Sniffing Passwords is Easy

From InfoWorld:

She said about half the hotels use shared network media (i.e., a hub versus an Ethernet switch), so any plain text password you transmit is sniffable by any like-minded person in the hotel. Most wireless access points are shared media as well; even networks requiring a WEP key often allow the common users to sniff each other's passwords.

She said the average number of passwords collected in an overnight hotel stay was 118, if you throw out the 50 percent of connections that used an Ethernet switch and did not broadcast passwords.

The vast majority, 41 percent, were HTTP-based passwords, followed by e-mail (SMTP, POP2, IMAP) at 40 percent. The last 19 percent were composed of FTP, ICQ, SNMP, SIP, Telnet, and a few other types.

As a security professional, my friend often attends security conferences and teaches security classes. She noted that the number of passwords she collected in these venues was higher on average than in non-security locations. The very people who are supposed to know more about security than anyone appeared to have a higher-than-normal level of remote access back to their companies, but weren't using any type of password protection.

At one conference, she listened to one of the world's foremost Cisco security experts as his laptop broadcast 12 different log-in types and passwords during the presentation. Ouch!

I am interested in analyzing that password database. What percentage of those passwords are English words? What percentage are in the common password dictionaries? What percentage use mixed case, or numbers, or punctuation? What's the frequency distribution of different password lengths?

Real password data is hard to come by. There's an interesting research paper in that data.

Posted on November 9, 2005 at 2:39 PM • 48 Comments

Comments

Ryan RussellNovember 9, 2005 3:20 PM

Not to plug too hard, but....

If you're interested in that kind of password analysis, then you will love a new book my publisher (Syngress) has coming out Real Soon Now, by Mark Burnett and company. I may end up doing some tech editing for it, so "and company" may technically include me at some point, fair warning.

Fred F.November 9, 2005 3:32 PM

It is intersting that this is being mentioned. The other day, we had class in a hotel ballroom because the University Building was having some work done on it. I got bored so I turned on the sniffer on the wireless, and gave a friend a piece of paper with his POP username and password, and asked him if that meant anything to him. He didn't even recognized it until I told him what it was then you could see the pain in his face.

This is an EMBA class where most of the students are managers and him in particular is an entrepreneur worth a lot of money. He though his emails were secure and private. Now he knows better and is changing providers to one that supports TLS.

He things I am some kind of computer god know. I keep telling him that it didn't require skills close to that. Anyone can do this.

Tom WelshNovember 9, 2005 3:34 PM

"There's an interesting research paper in that data".

True, Bruce, but would it not be illegal to use the data in any way? I think your friend is wise to delete the passwords immediately. Even grabbing the passwords would fall foul of the law in some jurisdictions, I suspect.

AGNovember 9, 2005 3:40 PM

I have currently 19 separate business passwords and ID's. Half of these passwords change every 90 days. Ouch.
I do my best to keep the passwords strong, but I know others are not doing the same.


Short story;
While working at the large software company the common password was various inappropriate iterations of "ITG" since the Internet Technology Group was the password standard, infrastructure group.
The hoop-la was started when ITG secretly ran some hacking tools against the AD and pulled EVERYONE'S password to see how strong they really were.
Of course the ITG person was offended by the passwords and reported it.
A bigger hoop-la started when an Exec was asked to punish the offenders. Instead the Exec said "Why are you purposely hacking AD to pull out passwords?" Opps

Joseph AshwoodNovember 9, 2005 3:53 PM

[Implications that using these passwords is poor security]

I think there's a more reasonable explaination, for at least a small portion of them. Like most people I keep a number of password with varying degrees of entropy. In some very low security locations (the same ones that it would be acceptable to login in the clear) I use dictionary words. One example of this is the login to check the spam catcher of Trust Laboratories, I really couldn't care less if anyone wanted to check that email, and so remembering a significant password would be a waste of time, as would enforcing security on it (it is actually checked over SSL/TLS because everything else there is configured for that as well and it's not worth the time to create an exception). I suspect that you'll find a number of these situations in a number of different locations.

