Security Basics mailing list archives
RE: ADS Password Storage Protection
From: "Baechle, Eric" <Eric.Baechle () dhs gov>
Date: Mon, 17 Jul 2006 15:38:26 -0400
Roger,

I agree with you with regards to the entropy of the password strength. A longer password can be mathematically stronger than a complex password with fewer characters, especially when using an incremental brute-force attack.

The problem isn't password cracking anymore. By continuously attacking password complexity/length issues, security professionals are dealing with a symptom of the problem inherent in authentication systems but not the problem itself. With practical application of the Faster Time-Memory Trade-Off in Rainbow Tables, even long-and-strong passwords are quickly becoming crackable. As computers mature and bot-nets grow, the theory of continuously using passwords longer than systems can reasonably crack breaks down --- eventually we will make users enter entire novels as their password to remain secure.

The reality of authentication attacks is that they typically occur at an interface. As long as the password is "strong enough" not to be reasonably guessed within 100 random tries or so, your audit processes should enable you to detect an attack. This is why you would want to set your lockouts and alerts to something higher like 10, 15 or 25.

If someone is cracking your Active Directory password hash data then they've compromised your system to an administrator level already. Since the "Administrator" account has a known SID, one method of auditing a compromise is to never use the built-in administrator. Instead, create secondary administrator accounts and monitor the built-in administrator account for authentication, with an alert on interactive or remote login letting you know the system was compromised.

With hash injection ("pass the hash"), I never even have to know what your username/password actually is. When I am confronted with a login prompt, I would use a modified SMB client to inject authentication credentials in hash form directly into the SMB/Kerberos exchange. Your password could be a random 200 characters long, and it wouldn't matter... I'd still get into your system.

Instead of worrying about making passwords ultra-complex or ultra-long, the security administrators need to protect and monitor the hash database. By forcing growing password requirements upon the system users, we're overlooking the attack vector to the authentication system and ticking off the users in the process. Password complexity and length requirements have created the "iron gate" on the front door that thwarts attackers. They're now coming in through the windows... We have to pay attention to the attack vector because the mathematical complexity of passwords has reached a moot point.

Sincerely,

Eric Baechle, CISSP/ISSEP, etc...
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Monday, July 17, 2006 2:54 PM
To: Baechle, Eric M; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

Let me comment on this post by saying that password length beats complexity character for character. So go long and forget complexity. Complexity pisses end users off. At 15 characters (complex or not), password is uncrackable. Tell normal users to go 12 character min. (actually 9 and above is pretty good). Admins should go 15+.

I frequently demo this idea using Cain (www.oxid.it) and its brute force cracking mode. If I can get your LM hashes, I can crack your password no matter how complex. If you go 15 char.+, I'll never crack it, no matter how big the rainbow tables or how many computers I have.

Linux folks should use bcrypt password hashes to accomplish the same.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************
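The monitoring idea in Eric's post (never use the built-in Administrator day to day, identify it by its well-known SID rather than its name, alert on any interactive or remote login by it, and set lockout/alert thresholds somewhere in the 10 to 25 range) as an added Python example; this is not code from the original thread or from either author. It assumes the newer Security-log event IDs 4624 (successful logon) and 4625 (failed logon) and logon types 2 (interactive) and 10 (RemoteInteractive), which postdate the 2006 discussion; the event records are constructed samples and the function names are mine.

```python
"""
Added example: flag successful interactive/remote-interactive logons by the
built-in Administrator account using its well-known relative identifier
(RID 500), so a renamed account is still caught, and count failed logons per
account against an alert threshold. Event IDs/logon types assume the
Vista-era Security log; all sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

BUILTIN_ADMIN_RID = 500            # fixed RID of the built-in Administrator account
INTERACTIVE_LOGON_TYPES = {2, 10}  # 2 = interactive (console), 10 = RemoteInteractive (RDP)
FAILED_LOGON_ALERT_THRESHOLD = 15  # in the "10, 15 or 25" range suggested in the post


@dataclass
class LogonEvent:
    event_id: int    # 4624 = successful logon, 4625 = failed logon
    account: str     # account name as logged (may be a renamed built-in account)
    sid: str         # S-1-5-21-<domain>-<RID>; failed logons often carry S-1-0-0
    logon_type: int
    source_ip: str


def rid_of(sid):
    """Return the last sub-authority (the RID) of a SID, or None if malformed."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        return None
    try:
        return int(parts[-1])
    except ValueError:
        return None


def is_builtin_admin(sid):
    # Domain and local account SIDs look like S-1-5-21-a-b-c-RID; RID 500 is the
    # built-in Administrator regardless of what the account is currently named.
    return sid.startswith("S-1-5-21-") and rid_of(sid) == BUILTIN_ADMIN_RID


def find_builtin_admin_logons(events):
    """Successful console or RDP logons whose account SID ends in RID 500."""
    return [e for e in events
            if e.event_id == 4624
            and e.logon_type in INTERACTIVE_LOGON_TYPES
            and is_builtin_admin(e.sid)]


def count_failed_logons(events):
    """Failed logon attempts per account name (case-insensitive)."""
    counts = defaultdict(int)
    for e in events:
        if e.event_id == 4625:
            counts[e.account.lower()] += 1
    return dict(counts)


def accounts_over_threshold(events, threshold=FAILED_LOGON_ALERT_THRESHOLD):
    """Accounts whose failed-logon count reached the alert threshold."""
    return sorted(a for a, n in count_failed_logons(events).items() if n >= threshold)


# Constructed sample events (hypothetical domain SID prefix and addresses).
SAMPLE_EVENTS = [
    LogonEvent(4624, "svc_backup", "S-1-5-21-1111-2222-3333-1105", 3, "10.0.0.5"),
    LogonEvent(4624, "Administrator", "S-1-5-21-1111-2222-3333-500", 10, "10.0.0.77"),  # RDP by RID 500
    LogonEvent(4624, "ops-admin", "S-1-5-21-1111-2222-3333-1201", 10, "10.0.0.12"),
    LogonEvent(4624, "helpdesk", "S-1-5-21-1111-2222-3333-500", 2, "127.0.0.1"),       # renamed RID 500, console
    LogonEvent(4624, "Administrator", "S-1-5-21-1111-2222-3333-500", 3, "10.0.0.9"),   # network logon, not flagged
] + [LogonEvent(4625, "jsmith", "S-1-0-0", 3, "10.0.0.200") for _ in range(16)] \
  + [LogonEvent(4625, "ops-admin", "S-1-0-0", 10, "10.0.0.201") for _ in range(4)]


if __name__ == "__main__":
    for e in find_builtin_admin_logons(SAMPLE_EVENTS):
        print(f"ALERT: built-in Administrator (RID 500) logon type {e.logon_type} "
              f"as '{e.account}' from {e.source_ip}")
    failed = count_failed_logons(SAMPLE_EVENTS)
    for a in accounts_over_threshold(SAMPLE_EVENTS):
        print(f"ALERT: {a}: {failed[a]} failed logons >= {FAILED_LOGON_ALERT_THRESHOLD}")
```

The check keys on the RID instead of the account name because renaming the built-in Administrator (a common hardening step) changes the name but not the SID, and the sample deliberately includes a network-type logon by RID 500 that is left alone so that only the interactive and remote sessions the post singles out are raised.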