Educause Security Discussion mailing list archives

Re: Password Cracking & Consequences


From: Brian Eckman <eckman () UMN EDU>
Date: Sun, 29 Aug 2004 11:33:45 -0500

Scott Bradner said:
far better to force good passwords when the user sets them

Ken Shaurette said:
"make sure that users can't ever select weak passwords"

In some environments, this is possible, but not in all. The last I checked,
many versions of Netware had a minimum character limit, but no way of making
sure they were difficult to guess. Windows has its complexity requirements,
but IIRC, Passw0rd is a "complex" 8 character password. (OK, so buy a third
party solution that resolves this. That works for me.)

(Note: I realize below I am advocating password "guessing" more than
"cracking", but the two words are often interchanged.)

That's all fine (auditing passwords when they are set) in a centralized
environment, where the folks enforcing the policies also admin the systems.
In an environment as large and complex as ours, we have a number of folks
doing network security and policy enforcement that aren't the system admins.
There are thousands of Windows machines that can be logged into over the
network, hundreds of them are Windows servers administered by literally
hundreds of different people in different departments with different levels
of knowledge.

We have policies in place regarding passwords and server security. However,
the only way for us to determine if those policies are being enforced is
to:

1. Wait for the boxes to become compromised, hope we find them, then hope we
can determine how the attackers got in.
or
2. Actively seek boxes that will easily become compromised, and hopefully
beat the bad guys to them, and get them better secured.

Also, we are one of the largest research Universities in the US, and
therefore get a number of Windows computers as a part of grants. The
researchers, who typically know little to nothing about Windows security,
sometimes set these machines up on the network without consulting their
department's technical staff, and begin using them with little to no regard
to patching or passwords. While we can determine if their patch levels are
out of date with tools such as Nessus, without network based password
guessing, we can only sit and wait to see how the passwords stand up. Often
the systems come fairly well patched from the manufacturer (most recent SP
for example), so they may appear "secure" to Nessus, yet be wide open to a
password guessing attack.

(Note that we did have a team of people charged with investigating a big
Active Directory forest, and it was determined after a year or so that it
just wasn't doable in our environment. There is an Active Directory root,
but most departments have chosen not to join it for one reason or another.)

I do agree that the password auditor should not be able to see the results
of the password auditing. The reality is, people have more and more
different accounts, and many people do use the same password across multiple
systems. I sure do not want to get caught holding someone's online banking
password (discovered because it's the same as their computer password),
especially if they become a victim of identity theft.

Brian
--
Brian Eckman
Security Analyst
University of Minnesota
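The point about "Passw0rd" passing Windows' complexity rule is easy to demonstrate. The following is an added example, not code from the post or from any of the products it mentions: it models the classic "three of four character classes" complexity check (a simplified stand-in for the real Windows policy, which is an assumption here, not a description of its exact behaviour), places a normalization step beside it that undoes common letter substitutions and strips trailing digits and punctuation, and then audits a constructed list of candidate passwords against both checks. The word list is a short constructed stand-in for a real dictionary.

```python
import re

# Constructed stand-in for a real wordlist; a deployment would load a full
# dictionary of common passwords and base words instead of this short set.
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}

# Common "leet" substitutions undone during normalization.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def meets_complexity_rule(pw, min_len=8):
    """Simplified model (assumption) of a Windows-style complexity rule:
    at least min_len characters drawn from at least three of the four
    classes upper, lower, digit, other. 'Passw0rd' satisfies this."""
    if len(pw) < min_len:
        return False
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def normalize(pw):
    """Reduce a candidate to the base word an attacker's wordlist would
    start from: lowercase, drop leading/trailing digits and punctuation,
    then undo leet substitutions. 'Passw0rd', 'Password1!' and 'P@ssw0rd!'
    all reduce to 'password'."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # strip trailing digits/symbols
    base = re.sub(r"^[^a-z]+", "", base)   # strip leading digits/symbols
    return base.translate(LEET_MAP)


def is_dictionary_derived(pw):
    return normalize(pw) in COMMON_BASE_WORDS


def evaluate(pw):
    """Apply the complexity rule first, then the dictionary check.
    Returns (accepted, reason)."""
    if not meets_complexity_rule(pw):
        return False, "fails complexity rule"
    if is_dictionary_derived(pw):
        return False, "derived from common word %r" % normalize(pw)
    return True, "ok"


def audit(candidates):
    """Return the candidates that pass the complexity rule alone but are
    rejected once dictionary derivation is considered, i.e. the passwords
    a complexity-only policy would wrongly accept."""
    return [
        pw for pw in candidates
        if meets_complexity_rule(pw) and not evaluate(pw)[0]
    ]


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    sample = ["Passw0rd", "password", "Welcome1!", "xK9#mQ2v", "Tr0ub4dor&3"]
    for pw in sample:
        print("%-12s complexity=%s -> %s" % (
            pw, meets_complexity_rule(pw), evaluate(pw)[1]))
    print("accepted by complexity rule only:", audit(sample))
```

The ordering inside `normalize` matters: trailing digits and punctuation are stripped before the substitution table is applied, otherwise the `1` and `!` appended to `Password1!` would be turned into letters and the base word would be missed.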

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.