Re: Please do not change your password

["Doty, Timothy T." <tdoty () MST EDU>]

"It is well understood that access to the hashed passwords can easily lead
to a compromise"

That isn't what I was hearing. I was hearing that compromises don't come
from that and who needs to have a password more complex than 8-char because
it doesn't matter. It was posed as a question. I'm replying saying that it
is relevant.

Sure, it would have been better for Atlassian to have used salting. But they
didn't and guess what? They aren't the only ones to do so. Odds are *very*
good that passwords you use online are stored without salting or even in
plaintext. I know some of mine are because the site will send me the
password plain text back to me via email.

Odds are very good that they grabbed the password hashes to crack because...
people re-use passwords and this could then be leveraged to gain access to
more sites. The kneejerk response to that is "don't re-use passwords" and
that is a good method -- but it *also* helps to use something a little bit
more complex than 8 characters.

The problem spiders out quickly (as in, I'm starting to wonder how many
people realize how easy it is to pull password hashes off of a windows box)
and ignoring one aspect of securing passwords "because they are other ways
of getting access" just boggles my mind.

You can argue and debate the merits of requiring a particular minimum
complexity, or frequency of password changes, or restricting source IPs
allowed to authenticate, or whatever other control you wish to wrap around
the problem -- but the arguments for 8-char passwords being sufficient
complexity seem to be no more than covering ears with hands.

Allow me to quote the original question:

" So - this does beg the question - even though longer passwords are
theoretically harder to "crack", who cares....the bad guys are just going to
go around them anyway....?

Thoughts?  And thanks for the discussion...."

In answer to the "who cares" I say the bad guys care. They bothered to
download the password hashes.

And the response has been "well, they didn't salt the password so it doesn't
prove anything". Eh? I point out a recent event from the real world and it
isn't relevant? I take it *you* salt the hashes (and obviously don't use
Active Directory), but does everywhere that you use passwords salt the hash?


