FIREWALLS

Introduction To Firewalls

Introduction

A firewall is simply a system designed to prevent unauthorised access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorised Internet users from accessing private networks connected to the Internet. All data entering or leaving the Intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world. This helps prevent "hackers" from logging into machines on your network. More sophisticated firewalls block traffic from the outside to the inside, but permit users on the inside to communicate a little more freely with the outside.

Firewalls are also essential since they can provide a single block point where security and audit can be imposed. Firewalls provide an important logging and auditing function; often they provide summaries to the admin about what type/volume of traffic that has been processed through it. This is an important point: providing this block point can serve the same purpose (on your network) as a armed guard can (for physical premises).

Theoretically, there are two types of firewalls:

1. Network layer

2. Application layer

They are not as different as you may think, as described below.

Which is which depends on what mechanisms the firewall uses to pass traffic from one security zone to another. The International Standards Organization (ISO) Open Systems Interconnect (OSI) model for networking defines seven layers, where each layer provides services that higher-level layers depend on. The important thing to recognize is that the lower-level the forwarding mechanism, the less examination the firewall can perform.

Network layer firewalls

This type generally makes their decisions based on the source address, destination address and ports in individual IP packets. A simple router is the traditional network layer firewall, since it is not able to make particularly complicated decisions about what a packet is actually talking to or where it actually came from.Modern network layer firewalls have become increasingly more sophisticated, and now maintain internal information about the state of connections passing through them at any time.

One thing that's an important difference about many network layer firewalls is that they route traffic directly though them, so to use one you either need to have a validly assigned IP address block or to use a private internet address block. The network layer firewalls tend to be very fast and tend to be mostly transparent to its users.

Application layer firewalls

These generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and examination of traffic passing through them. Since proxy applications are simply software running on the firewall, it is a good place to do lots of logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one side and out the other, after having passed through an application that effectively masks the origin of the initiating connection.

Having an application in the way in some cases may impact performance and may make the firewall less transparent. Early application layer firewalls are not particularly transparent to end-users and may require some training. However more modern application layer firewalls are often totally transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.

The Future of firewalls sits somewhere between both network layer firewalls and application layer firewalls. It is likely that network layer firewalls will become increasingly aware of the information going through them, and application layer firewalls will become more and more transparent. The end result will be kind of a fast packet-screening system that logs and checks data as it passes through.

Firewall Topologies

Introduction

In this section we are going to talk about the different ways a firewall can be set up. Depending on your needs, you can have a very simple firewall setup which will provide enough protection for your personal computer or small network, or you can choose a more complicated setup which will provide more protection and security.

Let's have a look starting from the simple solutions, and then move on to the more complicated ones. Just keep in mind we are not talking about a firewall which is only a piece of software which runs on the same computer you use to connect to the internet and do your work, but we are talking about a physical computer which is a dedicated firewall.

A Simple Dual-Homed Firewall

The dual-homed firewall is one of the simplest and possibly most common way to use a firewall. The Internet comes into the firewall directly via a dial-up modem (like me :) ) or through some other type of connection like an ISDN line or cable modem. You can't have a DMZ (See the DMZ page for more info) in this type of a configuration.

The firewall takes care of passing packets that pass its filtering rules between the internal network and the Internet, and vice versa. It may use IP masquerading and that's all it does. This is known as a dual-homed host. The two "homes" refer to the two networks that the firewall machine is part of - one interface connected to the outside home, and the other connected to the inside home.

This particular setup has the advantage of simplicity and if your Internet connection is via a modem and you have only one IP address, it's what you're probably going to have to live with unless you create a more complex network like the one we are going to talk about.

A Two-Legged Network with a full exposed DMZ

In this more advanced configuration, shown in the picture below, the router that connects to the outside work is connected to a hub (or switch).

Machines that want direct access to the outside world, unfiltered by the firewall, connect to this hub. One of the firewall's network adapters also connects to this hub. The other network adapter connects to the internal hub. Machines that need to be protected by the firewall need to connect to this hub. Any of these hubs could be replaced with switches for added security and speed, and it would be more effective to use a switch for the internal hub.