I am extremely security conscious, to the point where the passphrase to some of my most secured information requires typing in octal (obscurity I know, but adding a bit more obscurity to security doesn't hurt). I have these dumb passwords because the data value is so low that it's only protected by virtue of being in the same storage as more important data.

I certainly can't vouch for any claim that "all" of these passwords are a result of this, but I feel certain that we can credit this category with a useful number of them.

Roger WeeksNovember 9, 2005 4:26 PM

"Like most people I keep a number of password with varying degrees of entropy."

If you do this, you're not like most people.
Most people have at the most, one or two passwords that they use for everything: voice mail, ATM pin, website logins, etc.

My mother has a single numeric password she uses for EVERYTHING. I've spent years trying to talk her into using something else for critical accounts like banks, but she doesn't listen.

Most people are like that. Those of us who juggle multiple passwords, set our own algorithms and entropy for passwords, we're not like most people.

gregNovember 9, 2005 4:36 PM

I did have such a database. But I'm not about to get into trouble over this so i will give a board overview.

Context: English Speaking Uni, Physics Dept, Biology and Computer Science Depts.

Here it was all hubs untill very recently, you could sniff everything. Passwd varied a lot between Departments.

Physics: 90% english words (only about 70% have english as a first lang). 5% other langs... 4% common phyiscs constants aka 20th to the 25th digits of Pi.
1% looked "good"

Bio Dept. 95% english words.. 4% had a Number in there. A few bio terms for the rest. In a Deptment of about 3000 ppl, only 4 good passwd were seen.

Computer Science Dept: 30% english words. 10% other langs. 20% words and numbers. the rest looked "good" But almost all trafic sniffed was grad students or higher.

All depts Admin: 100% english words or names.

Ok not that informative: But you should see the stats it got on porn by Deptment!

DavidNovember 9, 2005 4:41 PM

Just a comment that it doesn't have to be a hub. A switch will allow you to do the same thing if you have the right software (ettercap works nice), and some switches don't work quite right anyway and dump data to many ports.

Oh, and what about the security on the switch itself? I wonder how many still have the default password?

Also, if you use some of the Man in the middle type attacks you can even read the secure (SSL, etc) data streams, with very few people being able to detect you.

"Physical" access (being inside a network, and on the same subnet) allows you to do a LOT!

AnonymousCanuckNovember 9, 2005 4:46 PM

Problems like this are why I use a VPN while I am on the road. All Internet bound traffic goes over the VPN to my firewall at home. I use OpenVPN and firewall rules to insure that packets don't leak onto the local network once the VPN is setup. I could probably do the same with IPSec, however I find that the Linux IPSec implementation is a bit of a black box. The interaction between IPSec, iptables, and NAT is not clear. I am the type of person who likes to understand exactly what is going on.

I am not surprised that she collected more passwords at security related confrences and classes. In my experience the number of actual security professionals working in the field of IT security is a rather small percent.

My password policy is almost embarrassing. There is a high level of password reuse and longevity. After conducting my own threat and risk assesment I determined that the risk was not sufficent. There are other safegaurds in place.

Ravi CharNovember 9, 2005 4:49 PM

Are'nt the days of one factor authentication using password numbered in the next few years? Is there any benefit in analyzing the password database?

Lee MorrisNovember 9, 2005 5:04 PM

@Ravi

I think it's important in the sense that it shows that humans are usually still the weakest link in any security system. In the book "security engineering" by Ross Anderson, he mentions a study done on passwords and how likely users were to forget them etc. Plus, I think passwords will be around for a few years yet, they are too widely used and accepted to simply cast out for a new piece of technology.

m0f0kNovember 9, 2005 5:19 PM

Just a side point. i am assuming she actually got permission from the hotel to sniff the network ???

Pat CahalanNovember 9, 2005 6:01 PM

> Just a side point. i am assuming she actually got permission from the hotel to
> sniff the network ???

