CSC-STD-002-85
DEPARTMENT OF DEFENSE
PASSWORD MANAGEMENT
GUIDELINE
Approved for public release;
distribution limited.
12 April 1985
DEPARTMENT OF DEFENSE
COMPUTER SECURITY CENTER
Fort George G. Meade, Maryland
20755
CSC-STD-002-85
Library No. S-226,994
FOREWORD
This
publication, "Department of Defense Password management
Guideline,"
is being issued by the DoD Computer Security Center
(DoDCSC)
under the authority of and in accordance with DoD
Directive
5215.1, "Computer Security Evaluation Center." The
guidelines
described in this document provide a set of good
practices
elated to the use of password-based user authentication
mechanisms
in automatic data processing systems employed for
processing classified and other sensitive information.
Point of
contact concerning this publication is the Office of
Standards
and Products, Attention: Chief, Computer Security
Standards.
Robert L. Brotman 12 April 1985
Director
DoD Computer Security Center
ACKNOWLEDGMENTS
Special recognition is extended to Sheila L. Brand, DoD
Computer
Security Center (DoDCSC), and Jeffrey D. Makey, formerly
DoDCSC,
as principal authors of this publication.
Acknowledgment is also given for the contributions of:
Daniel J.
Edwards, Mary E. Flaherty, Steven J. Padilla, DoDCSC,
John J.
Stasak III, Gregory L. Wessel and Bernard Peters,
Department of
Defense, Col. Roger R. Schell, formerly DoDCSC, and James
P.
Anderson, James P. Anderson & Co, who gave generously
of their
time and expertise in the formulation and review of this
document.
ii
CONTENTS
FOREWORD..................................................... i
ACKNOWLEDGMENTS.............................................. ii
CONTENTS......................................................iii
INTRODUCTION................................................. 1
1.0
SCOPE...........................................................1
2.0 CONTROL
OBJECTIVES..................................... ....2
3.0
DEFINTIONS............................................... 3
4.0
GUIDELINES.............................................. 4
4.1 SSO Responsibilities.................................. 4
4.1.1
Initial System Passwords...............
4
4.1.2
Initial Password Assignment...............
4
4.1.3
Password Change Authorization.............
6
4.1.4
Group IDs................................
6
4.1.5
User ID Revalidation.......................
6
4.2 User
Responsibilities..............................
6
4.2.1
Security Awareness........................
6
4.2.2
Changing Passwords........................
6
4.2.3
Log into a Connected System..................
8
4.2.4
Remembering Passwords....................
8
4.3
Authentication Mechanism Functionality............ 9
4.3.1
Internal Storage of Passwords .............
9
4.3.2
Entry......................................
9
4.3.3
Transmission...............................
10
4.3.4
Login Attempt Rate.........................
10
4.3.5
Auditing....................................
10
4.4 Password
Protection..............................
11
4.4.1
Single Guess Probability..................
11
4.4.2
Password Distribution ......................
11
APPENDIX A:
Password Generation Algorithm................... 13
APPENDIX B:
Password Encryption Algorithm................... 13
APPENDIX C:
Determining Password Length..................... 17
iii
APPENDIX D:
Protection Basis for Passwords.............. 23
APPENDIX E:
Features for Use in Very Sensitive Applications 25
APPENDIX F: On the
Probability of Guessing a Password.....
27
REFERENCES.................................................. 31
iv
INTRODUCTION
In August 1983, the DoD Computer Security Center
published CSC-STD-001-83,
Department of Defense Trusted Computer System Evaluation
Criteria. That
publication defines and describes feature and assurance
requirements for six
hierarchical classes of enhanced security protection for
computer systems that
are to be used for processing classified or other
sensitive information. A
major requirement common to all six classes is
accountability:
"Individual accountability is the key to securing and
controlling
any system that processes information on behalf
of
individuals or groups of individuals. A
number of
requirements must be met in order to satisfy this objective.
"The first requirement is for individual user identification.
Second,
there is a need for authentication.
Without
authentication, user identification has no credibility.
Without
a credible identity (no) security policies can be
properly invoked because there is no assurance that proper
authorizations can be made." (2)
This guideline has been developed `to assist in providing
that much needed
credibility of user identity by presenting a set of good
practices related to
the design, implementation and use of password-based user
authentication
mechanisms. It is
intended that features and practices described in this
guideline be incorporated into DoD automatic data
processing (ADP) systems
used for processing classified or other sensitive
information.
1.0 SCOPE
The security
provided by a password system depends on the passwords being
kept secret at all times.
Thus, a password is vulnerable to compromise
whenever it is used, stored, or even known. In a password-based
authentication mechanism implemented on an ADP system,
passwords are
vulnerable to compromise due to five essential aspects of
the password system:
1) a password
must be initially assigned to a user when enrolled on
the ADP system;
2) a user's
password must be changed periodically;
3) the ADP
system must maintain a "password database";
4) users must
remember their passwords; and
5) users must
enter their passwords into the ADP system' at
authentication time.
This guideline prescribes steps to be taken to minimize
the vulnerability of passwords in each of these
circumstances.
Specific areas
addressed in this guideline include the responsibilities of
the system security officer and of users, the
functionality of the
authentication mechanism, and password generation. The major features
advocated in this guideline are:
* Users
should be able to change their own passwords.
* Passwords
should be machine-generated rather than
user-created.
* Certain audit reports (e.g., date and time
of last login)
should be
provided by
the system directly to the user.
For certain
sensitive applications such as Command and Control Systems,
pertinent DoD directives should be referenced in order to
assess the need for
additional identification and authentication features.