There are good things about the exposed DMZ configuration. The firewall needs only two network cards. This simplifies the configuration of the firewall. Additionally, if you control the router you have access to a second set of packet-filtering capabilities. Using these, you can give your DMZ some limited protection completely separate from your firewall.

On the other hand, if you don't control the router, your DMZ is totally exposed to the Internet. Hardening a machine enough to live in the DMZ without getting regularly compromised can be tricky.

The exposed DMZ configuration depends on two things: 1) an external router, and 2) multiple IP addresses.

If you connect via PPP (modem dial-up), or you don't control your external router, or you want to masquerade your DMZ, or you have only 1 IP address, you'll need to do something else.There are two straightforward solutions to this, depending on your particular problem.

One solution is to build a second router/firewall. This is useful if you're connecting via PPP. One machine is the exterior router/ firewall (Firewall No.1). This machine is responsible for creating the PPP connection and controls the access to our DMZ zone. The other firewall (Firewall No.2) is a standard dual-homed host just like the one we spoke about at the beginning of the page, and its job is to protect the internal network. This is identical to the situation of a dual homed firewall where your PPP machine is the local exterior router.

The other solution is to create a three-legged firewall, which is what we are going to talk about next.

The Three-legged firewall

This means you need an additional network adapter in your firewall box for your DMZ. The firewall is then configured to route packets between the outside world and the DMZ differently than between the outside world and the internal network. This is a useful configuration, and I have seen many of our customers using it.

The three-legged setup can also give you the ability to have a DMZ if you're stuck with the simple topology outlined first (dual homed firewall). Replace "router" with "modem," and you can see how this is similar to the simple topology (dual homed firewall), but with a third leg stuck on the side :)

If you're being forced or have chosen to IP masquerade, you can masquerade the machine or machines in the DMZ too, while keeping them functionally separate from protected internal machines. People who have cable modems or static PPP connections can use this system to run various servers within a DMZ as well as an entire internal network off a single IP address. It's a very economic solution for small businesses or home offices.

The primary disadvantage to the three-legged firewall is the additional complexity. Access to and from the DMZ and to and from the internal network is controlled by one large set of rules. It's pretty easy to get these rules wrong if you're not careful !

On the other hand, if you don't have any control over the Internet router, you can exert a lot more control over traffic to and from the DMZ this way. It's good to prevent access into the DMZ if you can.

And I think that just about completes our discussion of Firewall Topologies !

The DMZ Zone

Introduction

The De-Militarized Zone, or DMZ, is an expression that comes from the Korean War. There, it meant a strip of land forcibly kept clear of enemy soldiers. The idea was to accomplish this without risking your own soldiers' lives, thus mines were scattered throughout the DMZ like grated Romano on a plate of fettucine :) The term has been assimilated into networking, without the cheese :)

Network geeks use it to mean: "a portion of your network which, although under your control, is outside your heaviest security." Compared to the rest of your network, machines you place in the DMZ are less protected, or flat-out unprotected, from the Internet.

Once a machine has entered the DMZ, it should not be brought back inside the network again. Assuming that it has been compromised in some way, bringing it back into the network is a big security hazard.

Use of the DMZ

If you decide to build one, what do you do with it? Machines placed in the DMZ usually offer services to the general public, like Web services, domain name services (DNS), mail relaying and FTP services (all these buzzwords will be explained next). Proxy servers can also go in the DMZ. If you decide to allow your users Web access only via a proxy server, you can put the proxy in the firewall and set your firewall rules to permit outgoing access only to the proxy server.

As long as you've attended to the following points, your DMZ should be ok:

If you put a machine in the DMZ, it must be for a good reason. Sometimes, companies will set up a few workstations with full Internet access within the DMZ. Employees can use these machines for games and other insecure activities. This is a good reason if the internal machines have no Internet access, or extremely limited access. If your policy is to let employees have moderate access from their desktops, then creating workstations like this sends the wrong message. Think about it: The only reason why they would use a DMZ machine is if they were doing something inappropriate for the workplace !

It should be an isolated island, not a stepping stone. It must not be directly connected to the internal network. Furthermore, it shouldn't contain information that could help hackers compromise other parts of the network. This includes user names, passwords, network hardware configuration information etc.

