'Participating with Safety' index   «   Mobbs' Environmental Investigations   «   FRAW

APC/GreenNet Internet Rights Logo Association for Progressive Communications: 'Participating With Safety'
A series of briefings on information security and on-line safety for civil society organisations

Unit 3. Passwords and Access Controls

Controlling access to information with with words, keys and digital locks

Written by Paul Mobbs for the Association for Progressive Communications, 2002.
© 2002-2008 APC/Paul Mobbs, released under The Gnu Free Documentation License (GFDL), version 1.2.
For further information contact: http://www.fraw.org.uk/mei/ or mei@fraw.org.uk.
For a PDF version of this document, click here.
For a Word version of this document, click here.

This briefing is one of a series on Information Security. It looks at:

A summary of access control

Access control

'Access control' is all about ensuring that information is accessible to those who need it, but not to those who do not. This is not always as straightforward as it seems; being too strict about access can deny information to those need it.

To control access effectively and efficiently you need to think in terms of layers:

So, for example, if your computer can dial in to the Internet, it is a good idea to control who uses it – otherwise someone could use your computer to do things on the Internet in your name. But rather than close the whole computer, all you need to do is set up your Internet services for manual connection, rather than leaving your password on the computer and allowing automatic connections. This way other people can use the computer, but you can control who gets access to the Internet through it.

Classifying data

You should seek to classify data according to its sensitivity; you can then manage access on the basis of the sensitivity of the resources or information concerned, and not solely on the basis of whoever has clearance use the computer.

When considering how to protect the information you hold, remember that access can be controlled by a number of means, but you must always assume that any data held on a computer is vulnerable to disclosure:

You can minimise the likelihood of sensitive information being disclosed, but you cannot, in the face of a determined effort to get access to the information you hold prevent access. For example, a raid by the state will result in you computer, with its encrypted data, being seized, and in many states the failure to turn over the encryption key and password can result in imprisonment. In these circumstances you would have to chose between your liberty and disclosing your most secret information.

In terms of controlling access, this leads to three simple rules:

« back to top »

Passwords and Authentication

Many people do not bother using passwords because the range of passwords can eventually get confusing, and if you make mistakes you are denied access.

Passwords are a means of authenticating access – of proving a permission to undertake some sort of action. There are various forms of authentication in use today:

Computers can use all of these methods. Most non-corporate computers use only passwords, although the technology to allow other forms of authentication can be purchased.

In practice, authentication is only of use where the systems are able to effectively implement controls over access. Under the Windows operating system (Windows 95/98/ME etc.) the evolved standard is that only one password is used to log on to the system, but even then this password can be easily circumvented and full access to the system granted. In this sort of environment the strength of your passwords, or the regularity with which you change them, makes very little difference. You can build in security by other means, but even these additional methods can be circumvented by skilled computer users and computer security experts.

There are other options to improve the security of Windows system; for example, using the password protection for word processor files and the files created by many other office-based applications.

But because Windows does not prohibit the running of new software by any user, people may run programs that can use you own computer's resources to 'crack' (break the security of) your Windows passwords, as well as the passwords used to protect the most popular word processor and other files.

You can buy additional security features for Windows, using a variety of authentication systems, but as this is not standard, and it is designed for the corporate environment, it is expensive.

There are also other proprietary products you can by that provide some extra protection for systems by preventing software being installed, or preventing access to certain areas of the system without a password. But these products have been developed for the business world by computer security companies, and so are expensive.

The most secure, easily available option available for use with a Windows system is encrypting files, or setting up an encrypted area on the hard disk. Programs such as PGP Free can do this (see briefing no.4, Using Encryption and Digital Signatures), and program like this are available free from a number of sources. Using encryption requires the use of a password to access or decrypt files, so providing an additional layer of security.

Keeping the same password for a long period need not be risky provided it is appropriate for that use. On many systems you may have one password for the hardware booting up, another for logging onto your system, and a third/fourth for going online and getting email. Adding to this burden with more unique passwords, and expecting them to be changed often, creates problems for many people.

