Security Basics mailing list archives

RE: Password Audits


From: "Donald N Kenepp" <don () videon-central com>
Date: Tue, 26 Apr 2005 17:27:06 -0400

Hi,

  Perhaps this is the method you already use, but one solution for your
third question, a tool that merely tests the security of a password
without cracking it, is to have a password audit where the object is to make
sure all passwords have a base level of security rather than trying to
actually crack the passwords.  By limiting the depth of testing to just
below the minimum security level you want your users to achieve, you can
simply ask everyone whose password is cracked to change their password.  As
long as you properly design your audit, anyone whose password is not cracked
has a password that is both still secure and meets your minimum password
requirements.  Any cracked password should be changed and retested until it
passes.

  Sincerely,
    Donald
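
An added example (not part of the original message, and not code from any tool named in this thread): a sketch of the pass/fail audit described above, which tests only guesses that fall below the policy floor and records a verdict per account, never the guess that matched. The hash function, policy thresholds, account data and candidate list are all assumptions constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 1_000  # kept low so the constructed demo runs quickly


def stored_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for however the audited system stores passwords (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def meets_policy(password: str, min_length: int = 8) -> bool:
    """Hypothetical policy floor: minimum length plus 3 of 4 character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= min_length and sum(classes) >= 3


def audit(accounts: dict, candidates: list) -> dict:
    """Return {username: 'PASS' | 'CHANGE'} without keeping the matching guess."""
    # Depth limit: only guesses that fail the policy are ever tested, so a
    # policy-compliant password is never recovered by the audit.
    weak = [c for c in candidates if not meets_policy(c)]
    results = {}
    for user, (salt, digest) in accounts.items():
        hit = any(hmac.compare_digest(stored_hash(c, salt), digest) for c in weak)
        results[user] = "CHANGE" if hit else "PASS"
    return results


def demo() -> dict:
    # Constructed sample data: candidate guesses and four made-up accounts.
    candidates = ["password", "letmein", "Summer05", "qwerty12", "Tr1cky!Pass"]
    users = {"alice": "letmein", "bob": "Tr1cky!Pass",
             "carol": "qwerty12", "dave": "x9#Lm2pQvw"}
    accounts = {}
    for i, (user, pw) in enumerate(users.items()):
        salt = bytes([i]) * 16
        accounts[user] = (salt, stored_hash(pw, salt))
    return audit(accounts, candidates)


if __name__ == "__main__":
    print(demo())
```

In the sample, bob's password is on the candidate list but meets the policy, so it is filtered out before testing and the account passes.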

-----Original Message-----
From: . [mailto:rtfm () eircom net] 
Sent: Tuesday, April 26, 2005 11:47 AM
To: 'Adam Jones'; security-basics () securityfocus com
Subject: RE: Password Audits

2 words -

Rainbow tables - see here (but there are lots of others - just google).

http://www.antsight.com/zsl/rainbowcrack/


3 Questions to ponder - 

1. Why bother to attack such a long password? If someone is going to go to
the trouble of breaking a pass. of that length they can surely go to the
bother of using offline NT pass and reg editor (if local), Cain (if on the
network) or just googling for any one of the exploits the machine is
vulnerable to anyway...

2. Why, instead of worrying about password length don't you worry about
complexity? Use something like passfilt
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q161990

A password over 8-9 chars is going_to_be_written_down.. If you are really
worried about pass strength, enforce complexity (consider using esoteric
char. sets for really hard to crack passwords).

If you are that worried use 2 factor authentication - (secure ID etc..)

3. Why are you cracking passwords at all?
IF YOU CRACK PASSWORDS YOU IRRETRIEVABLY BREAK ACCOUNTABILITY
Let's think about that for a second - 

You are an admin at a company with a responsible and proactive security
policy which includes regular passwords audits using a cracking tool.
Unfortunately for everyone Joe in accounts is a shady character. Joe gets
arrested for manipulating the company accounts system (with his current
level of privilege) and transferring 1million to Antigua...Joe goes to court
where the evidence is access times/usernames/passwords and says - 

"It wasn't me gov'nor, that the systems administrator dunnit- he had my
username AND my password, and if it wasn't him - it was someone who got
access to his machine" etc. etc. 

This is a variant on the Trojan defense and it could work in a criminal case
where the burden of proof lies with the prosecution. It has a good chance of
working or at least muddying the waters sufficiently to prevent that company
(and you) ever trying password cracking again.

If anyone knows of a tool that merely tests the security of a password
without cracking it let me know - and yes I am aware that LC5 has an option
to not display the cracked password but it still cracks the password
anyway...

Cheers,
EDF

-----Original Message-----
From: Adam Jones [mailto:ajones1 () gmail com] 
Sent: 25 April 2005 16:44
To: security-basics () securityfocus com
Subject: Re: Password Audits

LC5 breaks windows passwords by looking at the NT Lan Manager version
of them. NTLM is an old way of storing passwords that truncates them
to 14 characters (IIRC it also pads them to 14 if needed) then it
splits it into two seven character strings and encrypts each one
separately.

This makes the passwords easier to break, as you only have to hit one
half of it and can use that for dictionary attacks against the other
half. The first 14 characters should be enough to help you gauge the
strength of the password. It is possible to find software that will
work with other encryption schemes, but none can achieve the cracking
speed you get on NTLM.

In short, yes, tools do exist to do it, but you should seriously
consider if the extra time expended is worth it. In many cases it will
be more time efficient to just evaluate the first 14 characters.

Also check your security profiles to ensure that NTLM authentication
is disabled, otherwise anything after the first 14 characters is
practically useless to begin with.

On 4/22/05, Jair <jairgerald () hotmail com> wrote:
Hi Fellows,

I am using the LC5 tool to audit Windows 2000 users' passwords and it looks
like it only works with passwords of 14 characters or less. I know some users
have long passwords over 14 characters and LC5 doesn't show me information
about them.

Do you guys know if there is a tool that can break long passwords?

Thanks for your help