It must not contain anything you can't bear to lose. Any important files placed on the DMZshould be read-only copies of originals located within the network. Files created in the DMZ should not be able to migrate into the network unless an administrator has examined them. If you're running a news server and would like to archive news, make sure the DMZ has its own archival system.

What sort of things shouldn't you do? Example: If you're running an FTP server in the DMZ, don't let users put confidential information on there so they can get it from home later.

It must be as secure a host as you can make it. Just because you're assuming it's secure doesn't guarantee that it is. Don't make it any easier for a hacker than absolutely necessary. A hacker may not be able to compromise your internal network from your DMZ, but they may decide to use it to compromise somebody else's network. Give serious thought to not running Windows on your DMZ machines; it's inherently insecure and many types of intrusions can't be detected on Windows. Linux or openbsd can provide most, if not all, the needed functionality along with a more secure environment.

DoS & DDoS Attacks

Introduction

In this section we are going to have a quick look at DoS and DDoS attacks, how they are performed and why they attract so much attention ! We won't be getting into much detail as we are just trying to give everyone a better understanding of the problem.

Denial of Service attacks

Denial of Service (DoS) attacks can be a serious federal crime with penalties that include years of imprisonment and many countries have laws that attempt to protect against this. At the very least, offenders routinely lose their Internet Service Provider (ISP) accounts, get suspended if school resources are involved, etc.

There are two types of DoS attacks:

1) Operating System attacks: Which target bugs in specific operating systems and can be fixed with patches.

2) Networking attacks: Which exploit inherent limitations of networking and may require firewall protection.

Operating System Attacks

These attacks exploit bugs in a specific operating system (OS), which is the basic software that your computer runs, such as Windows 98 or MacOS. In general, when these problems are identified, the vendor, such as Microsoft, will release an update or bug fix for for them.

So, as a first step, always make sure you have the very latest version of your operating system, including all bug fixes. All Windows users should regularly visit Microsoft's Windows Update Site (and I mean at least once a week!) which automatically checks to see if you need any updates.

Networking Attacks

These attacks exploit inherent limitations of networking to disconnect you from your ISP, but don't usually cause your computer to crash. Sometimes it doesn't even matter what kind of operating system you use and you cannot patch or fix the problem directly. The attacks on Yahoo and Amazon by "mafiaboy" were large scale networking attacks and demonstrated that nobody is safe against a very determined attacker.

Network attacks include ICMP flood (ping flood) and smurf which are outright floods of data to overwhelm the capacity of your connection, spoofed unreach/redirect also known as "click" which tricks your computer into thinking there is a network failure and voluntarily breaking the connection (this is used to disconnect MIRC users), and a whole new generation of distributed denial-of-service (we speak about them later on).

Just because you were disconnected with some unusual error message doesn't mean you were attacked. Almost all disconnects are due to natural network failures. On the other hand, you should feel suspicious if you are frequently disconnected.
What can you do about networking attacks? If the attacker is flooding you, essentially you need to have a better connection than he does. Otherwise your only recourse may be a firewall run by your ISP.

Distributed Denial-of-Service

A distributed denial-of-service ( DDoS ) attack is similair to the DoS attack described above, but involves a multitude of compromised systems which attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.

A hacker (or, if you prefer, cracker) begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master." It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple -- sometimes thousands of -- compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The result of these packets which are sent to the target causes a denial of service.

While the press tends to focus on the target of DDoS attacks as the victim, in reality there are many victims in a DDoS attack -- the final target and as well the systems controlled by the intruder.

Locking Windows

Introduction

Static IPs are part of the persistent-connection problem, but Windows itself is also to blame. (Consumer editions of Windows, anyway--NT and Windows 2000 are a different game entirely.) Windows 95 and 98 are full of security gaps. Here are a few things you should do to close them up.

What To Do

Turn off file sharing if you don't need it. If you're not sharing files with other computers--usually you would do so over a home network--then disabling this feature closes up plenty of holes. To ensure file sharing is off, right-click Network Neighborhood and pick Properties. Click the button labeled "File and Print Sharing" and make certain that both boxes in the
resulting dialog box are unchecked.

