At SDSC, eliminating plaintext passwords is one of a handful of key strategies we have implemented that have been quite effective at preventing intrusions into our hosts.
We manage to support thousands of users, spread out across the planet, without mandating homogeneity of client software or simply not providing service. Our users can remotely access our systems as effectively as they can locally. We could not do so and keep our systems secure without eliminating plaintext passwords.
This strategy and the effort to eliminate plaintext passwords came out of several yearly security reviews performed at SDSC from 1994 through 1997. In these reviews, we analyzed all the security events from those years and determined the underlying causes of the problems. It was obvious from these analyses that the easiest and most common way for our user accounts (and hosts) to be compromised was network password sniffers running at the home sites of our thousands of users. In one year (1997), sniffers running at other sites accounted for almost all of our significant security events.
It was plain that something had to be done.
Plaintext Authentication is a Problem
Most commonly used protocols/applications transmit reusable passwords in the clear (plaintext passwords).
Why is this a problem? Because anyone monitoring (eavesdropping on) the network transmission can intercept and use those passwords to gain access to your systems. And most of the intrusions we've seen include the use of a sniffer (eavesdropping software): an intruder will install a sniffer just to see if they can pick up some good passwords while they are in the neighborhood.
Compromise of a user password is one of the most difficult intrusions to detect. When a valid username and password are presented, how does the system know whether or not they are being presented by the actual authorized user? How do you, as a system administrator, know whether or not a particular session belongs to the actual user or an intruder with a stolen password? You might be able to make an inference based on the source of the intrusion, or some pattern of behavior like time of access, but that's prone to error and rather cumbersome to implement.
The best strategy is to prevent interception of passwords in the first place. This can be done in several ways:
(We like number 3.)
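To make the "reusable" part of the problem concrete, here is an added example (not from the original page and not SDSC's code) that records what crosses the wire during one legitimate login and then presents the same bytes again. The HMAC challenge-response scheme, the class and function names, and the sample account are assumptions chosen for illustration; it is one way to keep the password off the network, not necessarily one of the solutions SDSC uses.

```python
import hashlib
import hmac
import secrets

USERS = {"alice": b"correct horse battery"}  # constructed sample account

def response(password, nonce):
    """Client proof: HMAC of the server's nonce, keyed with the password."""
    return hmac.new(password, nonce, hashlib.sha256).digest()

class PlaintextServer:
    """Accepts a reusable password sent in the clear."""
    def login(self, user, wire_bytes):
        secret = USERS.get(user)
        return secret is not None and hmac.compare_digest(wire_bytes, secret)

class ChallengeServer:
    """Issues a fresh nonce per attempt; the password never crosses the wire."""
    def __init__(self):
        self._pending = {}

    def challenge(self, user):
        self._pending[user] = secrets.token_bytes(16)
        return self._pending[user]

    def login(self, user, wire_bytes):
        nonce = self._pending.pop(user, None)  # each nonce is single use
        secret = USERS.get(user)
        if nonce is None or secret is None:
            return False
        return hmac.compare_digest(wire_bytes, response(secret, nonce))

def replay_outcomes():
    """Log in once legitimately, record the wire bytes, then replay them."""
    pw = USERS["alice"]
    plain, chal = PlaintextServer(), ChallengeServer()
    seen_plain = pw  # bytes visible on the network in the plaintext case
    seen_chal = response(pw, chal.challenge("alice"))
    first = {"legit_plain": plain.login("alice", seen_plain),
             "legit_challenge": chal.login("alice", seen_chal)}
    chal.challenge("alice")  # a later session is issued a new nonce
    return {**first,
            "replay_plain": plain.login("alice", seen_plain),
            "replay_challenge": chal.login("alice", seen_chal)}

if __name__ == "__main__":
    for name, ok in replay_outcomes().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Both legitimate logins succeed, but only the plaintext server accepts the recorded bytes a second time. Note that this simple scheme still requires the server to hold a password-equivalent secret, which is a separate storage risk from the network exposure discussed here.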
The key to eliminating plaintext passwords is realizing that there is no one solution that fixes everything. Instead, we rely on a combination of solutions for the different services we support. In some cases, we support multiple services to allow our users to choose their own client software.
Here is a matrix of the solutions we use:
All the services for which we provide non-plaintext authentication...
Documentation and Tutorials
Installation and Configuration of...
Literature and Documentation
San Diego Supercomputer Center (SDSC)