The security provided by a password system should not rely on secrecy of the user's ID. 4 4.0 GUIDELINES In the remainder of this document, guidelines for good practice are presented in bold print, while amplifications, examples, and rationale are presented in normal print. The guidelines are given with two degrees of emphasis. Those that are most important to the security of a password system are presented with such wording as "The SSO should ..." (the word "should" is the key), while less critical functions are presented with such wording as "It is recommended that." ("recommended" is the key). Because it is anticipated that diverse user communities will adopt this guideline, all recommendations are presented in general rather than specific terminology, divorced from vendor-specific hardware or system software. Where features require the setting of a specific value (e.g., password maximum lifetime), it is suggested that these be designed as parametric settings leaving the determination of exact values to local security management who understand the particular security requirements of their user environment. It is recommended that, whenever possible, the mechanisms discussed in this guide be automated. Automation will result in a minimal burden on the system administration and on the users, and thus in greater effectiveness of the mechanisms by eliminating situations where passwords might be exposed to people. 4.1 550 Responsibilities 4.1.1 Initial System Passwords Many ADP systems come from the vendor with a few standard user IDs (e.g., SYSTEM, TEST, MASTER, etc.) already enrolled in the system. The System Security Officer (SSO) should change the passwords for all standard user IDs before allowing the general user population to access the system. This can be easily assured if the standard user IDs are initially identified by the system as having "expired" passwords. (See section 4.2.2.1 for discussion of expired passwords.) 4.1.2 Initial Password Assignment The SSO is responsible for generating and assigning the initial password for each user ID. The user must then be informed of this password. In some areas, it may be necessary to prevent exposure of the password to the SSO. In other cases, the user can easily nullify this exposure. 4.1.2.1 Preventing Exposure There are methods that can be implemented to prevent exposure of a password to the SSO after it has been generated. One technique is to print the user's password on a sealed multipart form in such a way that it is not visible on the top page of the form. The SSO would then protect the sealed password appropriately until it could be delivered to the user. In this case, the password is generated randomly by the ADP system and is not known by the SSO. 5 The password should be seated so it is not visible and cannot be made visible without breaking the seal. Delivery of the password in this manner could require several days. Another method of preventing exposure is to have the user present at password generation. The SSO must initiate the procedure and the user must shield the generated password and then remove or erase it from the display. This method cannot be used when user terminals are at remote locations. It is recommended that a technique comparable to one of the above be used to prevent exposing a user's initial password to the SSO. Whatever method is used to distribute passwords, the SSO must receive an acknowledgment of receipt of the password within a specified time period. 4.1.2.2 Nullifying Exposure When a user's initial password must be exposed to the SSO, this exposure may be nullified by having the user immediately change the password by the normal procedure. (Presumably, this change procedure does not expose the new password to the SSO.) When a user's initial password is not protected from exposure to the SSO, the user ID should be identified by the system as having an "expired password" which will require the user to change the password by the usual procedure (see section 4.2.2.3) before receiving authorization to access the system. 4.1.2.3 Classification Assignment Where the password must be classified, the initial classification assignment should be entered by the SSO to designate the highest security level that may be associated with each user's initial password and its successors. 4. 13 Password Change Authorization Occasionally, a user will forget the password or the SSO may determine that a user s password may have been compromised. To be able to correct these problems, it is recommended that the SSO be permitted to change the password of any user by generating a new one. The SSO should not have to know the user's password in order to do this, but should follow the same rules for distributing the new password that apply to initial password assignment (see section 4.1.2). Positive identification of the user by the SSO is required when a forgotten password must be replaced. 6 4. 