Security Basics mailing list archives

RE: ADS Password Storage Protection


From: "Baechle, Eric" <Eric.Baechle () dhs gov>
Date: Mon, 17 Jul 2006 15:38:26 -0400

Roger,

I agree with you with regard to the entropy of the password strength.  A longer password can be mathematically 
stronger than a complex password with fewer characters, especially when using an incremental brute-force attack.

The problem isn't password cracking anymore.  By continuously attacking password complexity/length issues, security 
professionals are dealing with a symptom of the problem inherent in authentication systems but not the problem itself.  
With practical application of the Faster Time-Memory Trade-Off in Rainbow Tables, even long-and-strong passwords are 
quickly becoming crackable.  As computers mature and bot-nets grow, the theory of continuously using passwords longer 
than systems can reasonably crack breaks down --- eventually we will make users use entire novels as their password 
to remain secure.

The reality of authentication attacks is that they typically occur at an interface.  As long as the password is "strong 
enough" not to be reasonably guessed within 100 random tries or so, your audit processes should enable you to detect an 
attack.  This is why you would want to set your lockouts and alerts to something higher like 10, 15 or 25.  If someone 
is cracking your Active Directory password hash data then they've compromised your system to an administrator level 
already.  Since the "Administrator" account has a known SID, one method of auditing a compromise is to never use the 
built-in administrator.  Instead, create secondary administrator accounts and monitor the built-in administrator 
account for authentication, with an alert on interactive or remote login letting you know the system was compromised.

With hash injection ("pass the hash"), I never even have to know what your username/password actually is.  When I am 
confronted with a login prompt, I would use a modified SMB client to inject authentication credentials in hash form 
directly into the SMB/Kerberos exchange.  Your password could be a random 200 characters long, and it wouldn't 
matter... I'd still get into your system.

Instead of worrying about making passwords ultra-complex or ultra-long, the security administrators need to protect and 
monitor the hash database.  By forcing growing password requirements upon the system users, we're overlooking the 
attack-vector to the authentication system and ticking off the users in the process.  Password complexity and length 
requirements have created the "iron gate" on the front door that thwarts attackers.  They're now coming in through the 
windows...  We have to pay attention to the attack vector because the mathematical complexity of passwords has reached 
a moot point.

Sincerely,

Eric Baechle, CISSP/ISSEP, etc...
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security
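The two monitoring controls Eric describes above (alert on any interactive or remote logon by the built-in Administrator, identified by its well-known RID 500 rather than by name, and alert when failed logons for an account cross a threshold in the 10-25 range) as an added example run over constructed Windows Security event records; this is not code from the original post. It assumes the event IDs 4624 (successful logon) and 4625 (failed logon) and the standard Windows logon-type numbers; the sample events are constructed.

```python
# Added example (not from the original post): a minimal detector for two of the
# controls described in the message, run over constructed Windows Security events.
#   1. Any interactive (2), network (3) or remote-interactive (10) logon by the
#      built-in Administrator raises an alert. The account is recognised by its
#      well-known RID 500, so renaming it does not hide the event.
#   2. Failed logons (event 4625) are counted per account and an alert is raised
#      when the count reaches the threshold the post suggests (10 here).
# Event IDs 4624/4625 and logon-type values are those Windows uses on Vista/2008
# and later; every record in SAMPLE_EVENTS is constructed for this example.
from collections import Counter

BUILTIN_ADMIN_RID = "500"                 # well-known RID of the built-in Administrator
ALERT_LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}
FAILED_LOGON_THRESHOLD = 10               # one of the "10, 15 or 25" levels in the post

# Constructed sample events: event id, target account SID, account name, logon type.
# A failed logon (4625) normally carries the NULL SID S-1-0-0 for the target.
SAMPLE_EVENTS = [
    {"id": 4624, "sid": "S-1-5-21-1111-2222-3333-500", "user": "renamed_admin", "type": 10},
    {"id": 4624, "sid": "S-1-5-21-1111-2222-3333-1105", "user": "jsmith", "type": 2},
    {"id": 4624, "sid": "S-1-5-21-1111-2222-3333-500", "user": "renamed_admin", "type": 5},
]
SAMPLE_EVENTS += [{"id": 4625, "sid": "S-1-0-0", "user": "svc_backup", "type": 3}] * 12
SAMPLE_EVENTS += [{"id": 4625, "sid": "S-1-0-0", "user": "jsmith", "type": 3}] * 3


def is_builtin_admin(sid):
    """True if the SID's last component (the RID) is 500, whatever the account name."""
    return sid.rsplit("-", 1)[-1] == BUILTIN_ADMIN_RID


def detect(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return the list of alert strings produced by the two rules, in order."""
    alerts = []
    failures = Counter()
    for ev in events:
        if ev["id"] == 4624 and is_builtin_admin(ev["sid"]) and ev["type"] in ALERT_LOGON_TYPES:
            kind = ALERT_LOGON_TYPES[ev["type"]]
            alerts.append(f"built-in Administrator {kind} logon as '{ev['user']}'")
        elif ev["id"] == 4625:
            failures[ev["user"]] += 1
    for user, n in failures.items():
        if n >= threshold:
            alerts.append(f"{n} failed logons for '{user}' (threshold {threshold})")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The service logon (type 5) by the RID-500 account is deliberately left out of the alerting set, and the three failures for jsmith stay under the threshold, so the sample produces exactly two alerts.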



-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Monday, July 17, 2006 2:54 PM
To: Baechle, Eric M; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection


Let me comment on this post by saying that password length beats
complexity character for character. 

So go long and forget complexity.  Complexity pisses end users off.  

At 15 characters (complex or not), the password is uncrackable.  Tell normal
users to go 12 characters min. (actually 9 and above is pretty good).
Admins should go 15+.

I frequently demo this idea using Cain (www.oxid.it) and its brute force
cracking mode.

If I can get your LM hashes, I can crack your password no matter how
complex. If you go 15 char.+, I'll never crack it, no matter how big
the rainbow tables or how many computers I have.

Linux folks should use bcrypt password hashes to accomplish the same.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