2.0 CONTROL OBJECTIVES
The
CSC-STD-001-83 gives the following as the Accountability
Control Objective:
"Systems that are used to process or handle classified or
other
sensitive information must assure individual
accountability
whenever either a mandatory or discretionary security
policy is
invoked. Furthermore, to assure accountability, the
capability
must exist for an authorized and competent agent to
access and
evaluate accountability information by a secure means,
within a
reasonable amount of time, and without undue difficulty."(2)
In order to
attain the individual accountability required, it is necessary
for the ADP system to be able to uniquely identify each
person who uses it.
In many cases, a password scheme will be used to achieve
this. The
Accountability Control Objective, applied to password
systems, leads to the
following control objectives for password systems.
* Personal
Identification
Password
systems used to control access to ADP systems that process or
handle classified or other sensitive information must
assure the capability to
uniquely identify each individual user of the system.
*
Authentication
Password
systems used to control access to ADP systems that process or
handle classified or other sensitive information must
assure unequivocal
authentication of the user's claimed identity.
* Password
Privacy
Password
systems must assure, to the extent possible, protection of
the password database consistent with protection afforded
the classified or
other sensitive information processed or handled by the
ADP system in which
the password systems operate.
* Auditing
Password
systems used to control access to ADP systems that process or
handle classified or other sensitive information must be
able to assist in the
detection of password compromise.
3.0 DEFINITIONS
* Access Port A
logical or physical identifier that a computer uses to
distinguish different terminal input/output data streams.
* Expired
Password - A password that must be changed by the
user before login may be completed.
* Password - A
character string used to authenticate an identity.
Knowledge of the password that is associated with a user
ID is considered
proof of authorization to use the capabilities associated
with that user ID.
* Password
System - A part of an ADP system that is used to authenticate a
user's identity.
Assurance of unequivocal identification is based on the
user's ability to enter a private password that no one
else should know.
* System
Security Officer (SSO) - The person responsible for the security
of an ADP system.
The SSO is authorized to act in the "security
administrator" role defined in CSC-STD-001-83. Functions that the SSO is
expected to perform include: auditing and changing
security characteristics of
a user.
* Trusted
Identification Forwarding - An identification method used in
networks where the sending host can verify that an
authorized user on its
system is attempting a connection to another host. The sending host transmits
the required user authentication information to the
receiving host. The
receiving host can then verify that the user is validated
for access to its
system. This
operation may be transparent to the user.
* User ID - A
unique symbol or character string that is used by an ADP
system to uniquely identify a user. The security provided by a password
system should not rely on secrecy of the user's ID.
4
4.0 GUIDELINES
In the
remainder of this document, guidelines for good practice are
presented in bold print, while amplifications, examples,
and rationale are
presented in normal print. The guidelines are given with two degrees of
emphasis. Those
that are most important to the security of a password system
are presented with such wording as "The SSO should
..." (the word "should" is
the key), while less critical functions are presented
with such wording as "It
is recommended that." ("recommended" is
the key). Because it is anticipated
that diverse user communities will adopt this guideline,
all recommendations
are presented in general rather than specific
terminology, divorced from
vendor-specific hardware or system software. Where features require the
setting of a specific value (e.g., password maximum
lifetime), it is suggested
that these be designed as parametric settings leaving the
determination of
exact values to local security management who understand
the particular
security requirements of their user environment.
It is
recommended that, whenever possible, the mechanisms discussed in
this guide be automated.
Automation will result in a minimal burden on the
system
administration and on the users, and thus in greater effectiveness
of the mechanisms by eliminating situations where
passwords might be exposed
to people.
4.1 550
Responsibilities
4.1.1 Initial
System Passwords
Many ADP
systems come from the vendor with a few standard user IDs
(e.g., SYSTEM, TEST, MASTER, etc.) already enrolled in
the system. The System
Security Officer (SSO) should change the passwords for
all standard user IDs
before allowing the general user population to access the
system. This can be
easily assured if the standard user IDs are initially
identified by the system
as having "expired" passwords. (See section 4.2.2.1 for discussion of
expired
passwords.)
4.1.2 Initial
Password Assignment
The SSO is
responsible for generating and assigning the initial
password for each user ID. The user must then be informed of this
password.
In some areas, it may be necessary to prevent exposure of
the password to the
SSO. In other
cases, the user can easily nullify this exposure.
4.1.2.1
Preventing Exposure
There are
methods that can be implemented to prevent exposure of
a password to the SSO after it has been generated. One technique is to print
the user's password on a sealed multipart form in such a
way that it is not
visible on the top page of the form. The SSO would then protect the sealed
password appropriately until it could be delivered to the
user. In this case,
the password is generated randomly by the ADP system and
is not known by the
SSO.
5
The
password should be seated so it is not visible and cannot be made
visible without breaking the seal. Delivery of the password in this manner
could require several days.
Another
method of preventing exposure is to have the user present at
password generation.
The SSO must initiate the procedure and the user must
shield the generated password and then remove or erase it
from the display.
This method cannot be used when user terminals are at
remote locations.
It is
recommended that a technique comparable to one of the
above be
used to prevent exposing a user's initial password to
the
SSO. Whatever method is used to
distribute passwords, the SSO
must
receive an acknowledgment of receipt of the password within a
specified time period.
4.1.2.2
Nullifying Exposure
When a
user's initial password must be exposed to the SSO, this
exposure may be nullified by having the user immediately
change the password
by the normal procedure.
(Presumably, this change procedure does not expose
the new password to the SSO.)
When a
user's initial password is not protected from exposure
to the
SSO, the user ID should be identified by the system as
having an
"expired password" which will require the user to
change the
password by the usual procedure (see section
4.2.2.3)
before receiving authorization to access the system.