Why would she need it?

"Sniffing", unless you're actively pushing something onto the network (like, in an attempt to overload an ARP table or something of that nature) is passive. It certainly is in this particular instance.

You're not doing anything other than looking at and logging the packets that your machine is already receiving anyway.

The fact that most people don't pay attention to all the garbage being shouted out on their LAN doesn't mean that the communications aren't there.

It may be impolite... in the same way listening to someone else's conversation at an office party is impolite... but if the subjects are discussing a "secret", it's hardly secret any longer...

NilsNovember 9, 2005 6:52 PM

@greg

can you tell us from what time period this data is from? it might be interesting to compare to current data. one might hope that password quality increased a little with increase in public awareness of cyber crime. but then again..

SNovember 9, 2005 7:25 PM

Nitpick:

"The vast majority, 41 percent..." Last I checked, a majority was over 50 percent. A "vast majority" would be well over 50 percent.

"...Roger A. Grimes is a computer security veteran and author who has done consulting work for many Fortune 500 companies." I'm beginning to understand why he's a journalist.

Lee MorrisNovember 9, 2005 7:35 PM

@ S

It could be classed as a majority if there were 15 possible cases, each with only 8 or 9%, then something with 41% would be classed as a majority....i guess.

elegieNovember 9, 2005 8:11 PM

There are various Web sites that do not use SSL for their logins. The cost of an SSL certificate might be expensive, particularly for a smaller entity. Some would say that unauthorized access to a database is a greater concern than sniffing of network data. Even with SSL, it is certainly possible to overlook insecure storage of data. However, sensitive data (i.e., SSNs) should not be sent over an unencrypted connection! A problem could arise if the same password is used with a secure connection and also with an unsecure sniffable connection.

The SMTP and POP3 protocols support SSL encryption, but it is not always enabled. Perhaps some services should require the use of secure connections. Of course, the client software has to support encryption.

Policies can require passwords to have a certain minimum length, to contain numbers and special characters, or even to expire at intervals with no ability to be reused. However, this can cause difficulty for inexperienced users who have to choose a password. It also does not prevent one password from being used for multiple logins.

David McNettNovember 9, 2005 10:03 PM

At a previous job I set up an automated system to do this, with Dug Song's dsniff stuff running on a host, sniffing for unencrypted traffic and then "shaming" users (with enough information elided to reduce the risks) on a public terminal that displayed in real time the captured passwords.

I'm also reminded of a more manual implementation from the 2000 BSD conference in Monterey. Also a group of people who ought to know better.

billNovember 9, 2005 10:17 PM

David: There's a shaming board running in the network area at Supercomputing every year with the passwords they pull off their public networks. I've seen it since at least 2000.

Matthew X. EconomouNovember 9, 2005 10:26 PM

I keep meaning to fire up ARP poison routing on my cable Internet connection, after I ran tcpdump (for troubleshooting purposes) and noticed my fellow residents' computers ARPing for the gateway's MAC address. The only thing keeping me from doing serious damage, er, "research", is the fact that my lone Linux box is the WRT54GS access point/firewall itself, so there really isn't any practical way to store the results of my trolling.

JamesNovember 10, 2005 1:19 AM

I wonder what proportion of the HTTP passwords were worthless from the point of view of the persons either ignorant of sniffing or blithely ignoring that they could be sniffed. For example, I have "passwords" for access to many publically accessible web sites that require registration, but I have absolutely no concern about anyone sniffing those, since I view such passwords as mainly a nuisance the web site insists upon for visitor tracking, rather than a true password.

ARLNovember 10, 2005 7:16 AM

*Instead the Exec said "Why are you purposely hacking AD to pull out passwords?" Opps*

Password audits are not uncommon. I guess this exec may not have been up to speed or maybe the practice was not documented in policy?

Last password audit I was a part of at a large company got about 80% - 90% of the results in about 10 minutes. The rest held up to brute force for days.