Set up file sharing carefully if you need to use it. Right-click Network Neighborhood, choose Properties, and click "File and Print Sharing." Check the box next to "I want to give others access to my files." Next, pick or create a specific folder you'll let people access, such as c:\My Documents\Photos. In Windows Explorer, right-click the folder and pick Sharing from the context menu. In the dialog box that appears, click the radio button next to Shared As: and enter a name for the folder in the field to the right. (The name you choose is the name that will appear to those who browse the folder over the network or the Internet).

If you want people to be able to add, remove, or change documents in the folder, click the Full radio button under Access Type.

If you want people to be able only to copy or look at the files in the folder, click the Read Only radio button.

In either case, be sure to enter a password (no fewer than four and no more than eight characters) in the field at the bottom of the dialog box. The dialog box will allow you to click OK without your entering a password, but in that case, anybody who browses the folder will get access to the files inside.

Monitor your shared folders using the Windows Net Watcher utility. The app displays all the users currently connected to shared folders and lets you disconnect them if necessary. The utility isn't part of Windows 95 or 98's default installation, but you can install it from your Windows CD-ROM by following these steps:

1.Click Start, Settings, Control Panel and open Add/Remove Programs.

2.Click the Windows Setup tab. In Windows 98, scroll down the list of setup categories and double-click System Tools. In Windows 95, find and double-click Accessories.

3.Check the box next to Net Watcher, and click OK twice to exit the dialogs.

4.Windows will install Net Watcher. After your system's rebooted, choose Start, Programs, Accessories, System Tools, Net Watcher to launch the utility.

Download system patches. Windows 98 users can head to the Windows Update Web site to automatically download security-related patches for their operating system. If you're still using Windows 95, you'll have to download each Security Update patch manually at the Windows 95 Downloads page.

Check your shields. After you've taken the steps above, the Shields UP! Web site (run by Gibson Research Corporation) can look at your connection to the rest of the world and let you know if any holes remain. Drop by and see if you have any further vulnerabilities. Shields UP! also contains some extremely in-depth advice regarding Windows networking settings.

Securing Your Home Network

Introduction

Most people who use computers these days have had to deal with a security issue of some kind – whether they are aware of it or not. Everyone has been infected by one of the many worms or viruses floating around the Internet, or have had someone use your password. Most home computer users are victims of attacks that they have no idea about.

For example, certain programs called ‘spyware' come packaged into seemingly friendly programs you download, this spyware can do any one of a number of things, though most often they send your personal information (such as name and email address) and information about what sites you visit to certain companies.

These in turn will sell your personal information to the spammers and email marketers who will proceed to clog your inbox with junk that they think you might be interested in. To explain how this works, you download a program – say a video player – from the Internet and install it. In the background it installs some spyware. Now you start surfing to car sites, soon you can expect your email inbox to be full of spam offering you great deals on used cars etc.

A lot of people work on the principle that their home computer contains nothing interesting enough for an attacker, what they don't realise is that while an attacker may not target your system specifically, it is very common for them to use programs that will scan vast ranges of the Internet looking for vulnerable systems, if yours happens to be one, it will be automatically taken over and placed at the attackers command. From here he can do a variety of things, like using your computer to attack other sites on the Internet or capturing all your passwords.

Worms and email viruses work the same way, they infect one machine, and then spread by trying to email themselves to everyone in your guest book, or turning your machine into a scanning system to find other targets. They may even contain a malicious payload that can destroy your files, or even worse – email your private documents to everyone you know (this was the case with a worm a few years ago).

Given that the things we use the computer for these days such as online shopping for books or music, electronic banking etc, these threats have a more serious implication than most people realise. You may not have anything worthwhile on your computer, but what if an attacker is able to steal your credit card information when you are buying a book from Amazon.com, or steal the password to your online banking account ?

Luckily the steps you have to take to secure your own PC are fairly simple and can be accomplished by non-technical users given the right guidance. If you follow the guidelines we have given here, you will be safe from most forms of Internet based threats. So here are a few steps you can take.