1.4 Group IDs Throughout the lifetime of an ADP system, each user ID should be assigned to only one person. In other words, no two people may ever have the same user ID at the same time, or even at different times. It should be considered a security violation when two or more people know the password for a user ID (except in the case when the SSO is the other person and the user ID is identified by the system as having an "expired password">. Note that there is no intention of prohibiting alternate forms of user identification (e.g., group IDs,functional titles) for non-authentication purposes (e.g., data access control, mail). If alternate IDs are used, they must be based on user IDs. 4.1.5 User ID Revalidation The SSO should be responsible for the development of a procedure whereby prompt notification is given to the SSO when a user ID and password must be removed from the ADP system (e.g., when an employee leaves the sponsoring organization>. In addition, all user IDs should be revalidated periodically, and information such as sponsor and means of off-line contact (e.g., phone number,mailing address) updated as necessary. It is recommended that this revalidation be done at least once per year. 4.2 User Responsibilities 4.2.1 Security Awareness Users should understand their responsibility to keep passwords private and to report changes in their user status, suspected security violations, etc. To assure security awareness among the user population, it is recommended that each user be required to sign a statement to acknowledge understanding these responsibilities. 4.2.2 Changing Passwords The simplest way to recover from the compromise of a password is to change it. Therefore, passwords should be changed on a periodic basis to counter the possibility of undetected password compromise. They should be changed often enough so that there is an acceptably low probability of compromise during a password's lifetime. To avoid needless exposure of users' passwords to the SSO, users should be able to change their passwords without intervention by the SSO. 4.2.2.1 Password Lifetime The most obvious threat to the security provided by a password system is from the compromise of passwords. The greater the length of time during which a password is used for authentication purposes,the more opportunities there are for exposing it. In a useful password system, the probability of compromise of a password increases during its lifetime. For a period of time, this probability could be considered 7 acceptably low while after a longer period of time, it would be considered unacceptably high. At this latter point, use of the password should be considered suspect rather than a reliable proof of identity. By appropriately limiting the length of time (called the password lifetime) during which a password can be used,the vulnerability of the password can remain acceptable. There should be a maximum lifetime for all passwords. To protect against unknown threats, it is recommended that the maximum lifetime of a password be no greater than 1 year. The presence of known threats may indicate a need for a shorter maximum lifetime. Also, depending on the size of the password space and on how fast a penetrator can execute a login attempt, it may be necessary to change passwords even more frequently. See Appendix C for a discussion of the relationship between password lifetime, password space and the guess rate. A password should be invalidated at the end of its maximum lifetime. It is recommended that, at a predetermined period of time prior to the expiration of a password's lifetime, the user ID it is associated with be notified by the system as having an "expired" password. A user who logs in with an ID having an expired password should be required to change the password for that user ID before further access to the system is permitted. If a password is not changed before the end of its maximum lifetime, it is recommended that the user ID it is associated with be identified by the system as "locked." No login should be permitted to a locked user ID, but the SSO should be able to unlock the user ID by changing the password for that user ID, following the same rules that apply to initial password entry (see section 4.1.2). After a password has been changed, the lifetime period for the password should be reset to the maximum value established by the system. 4.2.2.2 Change Authorization To be consistent with the Password Privacy control objective, users (other than the SSO) should be permitted to change only their own passwords. To ensure this, it is recommended that the user enter the old password and the user ID/password combination be validated as part of the password changing procedure. 4.2.2.3 Change Procedure Changing a password in a secure manner involves several steps. The following procedure is recommended: The procedure should be invoked at the user's request or when a user logs in with an expired password. If the change is necessary due to an expired password, the user should be so informed. The user should be presented with a brief summary of the major steps in changing a password, including a caution that the user should ensure that no one else is watching what the user is doing. Except 8 when the change procedure is part of the login procedure (e.g., logging in with an expired password>, the user's current password should be entered to re-authenticate identity. The change procedure should display a new password for the user. The new password should be different from the old one and should be generated by angenerated by any algorithm that satisfies the specifications in Appendix A. The user should then enter the new password twice so the procedure can verify that the user can consistently enter the password correctly. The new password should be obliterated by techniques such as overprinting or terminal screen erasing. If the two entered passwords are identical to the generated password, the password data base should be updated (i.e., the old password deleted or invalidated andthe new password associated with the user ID) and a message to this effect should be displayed. Failure by the user to correctly enter the current password or the generated password should result in a useful error message to the user and in the change procedure being aborted without changing the password. When the attempt to change an expired password is not successful, the password should be retained as expired and the user given the option to again change the password or logout. An audit record should be generated that indicates whether or not the change was successful. 