J. Alex UrbanowiczNovember 10, 2005 8:02 AM

I have semi-funny anecdote apropos password cracking audits. I once worked as sysadmin at academic computing center. While doing some general hardening, I pulled passwd out of the NIS and ran crack(1) on it. Seconds later, BINGO! the Uberadmin's password comes out. Then we have the dialogue:

Me: Mirek, your password just came out as one of the early results in crack run!

Him: but this is a good password! [it looked good]

Me: sure, but crack found it easily. Never mind if it is good or bad, it is crackable.

Him: but this is a good password!

As far as I know he never changed it. But he forced site transition from NIS to LDAP.

And this was the password that could login you anywhere, including the Crays...

KronNovember 10, 2005 8:09 AM


To add slightly to greg's data:

I once dumped the password file once of a university computer but never got the chance to really analyze the results (it was a long time ago when I/O wasn't so easy, and it was a _long_ printout).

But I do remember the impression was that strong passwords were virtually non-existant; you could see that many accounts still had a lame, default-per-department password, and most passwords were common names or words.

Alexandre CARMEL-VEILLEUXNovember 10, 2005 9:36 AM

I remember a few years ago, one of my friends explained to me the "Bunny Principle":

In any sufficiently large password file, someone will use the word "bunny" as password. It worked for ISPs, large companies which didn't have systems in place to enforce strong passwords and Universities. Back then, most small companies just didn't have any passwords... Silly all Windows 95 networks and all.

JDONovember 10, 2005 9:50 AM

Back when I was in the Marines, in 3rd FSSG in 1999 the G6 (sys-admins) had the Win NT server passwords decoded and forced everybody to use long passwords with upper and lower case, numerals and special characters, and to change the password every 2 months. When the passwords were decoded many were english words, many had curse words in them. The curse words were banned as passwords.

RichNovember 10, 2005 11:03 AM

There was a paper in the old BSD manuals that as I recall said something like 1/3:1/3:1/3 for passwords, 'good', 'crackable' and 'dictionary', based on a survey that led to crypt. Using that, I asked a class of 20 or so 3rd year computer science students in an operating systems design class to each make up a password. Not their own, but same 'style'. It pretty much fit the 1/3:1/3:1/3 ratio. That was in '87, I think.

GeneNovember 10, 2005 12:58 PM

So, after reading an article about sniffing enencrypted passwords, why is everyone going on about what makes a good password?

Wasn't the article trying to point out that under a sniffable system, all passwords are weak? In a security system, we have to remember that the chain is never stronger than its weakest link.

gregNovember 10, 2005 1:42 PM

@Nils

That data was from 2000-2002. Also I should have noted that there are quite a few passwd "colisions" ie people with the same password.

KenNovember 10, 2005 2:50 PM

41% is not a majority, no matter how small the other segments are. A majority is "The greater number or part; a number more than half of the total." The 41% would be considered a plurality, not a majority.

Besides which, according to the article, the next-smallest segment was email at 40%. So there's no "vast" about it.

Ari HeikkinenNovember 10, 2005 3:36 PM

Would be pretty silly to login from a remote network without using either SSH or https links.

Davi OttenheimerNovember 10, 2005 4:23 PM

"Real password data is hard to come by."

Odd, since that comment is the opposite of what the article is stating.

Good suggestion to test passwords. Most security practitioners should be doing this regularly, but it is hardly the sort of information that is shared (obscurity, you know). I mean I can tell you the percentage of dictionary words, pet names, etc. on any system I have audited.

Wifi, OTOH does raise the interesting point that there are people who poison the air (mischeviously, maliciously, or accidentally) with bogus credentials. How would you differentiate from legitimate access if you are just passively collecting them? For example, people who sit idly and glom onto others' WiFi signals may at some point try and use the credentials they have stolen. Would these streams of brute-force attempts be considered part of the password database?