Email Security

A lot of viruses these days, such as the recent MyDoom virus, spread by emailing themselves to people as an attachment, the email can appear to come from anywhere.. most often it will appear to come from a friend, or an address like admin@yahoo.com if you use a yahoo account. The email will try and convince you to download and run the attachment which may appear to be a harmless JPG image or SCR screensaver. In fact, the attachment is a malicious program (known as malware), and once opened, can do any of the nasty things we've listed above. Here are the rules you should follow when checking your email.

1. Has the email come from someone you know ? If so, were you expecting the email and its attachment ? If not, try and confirm with the person over the phone or some other medium.
2. Does the message make sense ? If you receive an email from your computer illiterate parents saying ‘download this new screensaver', you can be quite sure something is fishy.
3. Does the email appear to come from someone in authority ? If the email comes from what appears to be the administrator of your email service, you should double check with them. No email service will ever ask you to reveal your password, or threaten to terminate your account unless you download the instructions in the attachment. If you are unsure, always contact their tech-support personnel before opening any attachment.

If you've followed the above steps, and you still think you need to download the attachment, make sure you scan it before downloading. Most popular email services like Hotmail and Yahoo offer you the facility of scanning the attachment, use this feature ! Once you've downloaded it, it never hurts to scan it with your own anti-virus software which you should have installed (we will talk about this in the next tip). Only after you are completely certain this attachment is safe, should you download it. If it is a program (ending in .exe, or something like .jpg.exe), then you should be extra careful. Remember that anti-virus scanners must be up to date to be able to catch new viruses, and even then, you may encounter a virus before the anti-virus companies have been able to analyse it.

Install An Anti-virus Software

90% of the threats you will face as a home user will come not from hardcore cyber criminals, but from automatic spreading viruses known as worms. The best way to guard against virus threats is to download a good anti-virus scanner. Two of the best ones are Norton AntiVirus and McAfee . Remember that the anti-virus needs to have its scanning database (known as virus definitions) regularly updated. You should try and update the definitions once a week. The longer you put it off for, the larger the new definitions package will be, and the more viruses your system will be vulnerable to. All the virus scanners offer some form of automatic update system so that you don't have to remember to keep updating the definitions yourself. Use this feature.

Disable Windows File Sharing

Most people know that Windows allows you to share files with other people on your network. This is called “Windows File Sharing”, and is what you make use of whenever you open network neighborhood. What most people don't know is that even if you don't specifically choose folders to share, Windows automatically shares your entire hard-disk with anyone who knows your system's Administrator account password. Not just will it share the hard-disk, it will allow the person full read and write access to the disk. To disable file sharing in Windows XP, go through the following steps:

1. Go to the Start menu and select the Control Panel.
2. In the Control Panel window, double-click on Network Connections.
3. Right-click on the icon for your network connection in the window that appears. You can do this for all your network connections (e.g. VSNL, LAN etc)
4. From the menu which appears, choose Properties (use the left mouse button to make your selection).
5. Under This connection uses the following items, highlight File and Printer Sharing for Microsoft Networks.
6. Click Uninstall.
7. When you are asked if you are sure you want to uninstall File and Printer Sharing for Microsoft Networks, click Yes.
8. Click OK or Close to close the Local Area Connection Properties window.

It is also important to understand that most people just press enter when prompted to choose an Administrator password during the install. This is a very bad idea, as it means that anyone can log into your system as an administrator (full access) without supplying a password. Thus you should try and choose a strong password for the administrator account and any other account that you may create on the system if you share it with other people. Read the tip on choosing strong passwords later on.

Update the Operating System

From time to time, people discover bugs or vulnerabilities in operating systems. These vulnerabilities often allow an attacker to exploit something built into your operating system and take it over. To give you a simple example, a vulnerability may be found in MSN Messenger and an attacker can exploit it to gain control of your system. Whenever such a vulnerability is found, the operating system vendors release what are known as ‘patches' which will fix the problem.

If you make sure your system is up to date with the latest patches, an attacker will not be able to exploit one of these vulnerabilities. To update windows, you have to run the ‘Windows update' service, either by clicking ‘Start >> Programs >> Windows update”, or by going to http://windowsupdate.microsoft.com/ . >From there you can scan your system for missing patches and then download the ones you need. You should try and do this regularly so that the backlog of patches you need to download is not very large. If you miss out on a lot of patches, the download could be really huge. This is also the case when you reinstall the operating system.