4.2.3 Login to a Connected System Users should be required to authenticate their identities at "login" time by supplying their password along with their user ID. It is recommended that some form of trusted identification forwarding be used between hosts when users connect to other ADP systems through a network. When trusted identification forwarding is not used, a remote host should require the user's ID and password when logging in through a network connection. Note that user IDs on different hosts for the same user may be different, and that corresponding machine-generated passwords almost certainly will be different. Note also that a password required by a remote host is vulnerable to compromise by the local host or intermediate hosts. 4.2.4 Remembering Passwords Since users must supply their passwords to the ADP system at authentication time, it follows that they must know what their passwords are. It is recommended that users memorize their passwords and not write them on any medium. If passwords must be written,they should be protected in a manner that is consistent with the damage that could be caused by their compromise. See Appendix D for guidance on the protection of passwords. 9 4.3 Authentication Mechanism Functionality 4.3.1 Internal Storage of Passwords It is normally necessary for the ADP system to store internally the user ID for each authorized system user as well as some representation of the password and, when required, the clearance and authorizations that are associated with each user ID. Without some form of access control over this information, it will be possible for unauthorized users to read an-or modify the password database. Unauthorized reading and writing of the password database are a concern. Reading it could result in disclosure of passwords to unauthorized users. Being able to write it could result, for example, in user A changing user B's password so user A could log in under user B's identity. Note that it is necessary for the login process to be able to read the password database and the password changing process to be able to read and write the password database. Stored passwords should be protected by access controls provided by the ADP system, by password encryption, or by both. 4.3.1.1 Use of Access Control Mechanisms Access control mechanisms (e.g., mandatory or discretionary controls as discussed in CSC-STD-001-83) should be used to protect the password data base from unauthorized modification and disclosure. 4.3.1.2 Use of Encryption Encryption of stored passwords should be used whenever the access control mechanisms provided by the ADP system are not adequate to prevent exposure of the stored passwords. It is recommended that password encryption be used even when other access controls are considered adequate, as this helps protect against possible exposure when access controls are bypassed (e.g., system dumps). When encryption is used to protect stored passwords, it is recommended that the algorithm meet the specifications in Appendix B. It is recommended that encryption be done immediately after entry, that the memory containing the plaintext password be erased immediately after encryption, and that only the encrypted password be used in comparisons. There is no need to be able to decrypt passwords. Comparisons can be made by encrypting the password entered at login and comparing the encrypted form with the encrypted password stored in the password database. 4.3.2 Entry Encryption of stored passwords should be used whenever the access control mechanisms provided by the ADP system are not adequate to prevent exposure of the stored passwords. It is recommended that password encryption be used even when other access controls are considered adequate, as this helps protect against possible exposure when access controls are bypassed (e.g., system dumps). When encryption is used to protect stored passwords, it is recommended that the algorithm meet the specifications in Appendix B. It is recommended that encryption be done immediately after entry, that the memory containing the plaintext password be erased immediately after encryption, and that only the encrypted password be used in comparisons. There is no need to be able to decrypt passwords. Comparisons can be made by encrypting the password entered at login and comparing the encrypted form with the encrypted password stored in the password database. Passwords should be entered after providing a user ID to the system. If the entry is correct, the system should then display the date and time of the user's last login. It is recommended that the system not echo passwords that users type in. When the system cannot prevent a password from being 10 echoed (e.g., in a half-duplex connection), it is recommended that a random overprint mask be printed before or after the password is entered, as appropriate, to conceal the typed password. The complete password as entered by the user should be an exact match, character for character, with the user's current password. 4.3.3 Transmission During transmission of a password from a user's terminal to the computer in which the authentication is done, passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise. Since passwords are no more sensitive than the data they provide access to, there is generally no reasonto protect them, during transmission, to any greater degree (e.g.,encryption) than regular data is protected. See Appendix D for guidanceon the protection of passwords. 