Security Basics mailing list archives
RE: ADS Password Storage Protection
From: "Baechle, Eric" <eric.baechle () dhs gov>
Date: Mon, 7 Aug 2006 09:41:58 -0400
Neil, That still requires access to a system. If a system is physically compromised (in the case of stealing a laptop), a number of things should happen. PKI keys need to expire/be revoked. Depending on how you have password caches set, the entire Domain should go through a password reset. However your example still implies performing a PWDUMP or a similar process (from the SAM, Registry, or otherwise). Again, with the password hash now you have what you need to authenticate into a challenge-response stream regardless of actually reversing the username and password. This is because, most not-obsolete authentication systems don't actually send the hash across the wire. They send a key that is used to re-hash the password hash, and the resultant value is returned. The same process is repeated on the authentication system and the values matched. If your password was 4 characters or 40,000 characters, you have all you need to access a system (minus a little basic knowledge from your favorate SAMBA & Kerberos books). So, the point is here... protecting the actual password hash in storage and in transit. If you utilize non-obsolete methods of transmission, then your real problem is storage and detecting when that storage is compromised. Eric B. -----Original Message----- From: Neil [mailto:neil () voidfx net] Sent: Sunday, August 06, 2006 2:50 PM To: Baechle, Eric M Cc: security-basics () securityfocus com Subject: Re: ADS Password Storage Protection On 7/26/2006 11:46 PM, eric.baechle () dhs gov wrote:
I think everyone is on the same page about the mathematical complexity of passwords either coming from length or from additional character ranges. But how does one begin to crack a password? One would first need the password hash. Where are the password hashes stored? How are the accessed? Once you have the answer to those questions, then you may decide that a 4-character simple password is good enough. Because if an attacker can crack your password hash, they had or HAVE access to your password hash, which means they've got system rights to your Domain Controllers! What's the bigger problem? Sincerely, Eric B.
That's not necessarily true. It sounds like you're assuming pwdump-ing here. Perhaps they grabbed the hash by getting physical access to a computer that has your hash cached (eg. steal your laptop, mount the hdd on another computer, grab the sam file, extract the domain admin hash). Or perhaps they grabbed it in transit (eg. sniffed the hash on the way to the domain controller). Either way, they have the hash without the access...until they crack it. And a 4 char hash, even with 4 character sets, would take very little time to break. -Neil. --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Re: ADS Password Storage Protection Neil (Aug 08)
- <Possible follow-ups>
- RE: ADS Password Storage Protection Baechle, Eric (Aug 08)
- Re: RE: ADS Password Storage Protection Micheal Espinola Jr (Aug 08)