Trust me, if you've ever sat in a busy "hotspot" you will see so many passwords pinging your system that you couldn't possibly know without testing if you are seeing real or just fat-fingered dictionary words made into gibberish by accident. That being said, a guy I know of (for lack of a better description) became very adept at filtering out T-Mobile credentials and instantly applying them in order to avoid paying for the service himself.

Davi OttenheimerNovember 10, 2005 4:36 PM

Incidentally, the point that "one of the world's foremost Cisco security experts as his laptop broadcast 12 different log-in types and passwords during the presentation" strikes me as very odd.

Earlier in the article we are told "other than a few simple validity reviews and summary counts, my friend doesn’t look at the log-in names or passwords".

I use Cain myself, and I am wondering how exactly someone would notice "12 different log-in types and passwords" without actually looking at them? My guess is she was either looking at SSIDs (no big deal, they're always public even if you try to "hide"), protocols (nothing unique to wi-fi there, as Ari mentioned), or log-in names. Could it be something else?

MindshareNovember 11, 2005 1:57 AM

I would agree that there is an interestingpaper in her data. I think another big question would be if she could be held liable for the release of that information if her system was compromised...and what would that say about her as an example of access to a system...

Also isn't the complexity of a password and its ability to be hacked/cracked related to the amount of time it would take to determine the password versus the amount of time the hacker is willing to spend to obtain the password? I see it the same as why small bills are forged versus larger ones..yes the larger bills can potentially provide a better payout, but the smaller ones are much easier to get, duplicate and so on with less alarms attached.

Matthew X. EconomouNovember 11, 2005 10:14 AM

Just a quick update. Ran arpspoof and dsniff on my firewall the other day, only to have my cable company blackhole my MAC address. It's nice to see that somebody at the cable ISP is on the ball.

Matthew X. EconomouNovember 11, 2005 10:16 AM

Just a quick update. Ran arpspoof and dsniff on my firewall the other day, only to have my cable company blackhole my MAC address. It's nice to see that somebody at the cable ISP is on the ball.

AnonymousNovember 13, 2005 4:56 AM

Sure, we all use SSH or SSL whenever we can, but sometimes there's no choice. The basic problem is that it is still too darn hard (too expensive for the little guy, and too cumbersome for the corporate developer) to get SSL certs, so there are a lot of websites out there which i want to use but that don't have them. So sometimes i am *forced* to send plaintext passwords even though it makes me nervous (of course, i only use that password for that one site.)

But i have great hopes for these guys:
http://cert.startcom.org/
Pros: genuinely free SSL certs, out of the goodness of their hearts, because the web needs it.
Cons: in order to make this possible, they don't verify real world IDs, only that you do really control the domain for which the cert is issued.

I'm not sure what the best answer is here. We all know that a lot of users will think that a lock icon beneath a URL of https://www.bigbank.com is proof positive that they are talking to Big Bank Inc. of Someplace, USA when what it really means is that you are talking to a server that was trusted by the owner of the bigbank.com domain name (well, probably with a few extra indirections added if it really is a big bank). But so long as people try to insist on the former interpretation (which is really somewhat hard to verify), most sites will have no SSL cert at all, and traffic will be unencrypted.

StartCom's solution to this is that they have two CA certs, which correspond to different meanings from the signature. One just means you're the domain owner (these certs are free), the other means they saw your passport and your corporate licensing documents and checked the latter against various registries (these certs cost money). Alas, none of this will be apparent to the user unless he drills into the security properties for the page. Maybe what we need is a formal standard for different semantics of signature, and browsers that clearly display the difference between them.

cj maxwellNovember 13, 2005 12:51 PM

I'm far from expert in this area, but do try to not be stupid in public. While I've come up with a system that I can tolerate that *seems* to agree with the rules for strong passwords, I really don't have any information that would let me know if it's worth a damn or not.
My system is that I use the designations of items of military hardware with which I have some knowledge. This gives the combination of numbers and both upper and lower case letters and a few special characters-e.g.*M1918a4* or *SMLE Mk3* * damnit the asterisk after the 3 is part of the designation- and I can tack photos of the current items in plain view of the world with little worry of the picture giving things away.
But is it really any more secure than *bunny*??
Any feedback would be much welcome.

