Security Basics mailing list archives
Re: RE: ADS Password Storage Protection
From: eric.baechle () dhs gov
Date: 19 Jul 2006 17:15:24 -0000
With all due respect to all, we've wandered way off the topic. The discussion was on "Active Directory Services (ADS) Storage Protection" methodologies. Mathematics proves what password types are entropically stronger, and proactive password auditing proves what passwords are practically stronger. The debate here is not length vs. complexity in passwords but the susceptibility of password storage systems to attack.

Password length and complexity remain a very valid discussion. Password recovery plays an especially important part in obtaining access to systems not connected to the originally compromised system. For example, if I use the same password for my banking as I use for my computer at home, someone that cracked my home computer password now has credentials for my bank web-account.

The important fact here is that regardless of my attempts to strengthen my password, someone that has the ability to crack my password on my home computer has the ability to "recover" my password no matter how strong it is through means other than cracking. Access to my system to recover the password hashes means that an intruder has the same level of access required to install root kits and key-loggers.

In keeping with the discussion topic: if I obtained the password hashes using PWDUMP or another extraction tool, I have all I need to be able to authenticate as any user, including Administrator, using one of the modified open-source SMB clients. Upon accessing the system as Administrator (SID 500 - to prevent trolls from starting arguments about renaming accounts), I obtain access to all connected ADS systems (including the workstations). From this launchpad I can install root-kits and key loggers on distributed client systems using ADS group-policy and pushing MSI packages. And finally, I just wait for you to type your 200+ character pass-phrases.

Upon looking at the anatomy of an attack, the threat comes not from the ability to crack a "strong password" (however you define strong=long, etc.). Instead the origin of the attack comes from obtaining access to the password hash database.

What I propose is that discussions on password length vs strength are purely academic rather than practical to system security. Creating super-long passwords (more than 8 characters or so) provides a theoretical increase in protection to systems but not a practical one. Credential passing algorithms such as Kerberos should use strong pre-shared or one-time keys for transmitting the passwords so they can't be sniffed.

So my question to you is, do you REALLY think your passwords are secure?

Sincerely,
Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security