4.1.2.3
Classification Assignment
Where the
password must be classified, the initial classification
assignment should be entered by the SSO to designate the
highest security
level that may be associated with each user's initial
password and its
successors.
4. 13 Password Change Authorization
Occasionally,
a user will forget the password or the SSO may determine
that a user s password may have been compromised. To be able to correct these
problems, it is recommended that the SSO be permitted to
change the password
of any user by generating a new one. The SSO should not have to know the
user's password in order to do this, but should follow
the same rules for
distributing the new password that apply to initial
password assignment (see
section 4.1.2).
Positive identification of the user by the SSO is required
when a forgotten password must be replaced.
6
4. 1.4 Group IDs
Throughout
the lifetime of an ADP system, each user ID should be
assigned to only one person. In other words, no two people may ever have
the
same user ID at the same time, or even at different
times. It should be
considered a security violation when two or more people
know the password for
a user ID (except in the case when the SSO is the other
person and the user ID
is identified by the system as having an "expired
password">. Note that there
is no intention of prohibiting alternate forms of user
identification (e.g.,
group IDs,functional titles) for non-authentication
purposes (e.g., data
access control, mail).
If alternate IDs are used, they must be based on user
IDs.
4.1.5 User ID
Revalidation
The SSO
should be responsible for the development of a procedure
whereby prompt notification is given to the SSO when a
user ID and password
must be removed from the ADP system (e.g., when an
employee leaves the
sponsoring organization>. In addition, all user IDs should be
revalidated
periodically, and information such as sponsor and means
of off-line contact
(e.g., phone number,mailing address) updated as
necessary. It is recommended
that this revalidation be done at least once per year.
4.2 User Responsibilities
4.2.1 Security
Awareness
Users
should understand their responsibility to keep passwords private
and to report changes in their user status, suspected
security violations,
etc. To assure
security awareness among the user population, it is
recommended that each user be required to sign a
statement to acknowledge
understanding these responsibilities.
4.2.2 Changing
Passwords
The
simplest way to recover from the compromise of a password is to
change it.
Therefore, passwords should be changed on a periodic basis to
counter the possibility of undetected password
compromise. They should be
changed often enough so that there is an acceptably low
probability of
compromise during a password's lifetime. To avoid needless exposure of users'
passwords to the SSO, users should be able to change
their passwords without
intervention by the SSO.
4.2.2.1
Password Lifetime
The most
obvious threat to the security provided by a password
system is from the compromise of passwords. The greater the length of time
during which a password is used for authentication
purposes,the more
opportunities there are for exposing it. In a useful password system, the
probability of compromise of a password increases during
its lifetime. For a
period of time, this probability could be considered
7
acceptably low while after a longer period of time, it
would be considered
unacceptably high.
At this latter point, use of the password should be
considered suspect rather than a reliable proof of
identity. By appropriately
limiting the length of time (called the password
lifetime) during which a
password can be used,the vulnerability of the password
can remain acceptable.
There should be a maximum lifetime for all
passwords. To protect against
unknown threats, it is recommended that the maximum
lifetime of a password be
no greater than 1 year.
The presence of known threats may indicate a need for
a shorter maximum lifetime. Also, depending on the size of the password
space
and on how fast a penetrator can execute a login attempt,
it may be necessary
to change passwords even more frequently. See Appendix C for a discussion of
the relationship between password lifetime, password
space and the guess rate.
A password should be invalidated at the end of its
maximum lifetime. It is
recommended that, at a predetermined period of time prior
to the expiration of
a password's lifetime, the user ID it is associated with
be notified by the
system as having an "expired" password. A user who logs in with an ID having
an expired password should be required to change the
password for that user ID
before further access to the system is permitted. If a password is not
changed before the end of its maximum lifetime, it is
recommended that the
user ID it is associated with be identified by the system
as "locked." No
login should be permitted to a locked user ID, but the
SSO should be able to
unlock the user ID by changing the password for that user
ID, following the
same rules that apply to initial password entry (see
section 4.1.2). After a
password has been changed, the lifetime period for the
password should be
reset to the maximum value established by the
system. 4.2.2.2 Change
Authorization To be consistent with the Password Privacy
control objective,
users (other than the SSO) should be permitted to change
only their own
passwords. To
ensure this, it is recommended that the user enter the old
password and the user ID/password combination be
validated as part of the
password changing procedure.
4.2.2.3 Change Procedure
Changing a password in a secure manner
involves several steps. The
following procedure is recommended:
The
procedure should be invoked at the user's request or
when a
user logs in with an expired password.
If the change is
necessary due to an expired password, the
user should be so
informed.
The user should be presented with a brief summary of
the major steps in changing a password,
including a caution that
the user should ensure that no one else is
watching what the user
is doing.
Except
8
when
the change procedure is part of the login procedure (e.g.,
logging in with an expired password>, the
user's current password
should be entered to re-authenticate
identity. The change
procedure should display a new password for
the user. The new
password should be different from the old
one and should
be generated by angenerated by any algorithm
that satisfies the
specifications in Appendix A. The user should then enter the new
password twice so the procedure can verify
that the user can
consistently enter the password
correctly. The new password
should be obliterated by techniques such as
overprinting or
terminal screen erasing. If the two entered passwords are
identical to the generated password, the
password data base
should be updated (i.e., the old password
deleted or invalidated
andthe new password associated with the user
ID) and a message to
this effect should be displayed. Failure by the user to
correctly enter the current password or the
generated password
should result in a useful error message to
the user and in the
change procedure being aborted without
changing the password.
When the attempt to change an expired
password is not successful,
the password should be retained as expired
and the user given the
option to again change the password or
logout. An audit record
should be generated that indicates whether
or not the change was
successful.