4.3.4 Login Attempt Rate By controlling the rate at which login attempts can be made (where each attempt constitutes a guess of a password), the number of guesses a penetrator can make during a password's lifetime is limited to a known upper bound. To control attacks where a penetrator attempts many logins through a single access port, the password guess rate should be controlled on a per-access port basis. That is, each access port should be individually controlled to limit the rate at which login attempts can be made at each port. When a penetrator can easily switch among multiple access ports, it is recommended that the password guess rate also be controlled on a per-user ID basis. It is recommended that maximum login attempt rates fall within the range of one per second to one per minute. This range provides reasonable user-friendliness without permitting so many login attempts that an extremely large password space or an extremely short password lifetime is necessary. See Appendix C for a discussion of the relationship between the guess rate, password lifetime, and password space. Note that it is not intended that login be an inherently slow procedure, for there is no reason to delay a successful login. However, in the event of an unsuccessful login attempt, it is quite reasonable to use an internal timer to enforce the desired delay before permitting the next login attempt. The user should not be able to bypass this procedure. 4.3.5 Auditing 4.3.5.1 Audit Trails The system should be able to create an audit trail of password usage and changes. Such an audit trail should not contain actual passwords or character strings that were incorrectly given as passwords, since this could expose the password of a legitimate user who mistyped his user ID or password. Auditableevents should include: successful login, unsuccessful login 11 attempts, use of the password changing procedure, and the locking of a user ID due to its password reaching the end of its lifetime. For each recorded event, the audit record should include: date and time of the event, type of event, offered user ID for unsuccessful logins or actual user ID for other events, and origin of the event (e.g., terminal or access port 11'). Audit records of password changes should also indicate whether or not the change was successful. 4.3.5.2 Real-time Notification to System Personnel It is recommended that each accumulation of 5 consecutiveunsuccessful login attempts from a single access port or against a single user ID results in immediate notification of the event to the ADP system operator or the SSO. While there is no requirement for the SSO or operator to take any action upon receiving the notification, frequent notifications may indicate that a penetration attempt is in progress and may warrant investigation and possible corrective action. 4.3.5.3 Notification to the User Upon successful login, the user should be notified of: * The date and time of user's last login; * The location of the user (as can best be determined) at last login; and * Each unsuccessful login attempt to this user ID since the last successful login. This provides a means for the user to determine if someone else is using or attempting to guess this user ID and password. 4.4 Password Protection 4.4.1 Single Guess Probability The probability that any single attempt at guessing a password will be successful is one of the most critical factors in a password system. This probability depends on the size of the password space and the statistical distribution within that space of passwords that are actually used. Since many user-created passwords are particularly easy to guess all passwords should be machine generated using an algorithm that meets the specifications in Appendix A. 4.4.2 Password Distribution During distribution to the user. passwords should be protected to the same degree as the information to which they provide access.machine-generated passwords should be displayed on the user's terminal at time of change, along with appropriate cautions to the 12 user to protect the password. At the completion of the change procedure, it is recommended that displayed passwords be erased or overstruck, as appropriate for the terminal type. Passwords changed by the 550 should be distributed in a manner that is consistent with the damage that could be caused by their compromise. See Appendix D for guidance on the protection of passwords. 13 APPENDIX A Password Generation Algorithm This appendix describes the requirements to be met by an acceptable password generation algorithm. The issues involved relate to the specifications for password space, random seed generation, pseudo-random number generation and "user- friendly" passwords. A.1 Password Space The size of the password space is a function of the size of the alphabet and the number of characters from that alphabet that are used to create passwords. (The maximum size of the password space can be expressed as 5 A where 5 is the maximum password space, A is the alphabet size and M is the password length.) To determine the minimum size of the password space needed to satisfy the security requirements for an operational environment, equation [3] in Appendix C can be used. The password generation algorithm selected should be able to generate at least that number of passwords. In addition, the generated passwords should be, at a minimum, 6 characters in length. A.2 Random Seeds When a pseudo-random number generator is used in a password generation algorithm, it should accept as input random data that would provide output which has a high degree of