Passwords...nothing new...just a recap

Been doing a lot of work around password security lately and I think it is fair to say that, given enough time, any password can be cracked. The time could be hundreds or thousands of years in some cases when using brute force methods. In reality, though, this time is likely to be a lot shorter than we think, because end users can only cope with relatively short passwords.

Using various tools on Windows XP, Vista and 7 machines it was surprising to see just how many passwords were recovered in a matter of minutes, not hours or years.
Passwords on Windows machines can be local accounts or cached domain credentials.

Password attacks can be classified into two main categories:

Online: where the attacker is physically at the PC or on the network in question and is either actively running tools against the host PC or attempting to sniff the traffic to and from that machine for hashes on the wire (to be taken offline later). An important note here is that we do not need administrative credentials for the target machine to carry out either task. Booting from an OS boot CD gives access to the hard drive and all files on it regardless of the security imposed by the installed OS, and a sniffing PC strategically placed on the network can collect the traffic if that option is chosen.

Offline: where a compromised machine has had its security-related files and registry keys exported so that the cracking can take place away from the site, in the comfort of the hacker's home.

Windows operating systems, for example, use varying hashing schemes to store the password. Newer OSes such as XP with SP3, Vista and Windows 7 employ additional measures to create a type of seed (a salt) that is used in the hashing process. Unfortunately there are tools that allow an attacker to extract this information.

So why do we still use passwords?

Simply because they work and can be very effective as a first line of defence against unauthorised access. The problems usually arise from weak password policies and from absent or minimal password history retention policies.

Granted, with or without the password we can access all files on a password-protected drive using the alternate boot operating system described above; however, there are times when getting the password is more important than getting around it.

Windows, for example, caches the passwords of domain accounts on the local machine so that users can log in to their machines if the domain is not available. These cached credentials can be useful to an attacker because, when a user leaves or a PC is lost, administrators generally disable the machine account and change the password for the user account associated with that PC. In the latter case the user can then continue to log in with the new password, provided they are using a valid domain PC or are able to manually enter resource locations such as shares and supply valid credentials. But what about the other cached accounts that were used on the machine, perhaps by an admin setting it up or by another network user borrowing it for a day or two?

These accounts are unlikely to be "fixed" as they will, by and large, be unknown or forgotten about.

The time a password takes to crack is determined by its complexity. Dictionary words can be found in seconds. Common variations on dictionary words, like replacing O with 0 and I with 1, do not take intelligent tools long to break either.

It is therefore important to ensure that passwords meet a suitable level of complexity. Using random characters and numbers along with a passphrase, in total exceeding a minimum of 8 characters but preferably a lot more, will make the time it takes to crack so long that an attacker is likely to give up, or your password policy will impose a change before the crack completes, rendering it useless. However, if a password history retention policy is not enforced, users will by nature re-use old passwords, and that is where, in time, a cracked password could become useful to an attacker.
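As an added illustration of the points above (dictionary words with O/0 and I/1 substitutions, the 8-character minimum, and password history re-use), here is a small Python policy checker; it is not code from the original post. The wordlist, the guess rate of 1e9 per second and the 60-bit floor are constructed assumptions.

```python
import hashlib
import math
import re

# Constructed stand-in for a real cracking wordlist (assumption, not the post's data).
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon", "monkey"}
# Substitutions a cracker's rule engine undoes before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
# Character classes and pool sizes used for the brute-force estimate.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33))

MIN_LENGTH = 8            # the post's minimum; longer is preferred
GUESSES_PER_SECOND = 1e9  # assumed offline cracking rate for the estimate
MIN_BITS = 60             # assumed floor: roughly 36 years at the rate above


def normalise(password: str) -> str:
    """Lowercase, drop a trailing digit/punctuation suffix, undo leet-speak:
    'P@ssw0rd1!' and 'letmein1' both collapse to their dictionary base word."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)

def keyspace_bits(password: str) -> float:
    """Brute-force search space (bits) implied by length and classes present."""
    pool = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return len(password) * math.log2(pool) if pool else 0.0

def brute_force_years(password: str) -> float:
    """Worst-case time to exhaust the keyspace at GUESSES_PER_SECOND."""
    return 2 ** keyspace_bits(password) / GUESSES_PER_SECOND / (365 * 24 * 3600)

def digest(password: str) -> str:
    """History entry; a real system would keep salted, slow hashes instead."""
    return hashlib.sha256(password.encode()).hexdigest()

def evaluate(password: str, history: list) -> list:
    """Return policy failures for a candidate; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if normalise(password) in DICTIONARY:
        problems.append("dictionary word after undoing common substitutions")
    if keyspace_bits(password) < MIN_BITS:
        problems.append("brute-force search space too small")
    if digest(password) in history:
        problems.append("re-used from password history")
    return problems
```

Note that "P@ssw0rd1!" has a respectable 65-bit brute-force space yet is rejected, because the dictionary check sees through the substitutions.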

The above raises a lot of ifs and buts; however, anything which makes life more difficult for an attacker has got to be a good thing.

From a PC perspective, employing disk encryption provides a solution to all but the sniffing attacks. However, with disk encryption comes something else: a password to unlock the encrypted partition. This password must be long, varied and ideally random. On the plus side there are no simple mechanisms for getting at these passwords, so the only option would be a brute force attack, which is likely to fail and perplex the attacker. Most enterprise encryption solutions allow centralised management of workstations and can store the keys for each machine to aid recovery of forgotten passwords.

It is also important to remember that many customers nowadays have remote access to their systems, which often includes RADIUS authentication. Therefore, once again, a password could be used remotely regardless of the user's machine account having been disabled.

Remote access solutions are a high priority for attackers, as finding the username format can be quite a simple task and passwords can often be acquired using social engineering techniques.

To address this, two-factor authentication, for remote access at the very least, is a must for any company serious about its security.

There is quite a lot in this summary but in reality it breaks down to the following:

Use complex password policies to enforce non-standard passwords
Use password history policies to ensure users cannot re-use previous passwords
Ensure passwords are changed on a regular basis
Use full disk encryption software
Use two-factor authentication for remote access at a minimum.