4.2.3 Login to a Connected System
Users should
be required to authenticate their identities at "login"
time by
supplying their password along with their user ID. It is
recommended that
some form of trusted identification forwarding
be used
between hosts when users connect to other ADP systems
through a
network. When trusted identification
forwarding is not
used, a
remote host should require the user's ID and password
when logging
in through a network connection. Note
that user IDs
on different
hosts for the same user may be different, and that
corresponding
machine-generated passwords almost certainly will be
different. Note also that a
password required by a remote host is
vulnerable to
compromise by the local host or intermediate hosts.
4.2.4 Remembering Passwords
Since users
must supply their passwords to the ADP system at
authentication time, it follows that they must know what their passwords
are. It is recommended that users memorize their
passwords and
not write
them on any medium. If passwords must be
written,they
should be
protected in a manner that is consistent with the damage
that could be
caused by their compromise. See Appendix
D for
guidance on
the protection of passwords.
9
4.3 Authentication Mechanism Functionality
4.3.1 Internal Storage of Passwords
It is
normally necessary for the ADP system to store internally the
user ID for each authorized system user as well as some
representation of the
password and, when required, the clearance and
authorizations that are
associated with each user ID. Without some form of access control over this
information, it will be possible for unauthorized users
to read an-or modify
the password database.
Unauthorized reading and writing of the password
database are a concern.
Reading it could result in disclosure of passwords to
unauthorized users.
Being able to write it could result, for example, in user
A changing user B's password so user A could log in under
user B's identity.
Note that it is necessary for the login process to be
able to read the
password database and the password changing process to be
able to read and
write the password database.
Stored
passwords should be protected by access controls provided by
the ADP system, by password encryption, or by both.
4.3.1.1 Use of
Access Control Mechanisms
Access
control mechanisms (e.g., mandatory or discretionary
controls as discussed in CSC-STD-001-83) should be used
to protect the
password data base from unauthorized modification and
disclosure.
4.3.1.2 Use of
Encryption
Encryption of stored passwords should be used whenever the access
control mechanisms provided by the ADP system are not
adequate to prevent
exposure of the stored passwords. It is recommended that password encryption
be used even when other access controls are considered
adequate, as this helps
protect against possible exposure when access controls
are bypassed (e.g.,
system dumps).
When encryption is used to protect stored passwords, it is
recommended that the algorithm meet the specifications in
Appendix B. It is
recommended that encryption be done immediately after
entry, that the memory
containing the plaintext password be erased immediately
after encryption, and
that only the encrypted password be used in
comparisons. There is no need to
be able to decrypt passwords. Comparisons can be made by encrypting the
password entered at login and comparing the encrypted
form with the encrypted
password stored in the password database.
4.3.2 Entry
Encryption of stored passwords should be used whenever the access
control mechanisms provided by the ADP system are not
adequate to prevent
exposure of the stored passwords. It is recommended that password encryption
be used even when other access controls are considered
adequate, as this helps
protect against possible exposure when access controls
are bypassed (e.g.,
system dumps).
When encryption is used to protect stored passwords, it is
recommended that the algorithm meet the specifications in
Appendix B. It is
recommended that encryption be done immediately after
entry, that the memory
containing the plaintext password be erased immediately
after encryption, and
that only the encrypted password be used in
comparisons. There is no need to
be able to decrypt passwords. Comparisons can be made by encrypting the
password entered at login and comparing the encrypted
form with the encrypted
password stored in the password database. Passwords should be entered after
providing a user ID to the system. If the entry is correct, the system should
then display the date and time of the user's last login.
It is
recommended that the system not echo passwords that users type
in. When the system
cannot prevent a password from being
10
echoed (e.g., in a half-duplex connection), it is
recommended that a random
overprint mask be printed before or after the password is
entered, as
appropriate, to conceal the typed password. The complete password as entered
by the user should be an exact match, character for
character, with the user's
current password.
4.3.3 Transmission
During
transmission of a password from a user's terminal to the computer
in which the authentication is done, passwords should be
protected in a manner
that is consistent with the damage that could be caused
by their compromise.
Since passwords are no more sensitive than the data they
provide access to,
there is generally no reasonto protect them, during
transmission, to any
greater degree (e.g.,encryption) than regular data is
protected. See Appendix
D for guidanceon the protection of passwords.
4.3.4 Login Attempt Rate
By
controlling the rate at which login attempts can be made (where each
attempt constitutes a guess of a password), the number of
guesses a penetrator
can make during a password's lifetime is limited to a
known upper bound. To
control attacks where a penetrator attempts many logins
through a single
access port, the password guess rate should be controlled
on a per-access port
basis. That is,
each access port should be individually controlled to limit
the rate at which login attempts can be made at each
port. When a penetrator
can easily switch among multiple access ports, it is
recommended that the
password guess rate also be controlled on a per-user ID
basis. It is
recommended that maximum login attempt rates fall within
the range of one per
second to one per minute.
This range provides reasonable user-friendliness
without permitting so many login attempts that an
extremely large password
space or an extremely short password lifetime is
necessary. See Appendix C
for a discussion of the relationship between the guess
rate, password
lifetime, and password space. Note that it is not intended that login be an
inherently slow procedure, for there is no reason to
delay a successful login.
However, in the event of an unsuccessful login attempt,
it is quite reasonable
to use an internal timer to enforce the desired delay
before permitting the
next login attempt.
The user should not be able to bypass this procedure.
4.3.5 Auditing
4.3.5.1 Audit
Trails
The system
should be able to create an audit trail of password usage
and changes. Such
an audit trail should not contain actual passwords or
character strings that were incorrectly given as
passwords, since this could
expose the password of a legitimate user who mistyped his
user ID or password.
Auditableevents should include: successful login,
unsuccessful login
11
attempts, use of the password changing procedure, and the
locking of a user ID
due to its password reaching the end of its lifetime. For each recorded
event, the audit record should include: date and time of
the event, type of
event, offered user ID for unsuccessful logins or actual
user ID for other
events, and origin of the event (e.g., terminal or access
port 11'). Audit
records of password changes should also indicate whether
or not the change was
successful.
4.3.5.2
Real-time Notification to System Personnel
It is
recommended that each accumulation of 5 consecutiveunsuccessful login
attempts from a single access port or against a single
user ID results in
immediate notification of the event to the ADP system
operator or the SSO.
While there is no requirement for the SSO or operator to
take any action upon
receiving the notification, frequent notifications may
indicate that a
penetration attempt is in progress and may warrant
investigation and possible
corrective action.
4.3.5.3
Notification to the User
Upon
successful login, the user should be notified of:
* The date and time of user's last login;
* The
location of the user (as can best be determined) at last
login; and
* Each
unsuccessful login attempt to this user ID since the
last successful login.
This provides a means for the user to
determine if someone else is
using
or attempting to guess this user ID and
password.
4.4 Password Protection
4.4.1 Single
Guess Probability
The
probability that any single attempt at guessing a password will be
successful is one of the most critical factors in a
password system. This
probability depends on the size of the password space and
the statistical
distribution within that space of passwords that are
actually used. Since
many user-created passwords are particularly easy to
guess all passwords
should be machine generated using an algorithm that meets
the specifications
in Appendix A.
4.4.2 Password
Distribution
During
distribution to the user. passwords
should be protected to the
same degree as the information to which they provide
access.machine-generated
passwords should be displayed on the user's terminal at
time of change, along
with appropriate cautions to the
12
user to protect the password. At the completion of the change procedure, it
is recommended that displayed passwords be erased or
overstruck, as
appropriate for the terminal type. Passwords changed by the 550 should be
distributed in a manner that is consistent with the
damage that could be
caused by their compromise. See Appendix D for guidance on the protection
of
passwords.
13
APPENDIX A
Password Generation Algorithm
This appendix describes the requirements to be met by an
acceptable password
generation algorithm.
The issues involved relate to the specifications for
password space, random seed generation, pseudo-random
number generation and
"user- friendly" passwords.
A.1 Password Space
The size of the
password space is a function of the size of the alphabet and
the number of characters from that alphabet that are used
to create passwords.
(The maximum size of the password space can be expressed
as 5 A where 5 is the
maximum password space, A is the alphabet size and M is
the password length.)
To determine the
minimum size of the password space needed to satisfy the
security requirements for an operational environment,
equation [3] in Appendix
C can be used. The
password generation algorithm selected should be able to
generate at least that number of passwords. In addition, the generated
passwords should be, at a minimum, 6 characters in length.
A.2 Random Seeds
When a
pseudo-random number generator is used in a password generation
algorithm, it should accept as input random data that
would provide output
which has a high degree of unpredictability. This random data (seed) can be
derived from a number of available parameters such as a
system clock, system
registers, date, time, etc. The parameters should be selected to ensure
that
the number of unique seeds that can be generated from
these inputs should be
at least equal to the minimum number of passwords that
must be generated.
When passwords are used to protect classified
information, the seed generator
should be approved by the DoD Computer Security Center.
A.3 Pseudo-Random Number Generator
Using a random
seed as input, the pseudo-random number generator that drives
a password generation algorithm should have the property
that each bit in the
pseudo-random number that it generates is a complex
function of all the bits
in the seed. The
Federal Data Encryption Standard (DES), as specified in FIPS
46, (9) is an example of a pseudo-random number generator
with this property.
If DES is used, it is suggested that the 64-bit Output
Feedback (OFB) mode be
used as specified in FIPS 81 (10). In this case, the seed used as input could
consist of:
* An
initialization vector
* A
cryptographic key
* Plaintext
14
Factors that can
be used as input to these parameters are:
For the
initialization vector:
* System
clock
* System ID
* User ID
-Date and
time
For the
cryptographic key:
* System
interrupt registers
* System
status registers
* System
counters
The plain text
can be an external randomly generated 64-bit value (8
characters input by the 550).
The resulting
pseudo-random number that is output will be the 64 bits of
cipher text generated in the 64-bit OFB mode. The password generation
algorithm can either format this pseudo-random number
into a password or use
it as an index (or indices) into a table and use the
contents from this table
to form a password or a passphrase.
A.4 "User-Friendly" Passwords
To assist users
in remembering their passwords, the password generation
algorithm should generate passwords or passphrases that
are "easy" to
remember.
Passwords formed by randomly choosing characters are generally
difficult to remember.
Passwords that are pronounceable are often easy to
remember, as are passphrases that are formed by concatenating
real words into
a phrase or sentence.
15
APPENDIX B
Password Encryption Algorithm
Password encryption is advocated as a password protection
measure. The
algorithm selected for this would be determined by the
system environment.
Some environments may require that a classified
encryption algorithm be used,
while for other environments an unclassified algorithm
would be required.
B.1 Encryption Algorithm
A conventional or public key cryptographic algorithm
which is configured as a
"one-way" encryption algorithm may be used for
password encryption, but
whatever algorithm is used, the protection the encryption
algorithm provides
should rely on its complexity. If there is a key that can be used with the
algorithm to decrypt passwords, that key should not be
stored in the ADP
system.
B.2 Assurance for Unique Encrypted Passwords
If a password encryption system depends only on the
password and other fixed
information, there is a possibility that two different
users will have
identical encrypted passwords. A user who discovers another user with an
identical encrypted password will then know that the same
password will work
for both user IDs even if they don't have identical
plaintext passwords. To
minimize this possibility, it is recommended that the
encryption algorithm use
the ADP system name (in network environments) and the
user's ID as factors in
the encryption.
(This can be easily accomplished by concatenating the system
ID, user ID and password, and then applying the
encryption algorithm to the
resulting string.)
16
APPENDIX C
Determining Password Length
The security afforded by passwords is determined by the
probability that a
password can be guessed during its lifetime. The smaller that probability,
the greater the security provided by the password. All else being equal, the
longer the password, the greater the security it
provides. This appendix
reviews the mathematics involved in establishing how long
a password should
be.
The basic parameters that affect the length of the password
needed to provide
a given degree of security are:
L = maximum lifetime that a password can be used to log
into the system.
P = probability that a password can be guessed within its
lifetime, assuming
continuous
guesses for this period.
R = number of guesses per unit of time that it is
possible to make.
S = password space, i.e., the total number of unique
passwords that the
password
generation algorithm can generate.
C.1 Relationship
Considering only
the cases where S is greater than L x R and therefore P is
less than 1, the relationship between these parameters is
expressed by the
equation:
P = L x R
[I]
A detailed
explanation of the derivation of this basic equation
is given in Appendix F.
C.2 Guess Rate
Several factors
contribute to the rate at which attempts can be made to gain
access to the data on a system when a valid password is
not known. First and
foremost is the protection given to the password data
base itself. If the
password data base is unprotected (i.e., can be read by
anyone as ordinary
data), then "guessing" may not be required.
If the password
data base can be read. but the passwords
are encrypted (see
Appendix B), a very high guess rate may be possible by
using a computer to try
a dictionary of possible passwords to see if ciphertext
can be generated that
is the same as one in the password data base. A similar situation frequently
occurs where only passwords are used to protect files.
16
Finally, if the
password data base has effective access controls and the
login procedure cannot be bypassed, the guess rate can be
controlled by
setting limits on the number of login or other attempts
that can be made
before terminating the connection or process.
C.3 Password Lifetime
All other things
being equal, the shorter the lifetime of a password, the
fewer the number of guesses that can be made and thus the
greater the degree
of password security.
As stated in 4.2.2.1, the maximum password lifetime
should not exceed one year.
C.4 Password Space
Password length
and alphabet size are factors in computing the maximum
password space requirements. Equation [2] expresses the relationship
between
S, A, and M where:
S = password
space
A = number of
alphabet symbols
M = password
length
S = AM
[2]
To illustrate: If
passwords consisting of 4 digits using an alphabet of 10
digits (e.g., 0-9) are to be generated:
S = 104
That is, 10,000
unique 4-digit passwords could be generated.
Likewise, to
generate random 6-character passwords from an alphabet of
26 characters (e.g.,
AZ):
S = 266
That is 3.089 *
108 unique 6-character passwords could be
generated.
"User-friendly" passwords (sometimes referred to as
passphrases) could be
generated by using, for example, 3 symbols from an
alphabet (dictionary) of
2000 symbols, where each symbol was a pronounceable word
of 4, 5, or 6
characters.
Using equation
[2] and setting:
A = 2000 symbols
(words)
M = 3
Then S = 20003
That is, 8 * 109
unique passwords could be generated where each password was
made up of 3 words taken from a dictionary of 2000 words.
19
C.5 A Procedure for Determining Password Length
What is important
in using passwords is how long to make the password to
resist exhaustive penetration attacks. We can do this by using the following
procedure:
a. Establish an acceptable probability, P, that
a password will be guessed
during its lifetime.
For example, when used as a login authenticator, the
probability may be no more than 1 in 1,000,000. In another case, where very
sensitive data is involved, the value for P may be set at
10-20.
b. Solve for the size of the password space, 5,
with the equation derived
from equation [1]
S = G
[3]
P
where G L x R
c. Determine the
length of the password, M, from the equation
M = log S
[4]
log
(number of symbols in the "alphabet")
M will generally
be a real number that must be rounded up or down to the
nearest whole number.
Examples of calculating many of the values described
above are given below.
C.6 Worked Examples
An example shown
here is drawn from a real network case.
The problem is to
determine the needed password length to reduce to an
acceptable level the
probability that a password will be guessed during its
lifetime.
The network to
which this is applied supports both a 300-baud and a
1200-baud service.
Experiments on the network have determined that it is
possible to make about 8.5 guesses per minute on the
300-baud service and 14,
guesses per minute on the 1200-baud service. (The reason that the "guess
rate' for the 1200-baud service is not 4 times that of
the 300-baud service is
that the system response time, which is not affected by
the improved
transmission speed, becomes the limiting factor in how
many guesses can be
accomplished in a given amount of time.)
In this example,
the arbitrary value of 10-6 is used for the probability (P)
of guessing the password in its lifetime. As we will see below, the password
lifetime is not the critical factor here as long as the
password is changed at
least once per year.
The statement of
the problem is to find a password length that will resist
being guessed with a probability of 1 in 106 in 1 year of
continuous guesses.
When three
parameters in equation [1] are known, the fourth value can be
found. To find the
password space required by our examples, the following
parameters are given:
20
L is set for 6 months and 12 months. P is set for 1 in 1,000,000 (acceptable
probability of guessing the password). R is set at 8.5 guesses per minute
(guess rate possible with 300-baud service).
At 8.5 guesses per minute, the number of guesses per day
would be
12,240.
Substituting 183 days for 6 months then using equation
[3],
S = G 183x12240 -
2.23992x1012 passwords
P -000001
The 12-month value is twice that of the 6-month case.
With this data, and using equation [4], we can determine
the length of the
passwords as a function of the size of the alphabet from
which they are drawn.
