Full Contact Computing
Bare knuckles, no holds barred computing

Is The War Against Password Cracking Lost?

We use passwords every day, usually multiple passwords for multiple applications / operating systems, and new security rules and policies imposed by administrators and the software itself demand that our passwords be ever more complex and obscure. Is there an end in sight?

The reason I ask the question is that password cracking capabilities seem to be advancing geometrically, to the point where any password is crackable. Google “password cracking” and you come up with over 1.5 million hits, many of them links to download free and very sophisticated utilities that will not only crack passwords but will sniff unencrypted passwords from network traffic, log your keystrokes as you type in your password, and “recover lost passwords”. If you don’t want to read how to do it, YouTube has video tutorials for your viewing pleasure.

And I can personally attest that these tools do work. A few years ago I inherited a dozen computers that were stacked in a corner in the back of the server room. Rather than let them sit and become obsolete, I booted them up and found them to be password-protected with no one in possession of the passwords. Reinstall XP? Not a chance. I downloaded one of these free tools and went through all of the admin passwords like the proverbial hot knife through butter. And Windows is not alone. I once worked with a Unix administrator who constantly ran various hacking tools against his Unix servers to help him determine security weak points. I remember him with a sick look on his face telling me that a certain tool had successfully cracked the entire Unix password file, including root. 

Trying to be more scientific, and with a larger sample population than my own experience, I searched the Internet to try to determine the speed with which these cracking tools work. That proved to be a difficult task. I could find very little on the actual cracking speed of any of these tools, so I settled on theory. This page (http://www.lockdown.co.uk/?pg=combi&s=articles) gives a nicely-formatted maximum time required to crack passwords of varying complexity using a simple brute-force attack. Using all of the keyboard characters, 96 of them, with an 8 character password, should take a high-horsepower computer 2-1/4 years to crack. Sounds pretty secure, right? Well, maybe not. First, that is maximum time to crack. Second, both the hardware and the software are getting faster. http://www.beowulf.org/overview/index.html details how to build your own supercomputer out of a number of common PCs, and botnets can be created from shared computer resources (http://en.wikipedia.org/wiki/Botnet). More computing power means more passwords that can be tried, and cracked, per second.

And the crackers are getting smarter. Rainbow hash cracking (http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html) allows a hacker to crack passwords faster by removing a huge amount of the load of the brute force attack. In this article, which is over two years old, the password “Fgpyyih804423” is cracked in 160 seconds.
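As an added worked example (not from the original post) of the arithmetic behind the 2-1/4 year figure above and of why the precomputation behind rainbow-table attacks pays off only against unsalted hashes: it computes the 96-character, 8-character keyspace and the guess rate that the quoted time implies, then builds a toy precomputed lookup table (the simplest form of what a rainbow table compresses) over a constructed three-letter password space and shows that a per-account salt makes the same table useless. The charset size, the 10x rate scaling and the toy space are assumptions for illustration.

```python
import hashlib
import itertools
import os
import string

def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length

def brute_force_days(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case days to exhaust the keyspace; on average about half of that is needed."""
    return keyspace(charset_size, length) / guesses_per_second / 86400

def implied_guess_rate(charset_size: int, length: int, years: float) -> float:
    """Guesses per second that a quoted worst-case cracking time corresponds to."""
    return keyspace(charset_size, length) / (years * 365.25 * 86400)

# Toy password space, constructed for the demo: 3 lowercase letters = 17,576 candidates.
ALPHABET = string.ascii_lowercase
LENGTH = 3

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # The salt is stored beside the hash; it need not be secret, only unique per account.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_lookup_table() -> dict:
    """One-off precomputation of hash -> password over the whole toy space.
    A rainbow table is a space-efficient form of this; the principle is the same:
    the work is done once and reused against every unsalted hash captured later."""
    table = {}
    for chars in itertools.product(ALPHABET, repeat=LENGTH):
        candidate = "".join(chars)
        table[unsalted_hash(candidate)] = candidate
    return table

def recover(table: dict, stored_digest: str):
    """Instant reversal if the digest was made without a salt, otherwise None."""
    return table.get(stored_digest)

if __name__ == "__main__":
    rate = implied_guess_rate(96, 8, 2.25)
    print(f"96^8 = {keyspace(96, 8):,} candidates; 2.25 years implies ~{rate:.2e} guesses/s")
    print(f"at 10x that rate: {brute_force_days(96, 8, 10 * rate):.0f} days worst case")
    table = build_lookup_table()
    print("unsalted:", recover(table, unsalted_hash("cat")))                # cat
    print("salted:  ", recover(table, salted_hash("cat", os.urandom(16))))  # None
```

The salted lookup fails because the attacker's table was built without the salt; defeating it means redoing the whole precomputation per salt value, which is exactly the brute-force cost the table was meant to avoid.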

So do we need to rethink our password policies?

If passwords can be cracked in minutes or seconds, do we need stronger passwords or is it simply a lost cause, where no password will be obscure enough? On the other hand, if we have to remember many passwords of absolutely meaningless hash, that will inevitably lead to increased administrative effort and the potential loss of critical data and systems. People will write these passwords down on Post-It notes and leave them available to anyone who can open their top desk drawer. And they will forget them.

I remember hearing of an incident in the mainframe days in which the system admin – the only guy with the password – died in an automobile wreck. The company suffered horrendous financial losses and almost went out of business until IBM finally just had to reinstall the operating system and the company had to recreate its records from paper copies. Even if this story isn’t true, it could happen. How many people know the root password in your office?

I would suggest that we take a deep breath and look at the whole picture. A big part of that picture is the realistic hacker threat, and study after study reveals that the biggest threat to a company’s sensitive data is from the inside. http://www.nymity.com/Free_Privacy_Resources/Previews/ReferencePreview.aspx?guid=157ee130-7028-470d-aef4-da2544c0174d: hackers and social engineering cause only 3% of data breaches; http://netcentricsecurity.com/articles/2010/01/15/malware-malicious-insiders-top-2010-threats.aspx?admgarea=news: “Malicious insiders were listed as the top threat for 2009, but have fallen to the No. 2 spot for 2010”, with careless employees as the number 4 threat; http://www.computerweekly.com/Articles/2009/08/26/237455/insiders-cause-most-it-security-breaches-study-reveals.htm: “Insiders cause most IT security breaches, study reveals”; and http://perimeterusa.com/blog/tag/insider-threat/, with a number of articles, such as “How much is your client data worth to a malicious employee?”, “Trojans installed in ATMs likely by malicious insiders”, “Malicious Insider Breach Stories”, and so on.

Given that we can only do so much to limit employee access to data without hindering their productivity, I think we need to look more closely at the physical security of the data that is restricted.  

For the typical server room, there is a mag card or cipher lock and video cameras in the room itself. To access the server remotely, the employee needs at least a low-level login to even begin to upgrade it to root access or to find the password file to crack. Overall, it has been my experience that access to root/database/admin users is extremely tightly controlled. 

For a typical Windows machine sitting on a desk, however, the security is much lighter. As I found out, simply booting the PC with a cracking software CD in the drive will work remarkably well. The question is: will that gain anything? Obviously the answer is going to be different for every company. Is sensitive data stored on the PC or is it really used mainly as a terminal to interact with a server, where the sensitive data is actually stored? If the PC does contain vital data, maybe it should be locked up at night. This may entail locating the PC in a room with a lockable door, software that requires a password and possibly a time lock that restricts access to normal working hours, biometric locks that read fingerprints, and/or locking computer cases that prevent access to the CD/DVD and USB, to prevent copying data to or booting from these media.

Basically, I am advocating increased physical security and a diminished reliance on obscure passwords, which apparently don’t work very well in the first place. Passwords should certainly be sophisticated to a point; “password1” won’t do, but “R66$%be8&5_*^” is over the top. Also, a more reasonable security policy should include an audit of what sensitive data is stored where, along with a justification of why it has to be stored on less-secure systems such as laptops and desktops.

And to end on a humorous note, I once worked with a government organization that required users to lock their PCs (CTRL-ALT-DEL) whenever they left their desk. One of the computer people had an evil streak, and whenever she found an unlocked PC, she would change the system colors to black text on a black background. Try getting that set back to something legible!
