So this is my first ever blog entry and seeing as how I'm a senior
member of the PSS Security Incident Response team, you may think I've
stopped taking my medication by opening with a title like the one above!
Medication issues notwithstanding, it's true - you should NOT be using
passwords of any kind. Why? For starters, passwords are ridiculously
easy to guess or crack. Worms like Agobot / Phatbot / Polybot / SDBot /
RBot (no I didn't write this one) all ship with dictionaries of passwords
numbering in the hundreds and they can easily replicate to a system that
has a password in this word list, and the miscreants are really good at
keeping these wordlists up to date with passwords that they've cracked
from other systems.
As an example of what I'm talking about, check out Symantec's write-up of
this little nasty that my team encounters just about every day:
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.ae.html
Worse still, attackers (automated or human) don't even need to GUESS the
password. There are hacking tools a-plenty that will let a miscreant sniff
your network traffic to scoop out authentication material for the LM, NTLM
and Kerberos protocols and then brute-force that material back into a
working password. Sure, you can protect the network with segmentation,
encryption (IPSec etc.) and even 802.1x, and I'm a big fan of all of these,
but they only work around an issue that you still need to address: the
inherent vulnerability in your network, which is the password itself.
Ignoring the network for a second, what happens if an attacker gains
physical access to a machine on your network with elevated privileges? They
can dump all of the password hashes to a .txt file and then, through the
magic of pre-computation, 'look up' the password corresponding to each
hash in *seconds*, for every hash they obtain.
obtain. Lots of 'security consultants' like to terrorize our customers by
doing penetration tests, sniffing some network authentication exchanges,
cracking the easily determined passwords, then gaining access to a DC,
dumping out all of the password hashes and then cracking most if not all
of those using rainbow tables and then using that as evidence you should
switch to Linux! (bah!)
Pre-computation attacks are a relatively new and interesting phenomenon we
are starting to encounter 'in the wild' via chainsaw security consultants.
The consultant pre-computes all of the possible LM or NT password hashes of
a given length over a given character set and burns the
password-hash-to-password mappings to DVD. Heck, they can even submit your
password hash to a web page someone has set up to reverse it back into a
password for them (sorry, not going to give out THAT URL here) . . . for
free!
So with all of these highly successful, highly effective attacks on
passwords (dictionary attacks, brute-force attacks, pre-computation
attacks) I've come to the conclusion that there is simply too much risk
associated with passwords and that users of Windows should simply stop
using them to avoid this risk.
Problem solved right?
Hopefully by now, if you're in the security business, I've managed to get
you foaming-at-the-mouth lunatic crazy mad! How irresponsible is it that
I, as an incident response specialist for Microsoft, could be recommending
to our customers and readers that you do NOT use passwords anymore? As a
CISSP I have to admit it does seem to be just cause for revoking my
membership, but of course I used this ploy to get your attention and keep
you reading.
“Where is he going with this?”
So here's the deal - I don't want you to use passwords, I want you to
use pass-PHRASES. What is a pass-phrase you ask?
Let's take a look at some of my recent pass-phrases that I've used inside
Microsoft for my 'password'.
“If we weren't all crazy we would go insane” (Jimmy Buffett rules)
“Send the pain below!” (I like Chevelle too)
“Mean people suck!” (it's true)
So why are these pass-phrases so great?
1. They meet all password complexity requirements thanks to the mix of
upper / lowercase letters and punctuation (Windows complexity asks for
three of the four character classes, so you don't HAVE to use numbers to
meet it).
2. They are so freaking easy for me to remember it's not even funny. I
find it MUCH easier to remember a line from a favorite song or a funny
quote than to remember 'xYaQxrz!' (which, by the way, is long and complex
enough to meet our internal complexity requirements, but is too weak to
survive any kind of brute-force password grinding attack with, say, LC5
(L0phtCrack 5), let alone a lookup-table attack). Since that password would
not survive sustained attack long enough to matter, in my mind it's
pointless to use a password like that. You may as well just leave your
password blank.
3. I dare say that even with the most advanced hardware you are not going
to guess, crack, brute-force or pre-compute these pass-phrases in the 70
days or so that they were in use (remember, the password only needs to
survive attack long enough for you to change it).
Fact: Did you know that Windows NT-based operating systems support
pass-PHRASES of up to 128 characters, including spaces and Unicode
characters like this --> ?
