Going beyond passwords

19 August, 2009 08:14 AM IST | Balaji Narasimhan

This standard system of ensuring security is flawed


Everywhere one looks at IT, the winds of change are blowing, but one thing has endured for almost half a century: the password. In fact, it was in 1961 that MIT's CTSS (Compatible Time-Sharing System) introduced a username and password, perhaps the first system to do so.

While the password system is ubiquitous, it is flawed and an extremely clunky way of securing anything for the following reasons:

>> Length: A password should be longer than 10 characters to be really secure, and many users don't usually choose such long passwords.

>> Strength: To make a password tough, the algorithm that protects it should ensure that it is computationally intensive to break the password. Since computers are getting more powerful every day, staying ahead of the race is difficult. Also, users choose things like their own name, which makes the password weak.

>> Have a peek: Even if you choose a long password, and even if the algorithm used to secure the system is armour-plated, all it takes is somebody peeking over your shoulder and seeing what password you are typing to cause damage.

Alternatives
Some alternatives include usage of fingerprint and iris scanners, but it is not possible for us to use these things everywhere. Can we equip every computer with an iris scanner or a fingerprint reader? Doubtful.

But, thanks to the proliferation of the mobile phone, we could use the SMS system to authenticate users. This is not foolproof (nothing ever is), but it adds a layer of security. Think of it as similar to using an ATM machine: you need both the ATM card and the pass code.

How it works
The mobile combined with the PC can make the concept of a one-time password a reality. This is how it could work:

>> Start up: You register for a service and provide a mobile number. Part of this authentication could be done by the snail mail system; for example, you could be asked to courier a photocopy of your mobile bill, complete with your address, to sign in.

>> Authentication: Once the formalities are finished, you login with just your ID. The system uses your ID to locate your mobile number and then sends you a password by SMS. This password can only be used once. The next time you login, you will need another password.

Pros and cons
While this can give another level of security, it can be broken if some hacker is clever enough to change the mobile number that the service provider holds so that he gets the password in the SMS, not you. But this system is better than just relying on a password.

It is also irksome to get a new password every time you login, so another alternative could be considered: a 24-hour password. With this system, you get a password when you login for the first time, which is valid for 24 hours. After that, you need a new password.

QUICK TAKE
>> Passwords are not very safe
>> Users don't change them often
>> They are easy to hack

SMSMA? What's that?
In the early 90s, while using a UNIX system at a leading educational institute, my pals and I broke into a UNIX system, which is generally known to be quite strong on safety. One of my friends saw the admin (called root) type a password and logged in as root, getting full powers of the system, but had a problem: how to keep a root account for keeps? What if the real root changed the password?

We hit upon an idea: we created a user called SMSMA (it stood for nothing, really) and went to the data file for the user (if my memory serves me right, it was /tcb/files/auth/s/smsma) and gave it a user-type of 'root'.
So far so good. But there is a problem: the real root could have tracked down this account and made it inoperative anytime by scanning for 'root' users in the /etc/passwd file. The format of this file is:

USERNAME:PASSWORD:UID:GID:COMMENT:HOME_DIRECTORY:SHELL

The fields are separated by a ':' and the third field indicates the user ID. Here, '0' (zero) is reserved for root. The real root could have deleted all entries in the /etc/passwd file (except for his own, of course) which had a '0' in the third field.

To ensure that this didn't happen, we had to edit /etc/passwd and change the fifth field (which records comments) to "Modi Olivetti maintenance." Since this company was doing the maintenance, nobody touched this account!
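The scan the real root could have run, written out as an added example that is not from the column: it parses /etc/passwd-style records and reports every account whose third field is 0 other than root. The sample records are constructed for this example, and the 'smsma' entry mirrors the backdoor described above, friendly comment field included, to show that the disguise does nothing against a check on the numeric UID.

```python
# Constructed sample in /etc/passwd format (USERNAME:PASSWORD:UID:GID:COMMENT:HOME:SHELL).
# The 'smsma' entry is modelled on the account the column describes; the last
# line is deliberately malformed to exercise the error path.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
balaji:x:1001:1001:Balaji:/home/balaji:/bin/sh
smsma:x:0:0:Modi Olivetti maintenance.:/home/smsma:/bin/sh
broken line without fields
"""


def parse_passwd(text):
    """Return (records, errors). Each record is
    (username, uid, gid, comment, home, shell) for a well-formed line.
    Malformed lines are reported rather than skipped silently, because a
    tampered file is exactly where odd lines turn up."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            errors.append((lineno, "expected 7 fields, got %d" % len(fields)))
            continue
        name, _pw, uid, gid, comment, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            errors.append((lineno, "non-numeric UID/GID"))
            continue
        records.append((name, uid, gid, comment, home, shell))
    return records, errors


def find_uid0_accounts(text, allowed=("root",)):
    """Names of UID-0 accounts other than those in `allowed`.
    The test keys on the numeric third field only, so the comment field,
    however reassuring, gives an extra superuser account no cover."""
    records, _errors = parse_passwd(text)
    return [name for name, uid, *_ in records if uid == 0 and name not in allowed]


if __name__ == "__main__":
    print(find_uid0_accounts(SAMPLE_PASSWD))  # ['smsma']
```

On a real system, read the file with `open("/etc/passwd").read()` in place of the constructed sample; any name the function returns deserves a look, whatever its comment says.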