The need to change passwords is in fact only related to the probability that others can discover them. For example, if you have a very secure computer, unused by others, in an office of your own, you will not need to change passwords very often. But certain passwords, such as the passwords used to access a network (including the passwords used over the network, such as those to access email or shared files), will need to be changed more regularly because they can be extracted from the network by those with the skills to do so.

« back to top »

Using passwords

As we have seen, passwords are inherently insecure in protecting systems. To be useful they must be memorable, but their strength lies in the fact they are not so simple that they can be guessed or extracted by accident from the user.

The strength of a password is dependent upon its length, and the number of characters in the character set available to the user. Most passwords allow upper and lowercase letters, the numbers 0 to 9 and the underscore ('_') character. Some passwords limit the length of the password, whilst others enforce a minimum length. You should try to find out exactly what characters are permitted in the password to ensure you can improve its strength.

The protection given by passwords, particularly on Internet/network connected machines, is reliant on being able to resist mechanised as well as manual cracking attempts and so the greatest number of possible combinations must always be used. Therefore passwords should not be names, dictionary words, or other information that describes publicly available information about you (birth dates, house numbers, friends, partners, etc.).

For example, using only uppercase characters, there are 26 possible options, so a six digit password will have almost 309 million combinations (you can calculate the number of combinations by taking the number of possible characters and raising it to the power of the number of characters in the password). If we use all the possible symbols that can be easily typed on a PC compatible keyboard there are roughly 96 options, making 782 billion 6-letter password combinations. But in practice common words are used as part of the password, reducing the available combinations to only a few tens of thousands, but this can be increased by adding numbers, non-alphabetic characters, or even using words from another language than your native language.

There are many hard and fast rules on passwords, but for most people the work involved in meeting all these rigid rules is too onerous. Most people evolve their own rules, according to the sensitivity of the work they undertake, and the way their computer systems are configured. In general:

« back to top »

Using passwords to improve security

For most computer systems you can use the following tips to improve the security of your system:

Passwords and Linux

Linux provides a far higher level of security than Windows. A user name and password are required to gain access to the system, and even then the access granted is only to the areas of the system permitted to that user. The system protects user accounts by denying access between the information owned by different users, unless the user concerned permits this.

The loading of new software is also not permitted on Linux systems unless you have the passwords for the computer's master or 'root' user. Linux is not totally secure, and for the expert Linux users there are means to circumvent the protection given to users and the controls over the operating system. But compared to the way the most popular versions of Windows operate, it is far more secure.

The level of security means that file passwords are not as important compared to Windows systems – but many programs, such as Star Office, allow you to set them.

For those who might have problems with excessive security, such as young children, Linux systems allow the setting-up password-less accounts using the configuration options open to the root users,. This means that on the same computer you can give irregular users access to the system, as well as giving regular users good security for their data (although, be aware, that it is possible for expert users of Linux to abuse the system from a password-less account).

« back to top »

Free Documentation License:

Copyright © 2001-2008 Association for Progressive Communications (APC) and Paul Mobbs. Further contributions, editing and translation by Karen Banks, Michael de Beer, Roman Chumuch, Jim Holland, Marek Hudema, Pavel Prokopenko and Pep Turro. The project to develop this series of briefings was managed by the Association for Progressive Communications, and funded by OSI.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version (see http://www.gnu.org/copyleft/ for a copy of the license). You can also download the license here.

Please note that the title of the briefing and the 'free documentation license' section are protected as 'invariant sections and should not be modified.

For more information about the Participating With Safety project, or if you have questions about the briefings, contact secdocs@apc.org.

Paul Mobbs/Mobbs' Environmental Investigations Archive – http://www.fraw.org.uk/mei/
© 2002-2008 APC/Paul Mobbs. This document has been released under The Gnu Free Documentation License (GFDL, version 1.2).