RE: ADS Password Storage Protection
- From: "Baechle, Eric" <Eric.Baechle@xxxxxxx>
- Date: Mon, 17 Jul 2006 15:38:26 -0400
Roger,
I agree with you with regards to the entropy of the password strength. A longer password can be mathematically stronger than a complex password with fewer characters, especially when using an incremental brute-force attack.
The problem isn't password cracking anymore. By continuously attacking password complexity/length issues, security professionals are dealing with a symptom of the problem inherent in authentication systems but not the problem itself. With practical application of the Faster Time-Memory Trade-Off in Rainbow Tables, even long-and-strong passwords are quickly becoming crackable. As computers mature and bot-nets grow, the theory of continuously using passwords longer than systems can reasonably crack breaks down --- eventually we will make users use entire novels as their password to remain secure.
The reality of authentication attacks is that they typically occur at an interface. As long as the password is "strong enough" not to be reasonably guessed within 100 random tries or so your audit processes should enable you to detect an attack. This is why you would want to set your lockouts and alerts to something higher like 10, 15 or 25. If someone is cracking your Active Directory password hash data then they've compromised your system to an administrator level already. Since the "Administrator" account has a known SID, one method of auditing a compromise is to never use the built-in administrator. Instead, create secondary administrator accounts and monitor the built-in administrator account for authentication with an alert of interactive or remote login letting you know the system was compromised.
With hash injection ("pass the hash"), I never even have to know what your username/password actually is. When I am confronted with a login prompt, I would use a modified SMB client to inject authentication credentials in hash form directly into the SMB/Kerberos exchange. Your password could be a random 200 characters long, and it wouldn't matter... I'd still get into your system.
Instead of worrying about making passwords ultra-complex or ultra-long, the security administrators need to protect and monitor the hash database. By forcing growing password requirements upon the system users, we're overlooking the attack-vector to the authentication system and ticking off the users in the process. Password complexity and length requirements have created the "iron gate" on the front door that thwarts attackers. They're now coming in through the windows... We have to pay attention to the attack vector because the mathematical complexity of passwords has reached a moot point.
Sincerely,
Eric Baechle, CISSP/ISSEP, etc...
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security
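[Editor's added example, not part of Eric's message.] The monitoring idea above (never log on with the built-in Administrator, alert on any interactive or remote logon by it) works because the built-in Administrator always has RID 500 as the last component of its SID, even after it is renamed. The Python below runs that check over a few constructed Security-log records modelled loosely on the Vista/2008-and-later Event ID 4624 field names (Windows 2003-era logs use 528/540 instead). The sample records, the field format and the set of logon types treated as "interactive or remote" (2, 3 and 10) are assumptions made for the example.

```python
"""Flag logons by the built-in Administrator account (RID 500) in constructed log records."""
import re

# Constructed sample records (not real log data), loosely modelled on Event ID 4624 fields.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserSid=S-1-5-21-1004336348-1177238915-682003330-500 TargetUserName=Administrator LogonType=2 IpAddress=127.0.0.1",
    "EventID=4624 TargetUserSid=S-1-5-21-1004336348-1177238915-682003330-1104 TargetUserName=ops-admin LogonType=2 IpAddress=127.0.0.1",
    # Renamed built-in account: the name changed, the RID did not.
    "EventID=4624 TargetUserSid=S-1-5-21-1004336348-1177238915-682003330-500 TargetUserName=renamed-svc LogonType=10 IpAddress=10.0.0.77",
    "EventID=4624 TargetUserSid=S-1-5-21-1004336348-1177238915-682003330-500 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.23",
    "EventID=4625 TargetUserSid=S-1-0-0 TargetUserName=Administrator LogonType=3 IpAddress=10.0.0.23",
    "EventID=4624 TargetUserSid=S-1-5-18 TargetUserName=SYSTEM LogonType=5 IpAddress=-",
]

# Assumption for this example: which logon types count as "interactive or remote".
ALERT_LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(record: str) -> dict:
    """Split a 'Key=Value Key=Value' record into a dict (constructed format)."""
    return dict(FIELD.findall(record))


def is_builtin_admin(sid: str) -> bool:
    """True for the built-in Administrator: a domain/local account SID (S-1-5-21-...) ending in RID 500."""
    return sid.startswith("S-1-5-21-") and sid.split("-")[-1] == "500"


def find_builtin_admin_logons(records):
    """Return (account name, logon type, source IP) for every alert-worthy RID-500 logon."""
    alerts = []
    for record in records:
        ev = parse_record(record)
        if ev.get("EventID") != "4624":            # successful logons only
            continue
        if not is_builtin_admin(ev.get("TargetUserSid", "")):
            continue
        logon_type = int(ev.get("LogonType", "0"))
        if logon_type in ALERT_LOGON_TYPES:
            alerts.append((ev["TargetUserName"], ALERT_LOGON_TYPES[logon_type], ev["IpAddress"]))
    return alerts


if __name__ == "__main__":
    for name, kind, src in find_builtin_admin_logons(SAMPLE_EVENTS):
        print(f"ALERT: built-in Administrator ({name}) {kind} logon from {src}")
```

Matching on the RID rather than the name is the point: an attacker who has already obtained the hash database can rename accounts, but cannot change the RID of the built-in Administrator.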
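[Editor's added example, not part of Eric's message.] To make the pass-the-hash point concrete, the Python below walks one NTLMv2 challenge/response (MS-NLMP) from both sides: the client's proof is an HMAC-MD5 keyed by the NT hash (MD4 of the UTF-16LE password), and the domain controller verifies it from the same stored hash, so the password itself is never needed and its length is irrelevant. The same holds for Kerberos RC4-HMAC, where the NT hash is the long-term key. A pure-Python MD4 is included because hashlib's md4 is frequently disabled. The user name, domain, nonces, timestamp and the reduced AV_PAIR list are constructed values for the example; the NT hash constant is the well-known hash of the string "password".

```python
"""Pass-the-hash against an NTLMv2 exchange: the client needs only the NT hash."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4_compress(state, block):
    """One MD4 compression (RFC 1320) over a 64-byte block."""
    x = struct.unpack("<16I", block)
    r = list(state)

    def f(a, b, c):
        return (a & b) | (~a & c)

    def g(a, b, c):
        return (a & b) | (a & c) | (b & c)

    def h(a, b, c):
        return a ^ b ^ c

    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), lambda i: i),
        (g, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]),
    )
    for fn, k, shifts, index in rounds:
        for i in range(16):
            t = (r[0] + fn(r[1], r[2], r[3]) + x[index(i)] + k) & MASK
            s = shifts[i % 4]
            t = ((t << s) | (t >> (32 - s))) & MASK
            r = [r[3], t, r[1], r[2]]  # the register updated next moves to the front
    return [(a + b) & MASK for a, b in zip(state, r)]


def md4(data: bytes) -> bytes:
    # Pad with 0x80 and zeros to 56 mod 64, then append the bit length (64-bit little-endian).
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        state = _md4_compress(state, msg[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash as stored in the SAM / Active Directory: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain; no password involved."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge, timestamp):
    """Client side: build the NTLMv2 response from the hash alone."""
    temp = (b"\x01\x01" + b"\x00" * 6       # RespType, HiRespType, Reserved1, Reserved2
            + struct.pack("<Q", timestamp)   # FILETIME
            + client_challenge               # 8 client nonce bytes
            + b"\x00" * 4                    # Reserved3
            + b"\x00" * 4                    # AV_PAIRs reduced to MsvAvEOL (assumption for the example)
            + b"\x00" * 4)                   # Reserved4
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def server_accepts(stored_nt, user, domain, server_challenge, response) -> bool:
    """Server/DC side: recompute the proof from the stored NT hash and compare."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def pass_the_hash_demo(tamper: bool = False) -> bool:
    """Attacker holds only the hex NT hash dumped from the directory (constructed scenario)."""
    user, domain = "eric", "CORP"
    stolen_nt = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"
    server_challenge = bytes.fromhex("0123456789abcdef")          # constructed server nonce
    client_challenge = bytes.fromhex("ffffff0011223344")          # constructed client nonce
    timestamp = 0x01C6A9F6A0000000                                # constructed FILETIME
    response = ntlmv2_response(stolen_nt, user, domain, server_challenge, client_challenge, timestamp)
    if tamper:
        server_challenge = bytes.fromhex("0000000000000000")      # replay against a fresh challenge fails
    return server_accepts(stolen_nt, user, domain, server_challenge, response)


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("pass-the-hash accepted:", pass_the_hash_demo())
    print("same response replayed against a new challenge:", pass_the_hash_demo(tamper=True))
```

Note what the exchange does and does not protect: the server challenge stops replay of a captured response, but nothing in it requires the client to know the password, which is why protecting and monitoring the hash store matters more than the password policy.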
-----Original Message-----
From: Roger A. Grimes [mailto:roger@xxxxxxxxxxxxxx]
Sent: Monday, July 17, 2006 2:54 PM
To: Baechle, Eric M; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: ADS Password Storage Protection
Let me comment on this post by saying that password length beats
complexity character for character.
So go long and forget complexity. Complexity pisses end users off.
At 15 characters (complex or not), password is uncrackable. Tell normal
users to go 12 character min. (actually 9 and above is pretty good).
Admins should go 15+.
I frequently demo this idea using Cain (www.oxid.it) and its brute force
cracking mode.
If I can get your LM hashes, I can crack your password no matter how
complex. If you go 15 char.+, I'll never crack it, no matter how big
the rainbow tables or how many computers I have.
Linux folks should use bcrypt password hashes to accomplish the same.
Roger
*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************