RogerNovember 13, 2005 4:51 PM

@cj maxwell:
"But is it really any more secure than *bunny*??"

Not any more 8^)

More seriously, what you're basically doing is gambling that a dictionary based attack won't have terms like this in its dictionary. If the attacker is unknown to you then there's a chance you're right but it's far from certain. On the other hand if the attacker already knows anything about you, or can guess your military interests from the domain he's attacking, then it's a cinch that the attack list will include every item from the JSP Glossary, thousands of items of military slang and every item of military hardware from every country in the world. Since all of that lot will only amount to a few hundred thousand words, it will only take a few seconds to work through it (assuming an off-line attack is possible), so then the cracking program will try them backwards, lowercased, uppercased, combinations of the above and then start with random applications of the shift key, e.g. so that M1918a4* becomes m!91*A$8. By this time he will have expended about 5 ~ 30 minutes, depending on the power of his computer, and will think about leaving the really heavy analysis to run overnight.

Short answer: DON'T use low entropy passwords, especially not ones with an obvious association to you.

The best current advice for choosing a strong shortish password which is easy to remember, is this: make up a little phrase of nonsense, then contract it to the required length by taking first letters (unless some internal letter looks more interesting), leaving in punctuation and numbers where they occur. Nowdays the result needs to be _at least_ 10 characters. For example:
"I went to the Boar's Head and had 7 pints of Old Speckled Hen." --> iw2tB'sH&h7poOSpkH
There's an 18 character password with mixed case, digits, punctuation, and no dictionary words, yet you can probably memorise it in under a minute. To the best of anyone's knowledge, there is no way to exploit the fact that there is an underlying phrase, except slightly weighting for letters that are more likely to start words (even with that weighting, it's strong).

Oh, and finally: this article wasn't really about choosing strong passwords, although it drifted into it. The point is that if your password is sent unencrypted over an insecure network, then it doesn't matter how strong it is. Most wired networks and nearly all wireless networks are insecure.

Davi OttenheimerNovember 14, 2005 1:56 AM

Well, I was wandering around with an 80% dictionary attack number stuck in my head (too many l0phtcrack reports, perhaps), when I decided to see if I could actually find some published data.

There are a few minor articles that say a 30% dictionary attack is typical, with 5-10% username attack, but they never produce a compelling breakdown to make their numbers convincing.

Then I happened to find a paper from the 1990 2nd USENIX Security Workshop called "Foiling the Cracker: A Survey of, and Improvements to, Password Security":

http://www.klein.com/dvk/publications/passwd.pdf

13,797 accounts were tested from around the world. Note page seven and eight for a breakdown on length and type of passwords:

"The results are quite disheartening. The total size of the dictionary was only 62,727 words (not counting various permutations). This is much smaller than the 250,000 word dictionary postulated at the beginning of this paper, yet armed even with this small dictionary, nearly 25% of the passwords were cracked!"

User name 2.7%
Common name 4.0%
Female names 1.2%
Phrases and patterns 1.8%
Dictionary words 7.4%

And so on...an excellent paper. I highly recommend it, especially since it underscores the extant body of knowledge regarding password cracking.

Davi OttenheimerNovember 14, 2005 2:23 AM

Incidentally, it looks like the final data was actually a revision for a paper at the 14th DoE Computer Security Group, in May 1991 (same reference as above):

6 characters 1160 34.7%
7 characters 813 24.4%
8 characters 780 23.4%

I find these numbers surprising since it seems very similar to today's stats. Best practices have struggled to get beyond the six characters mark for years (partly due to system limitations, but mostly due to user resistance with an eight character minimum).

Before we can draw too many conclusions about length, however, we have to consider the relationship between the age of the systems, the experience of the administrators, and the skill of the users.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..