Tim Doty

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Porter
> Sent: Wednesday, April 14, 2010 9:30 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Please do not change your password
>
> On Wed, 14 Apr 2010, Doty, Timothy T. wrote:
>
> > You say that passwords are no longer cracked? Then read up on the
> compromise
> > the Apache folks had where the database of (unsalted) hashed
> passwords was
> > obtained by the hackers. That is only a single case, but it is very
> recent
> > and IMO very relevant. Those 8-char passwords are little better than
> plain
> > text in such a situation.
>
> An unsalted password is not a good choice and does not prove
> anything with regard to the current discussion.  And in any case, it
> is well understood that access to the hashed passwords can easily
> lead to a compromise.  While longer passwords are harder to crack,
> once you have the hashes, it really becomes a matter of how much
> money you can afford to throw at the problem - or how many bots you
> have that you can set to chewing on the problem.
>
> So, yes, getting access to the hashed passwords is a gold mine, but
> most compromises are phishes, other forms of social engineering, or
> keyloggers installed via socially engineering viruses (ohhh!  I have
> a package, must install this .exe to find out about it), or hacked
> websites.
>
> A few weeks ago, the website for a local paper was hacked.  It is
> the sort of paper that most local politicians or their assistants
> would read.  If they had unpatched systems, many of the local
> politicians could have had their passwords stolen and access to
> their email be had by those who wanted it.  This could have made for
> a nice package of information for someone willing to pay for it and
> make use of it locally.  However, most likely the accounts were just
> harvested for spam and credit card info.  But, in any case, password
> length and lifetime does not figure into equation very well.
>
> > If the bad guys "just worked around" passwords why would they care to
> obtain
> > a hash list? The argument is short sighted and misses the value of
> defense
> > in depth.
>
> Mike
>
> Mike Porter
> Systems Programer V
> IT/NSS
> University of Delaware
>
> > Tim Doty
> >
> >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP,
> MICHAEL
> > > Sent: Wednesday, April 14, 2010 8:43 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Please do not change your password
> > >
> > > Have there been any studies recently that have identified the net
> > > effects of "long passwords" or passphrases?....or complex passwords?
> > > Before coming to higher ed, I came from the "sensitive" Fed sector -
> > > and they used 8-char passwords that were generated for you -
> > > upper/lower case, and one number, (and they used a cool little
> routine
> > > in the password generator that made the passwords "pseudo-
> > > pronounceable" so that they were easier to remember.)
> > >
> > > I also remember asking why they weren't required to use passwords
> that
> > > were longer, more complex, etc - and the answer was: "Passwords keep
> > > honest people honest - the vast majority (if not all) of compromised
> > > accounts have not come about by the way of 'cracked passwords' -
> they
> > > have come about by the capturing or surrendering of legitimate
> > > passwords.  Captured through malware or bogus websites - Surrendered
> > > through phishing or social engineering means."  I was skeptical
> until I
> > > started doing some research on my own - and I couldn't find more
> than
> > > 1-2 obscure instances where a password was actually 'cracked' - most
> > > were cases where passwords were immaterial, and the system was
> > > compromised by "going around the password" altogether.
> > >
> > > So - this does beg the question - even though longer passwords are
> > > theoretically harder to "crack", who cares....the bad guys are just
> > > going to go around them anyway....?
> > >
> > > Thoughts?  And thanks for the discussion....
> > >
> > > Michael
> > >
> > > -----Original Message-----
> > > From: The EDUCAUSE Security Constituent Group Listserv
> > > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig
> > > Sent: Wednesday, April 14, 2010 7:27 AM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Please do not change your password
> > >
> > > Unlikely that it'll change the audit book.
> > >
> > > Nor should it, necessarily.  The study is really predicated on
> consumer
> > > accounts, and doesn't address duty of care issues for data
> custodians,
> > > among other things.  I've rarely seen that mentioned over the last
> five
> > > months' discussion, since the paper was published.
> > >
> > > One particularly acute point on this topic is the paper's assertion
> > > that financial fraud loses the use nothing.  While true for some
> > > financial accounts situations for personal accounts, that is
> > > demonstrably not true for US commercial online bank accounts (see
> > > Krebsonsecurity.com for many examples), and as I recall isn't true
> for
> > > all personal banking accounts in other countries.
> > >
> > > All that said, it's a goodish paper, and we've all known that
> passwords
> > > are horrid for well over a decade, but substantial progress on
> password
> > > replacement is pretty poor, overall.
> > >
> > >     -jml
> > >
> > >
> > > -----Original Message-----
> > > From: Justin Sherenco
> > > Sent: 2010-04-14 08:04:59
> > > To: Justin Sherenco;The EDUCAUSE Security Constituent Group Listserv
> > > Cc:
> > > Subject: [SECURITY] Please do not change your password
> > >
> > >
> > > Hello,
> > >
> > > I came across an interesting article on password changes.  Author
> > > Cormac
> > > Herley of Microsoft makes a good case albeit just a cost-benefit
> > > analysis.
> > > I had to go back and think of why these types of policies were
> created
> > > in
> > > the first place.  I came to my own conclusion that they were created
> > > before the days of complex password (passphrase) enforcement and the
> > > ability to automatically lock out accounts after X amount of failed
> > > log-in
> > > attempts.
> > >
> > >
> > >
> > > Do you think he can convince the auditors?
> <http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_
> > > not
> > > _change_your_password/?page=full>
> http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_n
> > > ot_
> > > change_your_password/?page=full
> > >
> > >
> > >
> > > Regards,
> > >
> > > Justin
> > >
> > >
> > >
> > >
> > >
> > > -------------------------------------
> > >
> > > Justin Sherenco
> > >
> > > Security Analyst
> > >
> > > 734-487-8574
> > >
> > > Easten Michigan University
> > >
> > > http://it.emich.edu/security
> > >
> > >
> > >
> > >
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content by MailScanner, and is
> > > believed to be clean.
> > >
> > >
> > > --
> > > This message has been scanned for viruses and
> > > dangerous content by MailScanner, and is
> > > believed to be clean.
>
> -
> Mike Porter
> PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2

Attachment: smime.p7s
Description: