By Bryan Jacobson, Linux Technology Center, IBM ( bryan.jacobson@us.ibm.com).

Emily – thanks so much for the guest blogging opportunity!!

On January 5th, Twitter was hacked. “I am high on crack right now might not be coming into work today” came from the account of Rick Sanchez, CNN anchor and top-20 Twitterholic. 33 high-profile accounts were hacked, including those belonging to Barack Obama, Britney Spears and Bill O’Reilly.

All because a Twitter administrator chose a password susceptible to a dictionary attack (see blog.wired.com/27bstroke6/2009/01/professed-twitt.html).

There are 22 trillion 8 character alpha-numeric passwords.

But studies of actual passwords have found 20% or more to be guessable. A 2006 analysis of 34,000 MySpace passwords found 4% to be dictionary words, and many others were variations on the user’s name, pop-culture references like “blink182”, or simply a word or name with a “1” added to the end. The most common password was “password1” (see schneier.com/essay-144.html).

The prevalence of weak passwords creates an environment where internet worms can replicate and spread. For example, a worm that exploits weak passwords is currently mounting a Distributed Denial of Service attack against DroneBL.org (see dronebl.org/blog/8).

Can’t we just tell everyone to start using good passwords? The list of 500 Worst Passwords illustrates that even when users try to form secure passwords, the result may still be guessable (see whatsmypass.com/?p=415).

Fortunately, on Linux, the problem of weak passwords is curable, using pam_cracklib, which was written by Cristian Gafton.

By default my Ubuntu (Intrepid Ibex) laptop required 8 character passwords, but allowed “arkansas”, other dictionary words, or even the user’s name.

Loading pam_cracklib was easy. The command “sudo apt-get install libpam-cracklib” both installed the package and configured pam_cracklib in /etc/pam.d/common-password.
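For readers who want to see what that package configuration looks like, here is an added illustration (not from the original post) of the shape of the pam_cracklib line that ends up in /etc/pam.d/common-password, followed by a tightened variant. The minlen=8 matches the post; the other values are assumptions chosen for illustration, and the option names (retry, minlen, difok, dcredit, ucredit, lcredit, ocredit) are documented pam_cracklib options:

```text
# Line of the form installed by the package: 3 attempts, at least 8 characters,
# at least 3 characters different from the old password.
password requisite pam_cracklib.so retry=3 minlen=8 difok=3

# Tightened variant (assumed values): 12 characters and at least one digit,
# one upper-case, one lower-case and one other character. A negative credit
# means "require at least this many of that class" rather than "give credit".
password requisite pam_cracklib.so retry=3 minlen=12 difok=4 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
```

Because the control flag is `requisite`, a rejected password stops the stack immediately; the pam_unix line that follows should carry `use_authtok` so that it accepts the password pam_cracklib has already vetted instead of prompting for a new one, which would bypass the checks.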

Now when I try to set a password to “arkansas” I get: “BAD PASSWORD: it is based on a dictionary word”.

A wide variety of other guessable passwords were also rejected with “BAD PASSWORD”, each with an explanation of the reason:

“testuser1”: it is based on your user name
“arkansas9”: it is based on a dictionary word
“7ytiruces”: it is based on a (reversed) dictionary word
“12345678”: it is too simplistic/systematic
“blink182”: it is based on a dictionary word
“12121212”: it does not contain enough DIFFERENT characters

I did find a couple of guessable passwords that pam_cracklib accepted:
“qwertyui” (from the top row of the keyboard)
“qazwsxed” (from keys on the left side of the keyboard)

These words can be added to the file /usr/local/share/dict/cracklib, and they will also be rejected once the pam_cracklib dictionary is rebuilt overnight.
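To make the rejection reasons above concrete, here is an added example that models the checks behind each “BAD PASSWORD” message and shows why adding the two keyboard patterns to a local word list makes them fail too. This is illustration code written for this post, not pam_cracklib’s or cracklib’s own implementation: the check order, the digit-stripping rule, the “half the length” threshold for distinct characters, the constructed SYSTEM_DICT and LOCAL_DICT word lists and the user name “testuser” are all assumptions chosen so the post’s sample passwords produce the reasons it lists.

```python
"""Simplified model of the checks pam_cracklib reported in the post.

Added illustration: this is NOT pam_cracklib's or cracklib's code. The
ordering, thresholds and word lists are assumptions chosen so that the
sample passwords from the post produce the reasons the post lists.
"""

# Constructed stand-in for the system word list that cracklib consults.
SYSTEM_DICT = {"arkansas", "security", "blink", "password", "monkey"}

# Constructed stand-in for the local additions file the post mentions
# (/usr/local/share/dict/cracklib); the overnight rebuild folds these in.
LOCAL_DICT = {"qwertyui", "qazwsxed"}

MIN_LENGTH = 8  # the post's Ubuntu default
DIGITS = "0123456789"


def _base_word(candidate):
    """Strip leading/trailing digits so 'arkansas9' and 'blink182' still match."""
    return candidate.strip(DIGITS)


def _matches_dictionary(candidate, words):
    """True if the candidate, or the candidate minus surrounding digits, is a known word."""
    core = _base_word(candidate)
    return candidate in words or (core != "" and core in words)


def _is_systematic(pw):
    """Every neighbouring pair separated by the same step: 12345678, abcdefgh, 87654321."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(steps) == 1 and abs(steps.pop()) <= 1


def check_password(pw, username, words=None):
    """Return None if pw passes, else a reason string in pam_cracklib's wording."""
    if words is None:
        words = SYSTEM_DICT | LOCAL_DICT
    low = pw.lower()
    user = username.lower()

    if len(pw) < MIN_LENGTH:
        return "it is too short"
    # user name, forwards or reversed, anywhere in the password
    if user and (user in low or user[::-1] in low):
        return "it is based on your user name"
    if _matches_dictionary(low, words):
        return "it is based on a dictionary word"
    if _matches_dictionary(low[::-1], words):
        return "it is based on a (reversed) dictionary word"
    if _is_systematic(low):
        return "it is too simplistic/systematic"
    # assumed threshold: fewer distinct characters than half the length
    if len(set(pw)) < len(pw) / 2:
        return "it does not contain enough DIFFERENT characters"
    return None


def check_many(passwords, username, words=None):
    """Map each candidate to its verdict, mirroring the 'BAD PASSWORD: <reason>' lines."""
    return {pw: check_password(pw, username, words) for pw in passwords}


if __name__ == "__main__":
    samples = ["arkansas", "testuser1", "arkansas9", "7ytiruces", "12345678",
               "blink182", "12121212", "qwertyui", "qazwsxed", "Vk3#mq9Lw2"]
    for pw, verdict in check_many(samples, "testuser").items():
        print(f"{pw!r}: {'OK' if verdict is None else 'BAD PASSWORD: ' + verdict}")
```

Running the script with only SYSTEM_DICT passed as `words` reproduces the post’s observation that “qwertyui” and “qazwsxed” slip through; with the default (system plus local words) they are rejected as dictionary words, which is exactly the effect of dropping them into the local additions file and letting the dictionary rebuild.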

Bottom line: pam_cracklib can improve your system security and reduce the impact of worms. (Other pam_cracklib features are described in The Linux-PAM System Administrators’ Guide, section 6.2, “pam_cracklib – checks the password against dictionary words”.)