Install A Personal Firewall

A personal firewall is a piece of software that runs on your machine and lets you decide exactly what data is allowed to enter or leave your machine over the network. For example, if an attacker is scanning your system for vulnerabilities, it will alert you. If an attacker is just looking through ranges of the Internet for targets, your system will not respond to your probes.

In short, your system operates in a stealthy mode – invisible to an attacker. You also need to be careful about what data leaves your system via the network. Viruses and worms that try and email themselves to other people or use your machine to scan for more victims, spyware tries to send data back to an advertiser, and trojan horse programs may try to connect to an attacker. The personal firewall helps by alerting you every time a program tries to access the network connection. This can be tricky to novice users because even when legitimate programs such as Internet Explorer try to access the internet, the firewall will pop-up a warning box.

However, if you are unsure if an alert is malicious or not, most firewalls have a ‘more info' button on the alert which will take you to their website and tell you whether the program is a legitimate one or a known offender. A personal firewall is no good if you just keep answering ‘yes' to every program that wants to access your internet connection.

Take the trouble to understand what programs on your machine need legitimate access and only allow those. For example if you just downloaded a new screensaver program and the firewall says it wants to access the internet, you can be pretty sure it is trying to send some data back somewhere. It may be spyware or a trojan. Soon you will get used to weeding out the suspicious programs. If you have a permanently on connection like cable-modem or DSL, you should most definitely install a personal firewall. Some of the good ones you can get are:

ZoneAlarm – Very easy to install and use, there is a free version with a few less features than the professional version. Gives you very good information about the alerts it generates. Considered the market leader.

BlackICE – Another very highly rated personal firewall, it is not as user friendly as ZoneAlarm, but allows for some further configuration options

Sygate Personal Firewall – Also less user friendly, but it allows you to make some very powerful configuration changes and it contains a rudimentary intrusion detection system to alert you about common attacks.

If you go to any search engine and search for ‘personal firewall' you will find a whole lot of other options. If you use Windows XP, it is a good idea to turn on the built in Internet Connection Firewall by double clicking on your connection icon near the clock, clicking properties >> advanced >> Protect my computer and network…. This built in firewall is not meant to be a replacement for a full solution like the ones above. It only filters incoming traffic and will not alert you if a trojan or worm tries to use your machine for some malicious purpose.

Scan For Spyware

All through this article we have talked about spyware that lets companies customise their advertising by watching what you do on the net. While spyware may not be destructive, it is one of the biggest pests around and will result in a mailbox full of spam before you know it. However there are a number of tools that will scan for well known spyware on your machine and will allow you to delete it safely.

Note that AntiVirus packages do not usually alert you when you install spyware because it is not considered harmful to the computer itself. Two of the most popular programs for detecting and removing spyware are Ad-aware and Spybot Search & Destroy .

Choose Strong Passwords

Most of the time an attacker need not resort to a technical hack to break into a system because he can simply guess at poorly chosen passwords. Here are some general rules when selecting a password :

1. Do not use a word which can be found in a dictionary, or a birthdate / name these are very easy to crack
2. Adding numbers like 123 at the end does not make it more difficult to crack the password
3. Choose at least a 6 character long password.
4. Use different capitalisation for the letters, e.g. “suRViVor” (Don't use this one, its in a dictionary remember… its just an example)
5. Add some random numbers to the end or in the middle
6. If possible use a few special characters like !(;,$#& etc.
7. When choosing a password hint question, choose one that only you will be able to answer. “What is my birthdate ?” is something anyone who knows you even remotely will be able to guess.

A very useful method for choosing an easy to remember random password is to take a line of a song that you remember and then take the first letter of each word in that line. Now you can randomise the capitalisation, add a couple of numbers and special characters, and have a very strong password that is still difficult to crack.

Remember as far as possible to use a different password for different accounts (e.g. one password for your personal email, one for work email, one for internet banking). This may make things more difficult to remember, but in the event that one password gets compromised, the attacker will not have access to all the other accounts.