Fact: Did you know that even the most efficient form of password cracking
(pre-computation using Sarca rainbow tables) breaks down and becomes
infeasible for most attackers at around 10 characters (I've seen the math
to prove it)? At 14 characters or more Excel can't even display a number
big enough to show how long it would take to pre-compute / look up a
password (a 14-character password drawn from the 95 printable ASCII
characters has 95^14, roughly 5 x 10^27, possibilities), so I'm assuming
this would safely rule out even dedicated government agencies with
unlimited hardware budgets <G>.
If you want a copy of the spreadsheet that lets you role-play or
calculate how long it would take to look up an XX-character password using
rainbow tables, shoot me an e-mail.
Now, looking at my first easy-to-remember (for me) pass-phrase listed
above, we see that it's 42 characters. I could type it three times in a
row as my password (126 characters) and still not exceed the 128-character
buffer Windows allocates for a password! So . . . why is this pass-phrase
so great?
1. It prevents an LM hash from being stored. LM password hashes are
stored by default on all of our operating systems, even Windows Server
2003, for backwards compatibility, but the LM algorithm only handles
passwords of 14 characters or fewer; for anything longer Windows stores a
fixed placeholder instead of a real LM hash. That matters because the LM
hash is no longer cryptographically secure (it upper-cases the password and
splits it into two independent 7-character halves) and takes only seconds
to crack with most tools.
2. It's easy to remember - I don't have to write it down.
3. Since it's 42 characters long it will never be found in a simple
word-list and thus can't be guessed with even the largest dictionary
files.
4. Since it's 42 characters long, it's physically impossible to
pre-compute the password-hash-to-password mappings and store them in any
reasonably attainable amount of disk space / RAM (I can't even tell you
how many petabytes it would be because Excel barfs when I try to make it
tell me; it can't calculate a number that big <G>).
5. Since it's 42 characters long it would take an extremely long time to
brute-force the hash back into the original password using all possible
number / letter / special character combinations (think of a
pre-computation attack as a brute-force attack where you save the result of
every attempt to a database for use in future attacks).
Do you see a pattern here? Pass-phrase LENGTH, not complexity, defeats
these attacks. Short but complex passwords should be shunned; they are not
truly secure anymore and you are deceiving yourself if you think they are.
Long pass-phrases (15 characters or more, long enough that Windows stops
storing the LM hash and well past the point where rainbow tables stop
being practical) are the future (along with 2-factor or more authN, but
that's another blog for another day) and are the only way to go if you
want to ensure that you won't get hacked via any type of password-based
attack. One caveat: length protects the password from being recovered, not
the hash from being misused; an attacker who has already dumped your NT
hashes can still replay them against NTLM without ever learning the
password, which is one more argument for that 2-factor authN.
Given how easy it is to remember a sentence as opposed to random
numbers and letters strung together, and how much safer it is, why are
IT companies still using weak passWORDS of 10 characters or less that
users can't remember, so they write them down or forget them, which leads
to password theft and helpdesk call volume? Why aren't IT companies
dictating 20-character password minimums (which all but forces you to use
a pass-phrase; note that the built-in Minimum password length policy on
Windows 2000 / XP / Server 2003 tops out at 14, so a longer minimum takes
a custom password filter DLL) and educating users about NT's 128-character
password prowess? Why aren't IT companies telling everyone, users and
admins alike, to use easy-to-remember sentences and phrases as passwords?
Simple - no one knows this stuff. This is, unfortunately, one of
Microsoft's best kept secrets (128 character password limit on NT based
OS's) and we've done very little to change the flawed mindset around short
passwords.
(Amusing side-note - did you know that NT was originally supposed to
support 256-character passwords? Apparently the design spec back in the
day called for 256 characters and the developer dutifully allocated a
256-byte array . . . but failed to account for the double-byte (Unicode)
character representation needed for far-east languages, so since each
character takes 2 bytes the usable password length was effectively
halved . . . doh!)
Well the secret is secret no more - the word is out! Now go change your
password policy and do it quickly . . . or you'll be opening a support
incident with my team soon and I'll be telling you all of this on the
phone after I figure out your password policy was easily subverted by an
automated worm that copied itself to your server via your exposed admin
shares.
Robert Hensing - Microsoft PSS Security Team
E-mail: rhensing@microsoft.com
Personal PGP Key ID: 0x87CEA167
Personal PGP Key Fingerprint: 6533 4075 7E87 9D32 8A10 742D B120 7C68 87CE A167
Team PGP Key ID: 0xEB722C4B
Team PGP Key Fingerprint: 1781 923A 0405 8F6A 31B7 EEFD 9A13 6A28 EB72 2C4B