unpredictability. This random data (seed) can be derived from a number of available parameters such as a system clock, system registers, date, time, etc. The parameters should be selected to ensure that the number of unique seeds that can be generated from these inputs should be at least equal to the minimum number of passwords that must be generated. When passwords are used to protect classified information, the seed generator should be approved by the DoD Computer Security Center. A.3 Pseudo-Random Number Generator Using a random seed as input, the pseudo-random number generator that drives a password generation algorithm should have the property that each bit in the pseudo-random number that it generates is a complex function of all the bits in the seed. The Federal Data Encryption Standard (DES), as specified in FIPS 46, (9) is an example of a pseudo-random number generator with this property. If DES is used, it is suggested that the 64-bit Output Feedback (OFB) mode be used as specified in FIPS 81 (10). In this case, the seed used as input could consist of: * An initialization vector * A cryptographic key * Plaintext 14 Factors that can be used as input to these parameters are: For the initialization vector: * System clock * System ID * User ID -Date and time For the cryptographic key: * System interrupt registers * System status registers * System counters The plain text can be an external randomly generated 64-bit value (8 characters input by the 550). The resulting pseudo-random number that is output will be the 64 bits of cipher text generated in the 64-bit OFB mode. The password generation algorithm can either format this pseudo-random number into a password or use it as an index (or indices) into a table and use the contents from this table to form a password or a passphrase. A.4 "User-Friendly" Passwords To assist users in remembering their passwords, the password generation algorithm should generate passwords or passphrases that are "easy" to remember. Passwords formed by randomly choosing characters are generally difficult to remember. Passwords that are pronounceable are often easy to remember, as are passphrases that are formed by concatenating real words into a phrase or sentence. 15 APPENDIX B Password Encryption Algorithm Password encryption is advocated as a password protection measure. The algorithm selected for this would be determined by the system environment. Some environments may require that a classified encryption algorithm be used, while for other environments an unclassified algorithm would be required. B.1 Encryption Algorithm A conventional or public key cryptographic algorithm which is configured as a "one-way" encryption algorithm may be used for password encryption, but whatever algorithm is used, the protection the encryption algorithm provides should rely on its complexity. If there is a key that can be used with the algorithm to decrypt passwords, that key should not be stored in the ADP system. B.2 Assurance for Unique Encrypted Passwords If a password encryption system depends only on the password and other fixed information, there is a possibility that two different users will have identical encrypted passwords. A user who discovers another user with an identical encrypted password will then know that the same password will work for both user IDs even if they don't have identical plaintext passwords. To minimize this possibility, it is recommended that the encryption algorithm use the ADP system name (in network environments) and the user's ID as factors in the encryption. (This can be easily accomplished by concatenating the system ID, user ID and password, and then applying the encryption algorithm to the resulting string.) 16 APPENDIX C Determining Password Length The security afforded by passwords is determined by the probability that a password can be guessed during its lifetime. The smaller that probability, the greater the security provided by the password. All else being equal, the longer the password, the greater the security it provides. This appendix reviews the mathematics involved in establishing how long a password should be. The basic parameters that affect the length of the password needed to provide a given degree of security are: L = maximum lifetime that a password can be used to log into the system. P = probability that a password can be guessed within its lifetime, assuming continuous guesses for this period. R = number of guesses per unit of time that it is possible to make. S = password space, i.e., the total number of unique passwords that the password generation algorithm can generate. C.1 Relationship Considering only the cases where S is greater than L x R and therefore P is less than 1, the relationship between these parameters is expressed by the equation: P = L x R [I] A detailed explanation of the derivation of this basic equation is given in Appendix F. C.2 Guess Rate Several factors contribute to the rate at which attempts can be made to gain access to the data on a system when a valid password is not known. First and foremost is the protection given to the password data base itself. If the password data base is unprotected (i.e., can be read by anyone as ordinary data), then "guessing" may not be required. If the password data base can be read. but the passwords are encrypted (see Appendix B), a very high guess rate may be possible by using a computer to try a dictionary of possible passwords to see if ciphertext can be generated that is the same as one in the password data base. A similar situation frequently occurs where only passwords are used to protect files. 