Chris Stoneff, Lieberman software: Fixing weak passwords
October 2010 by Chris Stoneff, Lieberman software
Passwords have been with us since before the age of the desktop PC but, as Chris Stoneff, senior product manager with Lieberman Software explains, administrators and their users need to rethink their password security policies if they are to be truly effective.
Passwords have been present in information technology since the earliest days, but it’s only in the last five years that computers have become powerful enough to crack common passwords in a sensible timeframe.
Web sites such as wpacracker.com show how easy it is to crack a WiFi password, and vendors such as Elcomsoft have released `password recovery’ applications that tap into the power of PC graphics cards to accelerate the `recovery’ (cracking process.
Today eight-character passwords can be cracked by consumer password recovery software in under an hour, and more experienced hackers armed with rainbow tables and other free tools can crack 14-character passwords – including alpha-numeric passwords with special characters – in less than three minutes. This makes it imperative for technology users to adopt longer, stronger passwords.
In fact, adding numeric characters to a password - creating a passphrase - can significantly increase the time needed by even the best cracking software, running on the latest six-processor equipped machine, to the point where brute force hacking of passphrases becomes impractical.
That’s not to say that hackers and their technology won’t advance in the near future - perhaps through fractal calculation techniques - to negate even this level of protection.
So what can be done in your organisation to encourage staff not to use weak passwords?
The answer is to encourage the use of stronger passphrases and mandate that users update their passphrases on a regular basis. These updates can provide some measure of protection should a passphrase ever be compromised – say, in a hotel, a railway station, or even in the office. It’s also advisable to configure rules to prevent users from cycling through old, previously used passphrases.
Many organizations set passphrases to expire within 60 days or less, and require both a minimum length, minimum age, and the use of special characters. These practices should be followed even in organizations where two-factor authentication (such as hardware tokens) are in place.
But what about the less obvious rules?
Within the IT department - and for Windows users - admins should set the group policy to disable LANMan hashes. LANMan hashes are notoriously easy to extract and crack using brute force methods or freely available rainbow tables that provide a pre-computed list of hashes. The policy is located under \computer configuration\windows settings\security settings\local policies\security options\network security, and is configured by changing the setting to ’do not store LAN manager has value on network password change = ENABLED.’
It’s also advisable to set a minimum passphrase length of 15 characters, as this is the critical length where, regardless of other policies, LANMan hashes cannot exist in Windows systems.
Administrators should also set all in-built admin accounts (e.g. administrator, root, sa, sys and so on) to have frequently updated passphrases that are different amongst all accounts. This particular recommendation purposefully breaks the peer-to-peer model of the Windows network and ensures that a breach of one system’s administrator account does not affect others.
It’s especially critical to ensure that no two administrator accounts ever have the same passphrase. Otherwise, should one of these “super user” accounts be compromised, other accounts and applications will be breached.
Also keep in mind that there are scenarios – such as restarting the computer in safe-mode - when disabled administrator accounts can be re-activated without user intervention. Therefore it’s essential to continuously audit all “super user” accounts in such a way that unusual activity is quickly discovered and the appropriate actions taken.
Fortunately there are software solutions available to help you continuously secure and audit the “super user” credentials required for administrator logins, application-to-application transactions and highly privileged computer services. An example of this is Lieberman Software’s Enterprise Random Password Manager.
So what guidance can you give end users?
Don’t include easily-guessed information in your passwords such as birthdays, family and pet names, or words for things in front of the computer system.
Also, don’t start with easily guessed words or common words such as `password’ and simply replace characters such as “a” with an “@" or “o” with a zero. Hackers know this strategy and their software knows it too.
Don’t use the same passphrase for multiple logins - and in particular don’t mix personal passphrases with business ones. Keep everything separate so that even if one account is compromised, the rest are secure.
Never give anyone - including IT staff - your password. If an administrator truly needs your passphrase, change it before disclosing it, then change it back when they no longer need access and ensure you are present when they are using your account.
Don’t click links in emails from unknown senders, no matter how attractive or urgent they seem. And if your browser starts displaying pop-ups with unusual frequency or appearance – no matter where you are browsing - close your browser and scan your system for malware and adware.
And then there are the not-so-obvious points...
Even when logging onto websites, use passphrases that are 15 characters long whenever allowed. This can help safeguard your account on sites whose administrators may not be protecting stored passphrases by disabling vulnerable hashing algorithms.
If you do online banking, be sure to logout after each session. This invalidates the login session stored on your system. Then CLOSE all browser windows before leaving your machine. If you are using a tabbed browser, simply closing the single tab is NOT enough. You must close all browser tabs and windows to clear the cached data from further use.
Don’t allow browsers to store your passphrases for you, as not all browsers store your logins in a secure fashion.
Lastly, users should never configure a computer to automatically log them on. If your system is configured for auto-logon, Windows may actually store your passphrase in clear text within the registry of the system in one or more well-known locations. This mistake can give even the most amateurish of hackers both access to your system and knowledge of your passphrase – a potentially dangerous combination.
Effective passphrase security is often said to be a “state of mind,” and we’ve heard words such as ”holistic” used to describe the process.
In truth, all that is needed to create a more secure environment is the right set of automated building blocks – security policies – that are enforced by automated systems, audited and reviewed to account for current and future security threats.
To achieve real security it is also essential to collaborate with end users with no less zeal than hackers collaborate amongst themselves to develop the tools to put your organization at risk.
Remember to automate as many processes as you can to secure and audit your organisation’s passphrases. This decreases the likelihood of any weaknesses being overlooked, and increases the odds of your being alerted to any unusual activity.
Hackers think creatively when it comes to compromising your network, so developing a comprehensive strategy - using tested ”building blocks” – is the right way to help defend your digital assets.