We will assume two alphabet sizes: a 26-letter alphabet
and a
36-letter-and-number alphabet.
M = log (2.23992 x 1012) 8.72 (for 6-month
lifetime)
log 26
M = log (4.4676x1012) 8.94 (for 12-month lifetime)
log 26
M = log (2.23992x1012) 7.93 (for 6-month lifetime)
log 36
M = log (4.4676 x 1012) 8.13 (for 12-month
lifetime)
log 36
Table 1 presents the results.
TABLE 1
MAXIMUM Length of Password
LIFETIME
(months)
26-Character alphabet
36-Character alphabet
6 9 8
(rounded up from 8-72) (rounded
up from 7.93)
12 9 8
(rounded up from 8.94) (rounded
down from 8.13)
21
C.7 Passphrases
A
"passphrase" is a concatenation of words drawn from a
dictionary. The
dictionary is merely the collection of symbols making up
the "alphabet" from
which the password is generated. As an example, suppose the passphrase is
made up of words drawn from a dictionary of 4, 5 and 6
letter words. There
are approximately 3,780 4-letter words, 7,500 5-letter
words and 12,000
6-letter words in English. The "alphabet size" for generating
passphrases is
approximately 23,300.
We can compute how many words, drawn at random from the
dictionary of 23,300 words, are needed to produce a
passphrase that will be
resistant to exhaustive attack with the probability of 1
x 10-6.
We have to solve
for 5 as before, and from that, solve for M, the length of
the password (i.e., number of alphabet symbols or words).
For L = 12
months, 5=4.4676*1012, log S = 12.6500
For L = 6 months,
5=2.2399*1012, log S = 12.3502
Log 23300 4.3669
Using equation
(4) we obtain:
For L = 12
months M 12.6500 3 (rounded from 2.89)
4.3669
For L = 6
months M
12.3502 3 (rounded from 2.82)
4.3669
Thus, for the
passphrase algorithm described, namely selection at random
from a dictionary of 23,300 words, only 3 words are
needed in a passphrase to
obtain the desired resistance to exhaustive
enumeration. In using the
algorithm, each word of the phrase is drawn independently
from the dictionary.
This may result in a word appearing more than once in the
passphrase.
23
APPENDIX D
Protection Basis for Passwords
Passwords are used to prevent people who have physical
access to an ADP system
from gaining access to data belonging to another
user. Thus, a password
should be protected in a manner that is consistent with
the damage that might
be caused by its exposure to someone who has the
opportunity to use it (i.e.,
has physical access to the ADP system terminals). Exposure of a password to
someone who is physically prevented from attempting to
use it is not a threat.
D.1 Systems Containing Only Unclassified Information
Although an ADP
system may process only unclassified information, it still
may require that the data be protected from unauthorized
use. Although the
password is unclassified, the obligation remains that the
user protect this
password so that only those with a need-to-know can
access the data.
D.2 Systems Containing Classified Information
Passwords that
are used in AD P systems that operate in the dedicated or
system high security modes (3) should not be classified,
but should be
protected to the same degree as For Official Use Only
information. In this
case, there is no need to classify passwords since access
to the area in which
the system resides is restricted to those with a
clearance as high as the
highest classification level of the information
processed. A person who
obtained a password for a system running in dedicated or
system high security
mode but who did not possess the proper security
clearance would be unable to
gain physical access to the system and use the password.
For systems
operating in the multilevel security mode (3), passwords may or
may not have to be classified.
When the ability
to access classified information is based on the physical
protection of the terminal rather than on the identity of
the user (i.e., when
all terminals are single-level devices), passwords should
not be classified,
but should be protected to the same degree as For
Official Use Only
information. There
is no need to classify passwords that can only be used on
single-level terminals, since physical access to
single-level terminals is
controlled to the level associated with the
terminal. When the ability to
access classified information is based on the user's
identity and is not
restricted by the level of the terminal (i.e., multilevel
terminals), each
password must be classified to the highest level of the
information to which
it provides access.
When multilevel terminals are used, the system determines
the user's access authorizations to classified material
based on his identity,
and authenticates the identity by requiring a
password. Thus. the ADP system
can protect the information it processes only to the
extent that passwords are
protected. For
example, a user with a Secret clearance can access Secret
information.
24
Compromise of that user's password could result in the
compromise of Secret
information; therefore, the password would be classified
Secret. In the case
of a system with multilevel terminals, disclosure of a
Top Secret user's
password to a Secret user would allow the Secret user to
login as the Top
Secret user and thus gain access to Top Secret
information. Disclosure of Top
Secret information to someone with only a Secret
clearance can cause
exceptionally grave damage to the national security. Since disclosure of the
Top Secret user's password could lead to this, the
password must be classified
Top Secret (5).
Note that classified passwords must not be used on
terminals that are not
authorized for data at the level of the password (e.g., a
Top Secret password
must not be used on a Secret terminal). The presence of both single-level and
multilevel terminals on a system may indicate the need
for passwords at each
security level. At
a minimum, an unclassified password should be available
for use on terminals that are only authorized for
unclassified data.
25
APPENDIX E
Features
for Use in Very Sensitive Applications
The following features can be used to enhance the
security provided by a
password system.
Because they are somewhat "user-unfriendly," they are
recommended for environments only when there is a high
threat of password
compromise.
E.1 One-Time Passwords
One-time
passwords (i.e., those that are changed after each use) are useful
when the password is not adequately protected from
compromise during login
(e.g., the communication line is suspected of being
tapped). The difficult
part of using one-time passwords is in the distribution
of the new passwords.
If a one-time password is changed often because of
frequent use, the
distribution of new one-time passwords becomes a
significant point of
vulnerability.