16 Finally, if the password data base has effective access controls and the login procedure cannot be bypassed, the guess rate can be controlled by setting limits on the number of login or other attempts that can be made before terminating the connection or process. C.3 Password Lifetime All other things being equal, the shorter the lifetime of a password, the fewer the number of guesses that can be made and thus the greater the degree of password security. As stated in 4.2.2.1, the maximum password lifetime should not exceed one year. C.4 Password Space Password length and alphabet size are factors in computing the maximum password space requirements. Equation [2] expresses the relationship between S, A, and M where: S = password space A = number of alphabet symbols M = password length S = AM [2] To illustrate: If passwords consisting of 4 digits using an alphabet of 10 digits (e.g., 0-9) are to be generated: S = 104 That is, 10,000 unique 4-digit passwords could be generated. Likewise, to generate random 6-character passwords from an alphabet of 26 characters (e.g., AZ): S = 266 That is 3.089 * 108 unique 6-character passwords could be generated. "User-friendly" passwords (sometimes referred to as passphrases) could be generated by using, for example, 3 symbols from an alphabet (dictionary) of 2000 symbols, where each symbol was a pronounceable word of 4, 5, or 6 characters. Using equation [2] and setting: A = 2000 symbols (words) M = 3 Then S = 20003 That is, 8 * 109 unique passwords could be generated where each password was made up of 3 words taken from a dictionary of 2000 words. 19 C.5 A Procedure for Determining Password Length What is important in using passwords is how long to make the password to resist exhaustive penetration attacks. We can do this by using the following procedure: a. Establish an acceptable probability, P, that a password will be guessed during its lifetime. For example, when used as a login authenticator, the probability may be no more than 1 in 1,000,000. In another case, where very sensitive data is involved, the value for P may be set at 10-20. b. Solve for the size of the password space, 5, with the equation derived from equation [1] S = G [3] P where G L x R c. Determine the length of the password, M, from the equation M = log S [4] log (number of symbols in the "alphabet") M will generally be a real number that must be rounded up or down to the nearest whole number. Examples of calculating many of the values described above are given below. C.6 Worked Examples An example shown here is drawn from a real network case. The problem is to determine the needed password length to reduce to an acceptable level the probability that a password will be guessed during its lifetime. The network to which this is applied supports both a 300-baud and a 1200-baud service. Experiments on the network have determined that it is possible to make about 8.5 guesses per minute on the 300-baud service and 14, guesses per minute on the 1200-baud service. (The reason that the "guess rate' for the 1200-baud service is not 4 times that of the 300-baud service is that the system response time, which is not affected by the improved transmission speed, becomes the limiting factor in how many guesses can be accomplished in a given amount of time.) In this example, the arbitrary value of 10-6 is used for the probability (P) of guessing the password in its lifetime. As we will see below, the password lifetime is not the critical factor here as long as the password is changed at least once per year. The statement of the problem is to find a password length that will resist being guessed with a probability of 1 in 106 in 1 year of continuous guesses. When three parameters in equation [1] are known, the fourth value can be found. To find the password space required by our examples, the following parameters are given: 20 L is set for 6 months and 12 months. P is set for 1 in 1,000,000 (acceptable probability of guessing the password). R is set at 8.5 guesses per minute (guess rate possible with 300-baud service). At 8.5 guesses per minute, the number of guesses per day would be 12,240. Substituting 183 days for 6 months then using equation [3], S = G 183x12240 - 2.23992x1012 passwords P -000001 The 12-month value is twice that of the 6-month case. With this data, and using equation [4], we can determine the length of the passwords as a function of the size of the alphabet from which they are drawn. We will assume two alphabet sizes: a 26-letter alphabet and a 36-letter-and-number alphabet. M = log (2.23992 x 1012) 8.72 (for 6-month lifetime) log 26 M = log (4.4676x1012) 8.94 (for 12-month lifetime) log 26 M = log (2.23992x1012) 7.93 (for 6-month lifetime) log 36 M = log (4.4676 x 1012) 8.13 (for 12-month lifetime) log 36 Table 1 presents the results. TABLE 1 MAXIMUM Length of Password LIFETIME (months) 26-Character alphabet 36-Character alphabet 6 9 8 (rounded up from 8-72) (rounded up from 7.93) 12 9 8 (rounded up from 8.94) (rounded down from 8.13) 21 C.7 Passphrases A "passphrase" is a concatenation of words drawn from a dictionary. The dictionary is merely the collection of symbols making up the "alphabet" from which the password is generated. As an example, suppose the passphrase is made up of words drawn from a dictionary of 4, 5 and 6 letter words. There are approximately 3,780 4-letter words, 7,500 5-letter words and 12,000 6-letter words in English. The "alphabet size" for generating passphrases is approximately 23,300. We can compute how many words, drawn at random from the dictionary of 23,300 words, are needed to produce a passphrase that will be resistant to exhaustive attack with the probability of 1 x 10-6. We have to solve for 5 as before, and from that, solve for M, the length of the password (i.e., number of alphabet symbols or words). For L = 12 months, 5=4.4676*1012, log S = 12.6500 For L = 6 months, 5=2.2399*1012, log S = 12.3502 Log 23300 4.3669 Using equation (4) we obtain: For L = 12 months M 12.6500 3 (rounded from 2.89) 4.3669 For L = 6 months M 12.3502 3 (rounded from 2.82) 4.3669 Thus, for the passphrase algorithm described, namely selection at random from a dictionary of 23,300 words, only 3 words are needed in a passphrase to obtain the desired resistance to exhaustive enumeration. In using the algorithm, each word of the phrase is drawn independently from the dictionary. This may result in a word appearing more than once in the passphrase. 23 APPENDIX D Protection Basis for Passwords Passwords are used to prevent people who have physical access to an ADP system from gaining access to data belonging to another user. Thus, a password should be protected in a manner that is consistent with the damage that might be caused by its exposure to someone who has the opportunity to use it (i.e., has physical access to the ADP system terminals). Exposure of a password to someone who is physically prevented from attempting to use it is not a threat. D.1 Systems Containing Only Unclassified Information Although an ADP system may process only unclassified information, it still may require that the data be protected from unauthorized use. Although the password is unclassified, the obligation remains that the user protect this password so that only those with a need-to-know can access the data. D.2 Systems Containing Classified Information Passwords that are used in AD P systems that operate in the dedicated or system high security modes (3) should not be classified, but should be protected to the same degree as For Official Use Only information. In this case, there is no need to classify passwords since access to the area in which the system resides is restricted to those with a clearance as high as the highest classification level of the information processed. A person who obtained a password for a system running in dedicated or system high security mode but who did not possess the proper security clearance would be unable to gain physical access to the system and use the password. For systems operating in the multilevel security mode (3), passwords may or may not have to be classified. When the ability to access classified information is based on the physical protection of the terminal rather than on the identity of the user (i.e., when all terminals are single-level devices), passwords should not be classified, but should be protected to the same degree as For Official Use Only information. There is no need to classify passwords that can only be used on single-level terminals, since physical access to single-level terminals is controlled to the level associated with the terminal. When the ability to access classified information is based on the user's identity and is not restricted by the level of the terminal (i.e., multilevel terminals), each password must be classified to the highest level of the information to which it provides access. When multilevel terminals are used, the system determines the user's access authorizations to classified material based on his identity, and authenticates the identity by requiring a password. Thus. the ADP system can protect the information it processes only to the extent that passwords are protected. For example, a user with a Secret clearance can access Secret information. 24 Compromise of that user's password could result in the compromise of Secret information; therefore, the password would be classified Secret. In the case of a system with multilevel terminals, disclosure of a Top Secret user's password to a Secret user would allow the Secret user to login as the Top Secret user and thus gain access to Top Secret information. Disclosure of Top Secret information to someone with only a Secret clearance can cause exceptionally grave damage to the national security. Since disclosure of the Top Secret user's password could lead to this, the password must be classified Top Secret (5). Note that classified passwords must not be used on terminals that are not authorized for data at the level of the password (e.g., a Top Secret password must not be used on a Secret terminal). The presence of both single-level and multilevel terminals on a system may indicate the need for passwords at each security level. At a minimum, an unclassified password should be available for use on terminals that are only authorized for unclassified data. 25 APPENDIX E Features for Use in Very Sensitive Applications The following features can be used to enhance the security provided by a password system. Because they are somewhat "user-unfriendly," they are recommended for environments only when there is a high threat of password compromise. E.1 One-Time Passwords One-time passwords (i.e., those that are changed after each use) are useful when the password is not adequately protected from compromise during login (e.g., the communication line is suspected of being tapped). The difficult part of using one-time passwords is in the distribution of the new passwords. If a one-time password is changed often because of frequent use, the distribution of new one-time passwords becomes a significant point of vulnerability. There are products on the market that generate such passwords through a cryptographic protocol between the destination host and a hand-held device the user can carry. E.2 Failed Login Attempt Limits In some instances, it may be desirable to count the number of unsuccessful login attempts for each user ID and to base password expiration and user ID locking on the actual number of failed attempts. (Changing a password would reset the count for that user ID to zero.) For example, the password could be identified as expired after 100 failed login attempts, and the user ID locked after 500. 