There are products on the market that generate such passwords
through a cryptographic protocol between the destination
host and a hand-held
device the user can carry.
E.2 Failed Login Attempt Limits
In some
instances, it may be desirable to count the number of unsuccessful
login attempts for each user ID and to base password
expiration and user ID
locking on the actual number of failed attempts. (Changing a password would
reset the count for that user ID to zero.) For example,
the password could be
identified as expired after 100 failed login attempts,
and the user ID locked
after 500.
27
APPENDIX F
On the
Probability of Guessing a Password
Appendix C discusses the techniques for finding a
password length that will
resist exhaustive enumeration over the lifetime of the
password with a given
probability. This
appendix derives the probability of guessing a password
during its lifetime.
As in Appendix C, we use the parameters:
L = password
lifetime
R = guess rate
S = size of the
password space
P = probability
of guessing a password during its lifetime
The total number of guesses, (G), that can be made during
a password's
lifetime is:
G = R x L
[1]
At this point, we need to consider the relation of the
size of the password
space, 5, to G.
Clearly, if 5 is so small that one could try all possible
passwords before the lifetime of the password expires,
the probability of
guessing the password is l. As a result, we consider only cases where 5
is
greater than G.
The probability question then is, "For the case where 5 is
greater than G, what is the probability that in G guesses
the password will be
guessed?" This is the same as asking the question,
"What is the probability
that in the lifetime of the password, it will be
guessed?" The probability
sought is:
How many
ways one can make G guesses (of S objects)
P =
that include the password
How many
different ways one can make G guesses of S objects Note that
the probability that is appealed to is of the simplest
form. It is derived
from the definition of probability that the probability
of an event is given
by the number of ways the event can happen divided by the
number of ways an
event can happen or fail.
We first observe that the total number of ways one
can make G guesses of 5 things is given by sCg (the
combinatorial notation
that means the number of combinations of "s" things
taken "g" at a time).
(Lower case letters are used with the combinatorial
notation in order to make
the expressions more readable.) This is determined by:
s!
g!(s-g)!
Thus, if 5 - A B C,D,E, one could make 3 guesses in 5C3
different
ways,
5*4*3*2*1/3*2*1*2*1 10.
28
(Enumerating, they are
ABC~ABD,ABE,ACD,ACE,ADE,BCD,BCE,BDE~C~~.) The problem
of finding the number of guesses of this total that
include a specific
password, e.g., an "A", is addressed by
considering a reduced set without the
specific password and asking how many ways one can make G
guesses with the
reduced set. Then,
the total number of ways to make G guesses that include
the specified password is the difference between the two
values. This is
given by:
sCg-(s-1)Cg
[2]
That is, remove the designated password from the set 5,
compute the number of
ways of making G guesses without the password, then
consider the difference
between the two values.
If we ask in our example how many ways to make 3 guesses
that do NOT include a
particular password from the set of 5 (say an
"A"), this is given by:
4C3 4*3*2*1/3*2*1*1 = 4
Enumerating for the specific case of an "A",
they are BCD,BCE,BDE,CDE.
The number of ways to make 3 guesses that include the
designated element is
10-4 6. Thus, the
probability of guessing a designated password in 3 guesses
is 6/10 or 6.
Simplification:
It is indeed fortuitous that there is a theorem in any
number of books on
Probability Theory that states:
nCr (n-1)C(r-1) + (n-1)Cr
[3]
This may also be expressed as:
nCr- (n-1)Cr (n-1)C(r-1)
[4]
Substituting s for n and g for r we obtain the
expression:
(s-1)C(g-1)
[5]
for the number of ways of making G guesses that include a
specific password.
Then, the probability that a given password will be
guessed during the
lifetime of that password is given by:
P (s-1)C(g-1)
[6]
sCg
29
Evaluating this expression gives:
(s-1)! (s-1)!
P =
(g-1)!((s-1)-(g1))! =
(g-1)1(s-g)! = g!(s-1)!
= g
s! s! (g-1)!s! s
g!(s-g)! g!(s-g)!
This derivation of the probability of guessing a password
during
its lifetime, i.e.,
P = G
[8]
is important in that it allows us to derive the size of
the
password space
S = G [9]
P
given an acceptable probability of not guessing the
password
during its lifetime.
30
REFERENCES
1. Brown, R. L. Computer System Access Control Using
Passwords,
1985 , Aerospace Corporation, 16 January 1984.
2. DoD Computer Security Center. Department of Defense
Trusted
Computer System Evaluation Criteria, CSC-STD-00183, 15
August 1983.
3. DoD Directive
5200.28, Security Requirements for Automatic Data Processing
(ADP) Systems, revised April 1978.
4. Downey, P. J.
Multics Security Evaluation: Password and File Encryption
Techniques, ESD-TR-74-193, Vol. III, AD-A045279, AFSC Electronic Systems
Division, Hanscom AFB, Mass., June 1977.
5. Executive Order
12356, National Security Information, 6 April 1982.
6. Gasser, M. A Random Word Generator for Pronounceable
Passwords, MTR-3006, ESD-TR-75-97, AD-A017676, MITRE
Corp., Bedford,
Mass.,November 1975.
7. Wood, H.M. The Use of Passwords for Controlled Access to
Computer
Resources, NBS Special Publication 500-9, U.S. Department of Commerce,
National Bureau of Standards, May 1977.
8. National Bureau of Standards. Federal Information
Processing
Standards Publication 112, Password Usage Standard, 30
May 1985.
9. National Bureau of Standards. Federal Information
Processing
Standards Publication 46, Data Encryption Standards, 15
January 1977.
10. National
Bureau of Standards. Federal Information
Processing Standards
Publication 81, DES Modes of Operation, 2 December 1980.