27 APPENDIX F On the Probability of Guessing a Password Appendix C discusses the techniques for finding a password length that will resist exhaustive enumeration over the lifetime of the password with a given probability. This appendix derives the probability of guessing a password during its lifetime. As in Appendix C, we use the parameters: L = password lifetime R = guess rate S = size of the password space P = probability of guessing a password during its lifetime The total number of guesses, (G), that can be made during a password's lifetime is: G = R x L [1] At this point, we need to consider the relation of the size of the password space, 5, to G. Clearly, if 5 is so small that one could try all possible passwords before the lifetime of the password expires, the probability of guessing the password is l. As a result, we consider only cases where 5 is greater than G. The probability question then is, "For the case where 5 is greater than G, what is the probability that in G guesses the password will be guessed?" This is the same as asking the question, "What is the probability that in the lifetime of the password, it will be guessed?" The probability sought is: How many ways one can make G guesses (of S objects) P = that include the password How many different ways one can make G guesses of S objects Note that the probability that is appealed to is of the simplest form. It is derived from the definition of probability that the probability of an event is given by the number of ways the event can happen divided by the number of ways an event can happen or fail. We first observe that the total number of ways one can make G guesses of 5 things is given by sCg (the combinatorial notation that means the number of combinations of "s" things taken "g" at a time). (Lower case letters are used with the combinatorial notation in order to make the expressions more readable.) This is determined by: s! g!(s-g)! Thus, if 5 - A B C,D,E, one could make 3 guesses in 5C3 different ways, 5*4*3*2*1/3*2*1*2*1 10. 28 (Enumerating, they are ABC~ABD,ABE,ACD,ACE,ADE,BCD,BCE,BDE~C~~.) The problem of finding the number of guesses of this total that include a specific password, e.g., an "A", is addressed by considering a reduced set without the specific password and asking how many ways one can make G guesses with the reduced set. Then, the total number of ways to make G guesses that include the specified password is the difference between the two values. This is given by: sCg-(s-1)Cg [2] That is, remove the designated password from the set 5, compute the number of ways of making G guesses without the password, then consider the difference between the two values. If we ask in our example how many ways to make 3 guesses that do NOT include a particular password from the set of 5 (say an "A"), this is given by: 4C3 4*3*2*1/3*2*1*1 = 4 Enumerating for the specific case of an "A", they are BCD,BCE,BDE,CDE. The number of ways to make 3 guesses that include the designated element is 10-4 6. Thus, the probability of guessing a designated password in 3 guesses is 6/10 or 6. Simplification: It is indeed fortuitous that there is a theorem in any number of books on Probability Theory that states: nCr (n-1)C(r-1) + (n-1)Cr [3] This may also be expressed as: nCr- (n-1)Cr (n-1)C(r-1) [4] Substituting s for n and g for r we obtain the expression: (s-1)C(g-1) [5] for the number of ways of making G guesses that include a specific password. Then, the probability that a given password will be guessed during the lifetime of that password is given by: P (s-1)C(g-1) [6] sCg 29 Evaluating this expression gives: (s-1)! (s-1)! P = (g-1)!((s-1)-(g1))! = (g-1)1(s-g)! = g!(s-1)! = g s! s! (g-1)!s! s g!(s-g)! g!(s-g)! This derivation of the probability of guessing a password during its lifetime, i.e., P = G [8] is important in that it allows us to derive the size of the password space S = G [9] P given an acceptable probability of not guessing the password during its lifetime. 30 REFERENCES 1. Brown, R. L. Computer System Access Control Using Passwords, 1985 , Aerospace Corporation, 16 January 1984. 2. DoD Computer Security Center. Department of Defense Trusted Computer System Evaluation Criteria, CSC-STD-00183, 15 August 1983. 3. DoD Directive 5200.28, Security Requirements for Automatic Data Processing (ADP) Systems, revised April 1978. 4. Downey, P. J. Multics Security Evaluation: Password and File Encryption Techniques, ESD-TR-74-193, Vol. III, AD-A045279, AFSC Electronic Systems Division, Hanscom AFB, Mass., June 1977. 5. Executive Order 12356, National Security Information, 6 April 1982. 6. Gasser, M. A Random Word Generator for Pronounceable Passwords, MTR-3006, ESD-TR-75-97, AD-A017676, MITRE Corp., Bedford, Mass.,November 1975. 7. Wood, H.M. The Use of Passwords for Controlled Access to Computer Resources, NBS Special Publication 500-9, U.S. Department of Commerce, National Bureau of Standards, May 1977. 8. National Bureau of Standards. Federal Information Processing Standards Publication 112, Password Usage Standard, 30 May 1985. 9. National Bureau of Standards. Federal Information Processing Standards Publication 46, Data Encryption Standards, 15 January 1977. 10. National Bureau of Standards. Federal Information Processing Standards Publication 81, DES Modes of Operation, 2 December 1980.