With the vast amount of research and content that was done by SpiderLabs for the Global Security Report, it made it impractical to include all of the content that was written for this year's password study. But instead of letting that research go to waste, myself (Garret Picchioni) and Barrett Weisshaar are going to be offering the unabridged edition of the password study in a series of blog posts in hopes that someone can find the research interesting and valuable to their organization…or at the very least some good bathroom reading material.
This month, we look at part 1 of the study. In order to better understand the choices users make in passwords, we must first acknowledge that many times passwords are entirely unnecessary. A poorly designed application with an excellent password is still a poorly designed application.
Introduction
Password choice continues to be an important facet of security that cannot be discounted, and is often overlooked. A perfectly otherwise secure application can be brought down by a single poor password choice, no matter the best efforts of the developer. They can be dressed up, accompanied by additional factors, chained by constraints and minimums, but the base principles of passwords are still essentially intact.
In this year's study, we build off of the lessons of last year and return with afresh set of expanded data. For those of you that read last year's report, our process will seem quite familiar. However, as with any effort we've continually improved with both our data set (in both efficiency and quantity) as well as our analysis.
Before we get to the details, it's important to again look at a few basic tenets of password choices. In some cases, the strongest password choice may not matter due to the weakness of the underlying system, whether it is a cryptographic weakness, exploit, or external factors. Even in mechanisms with solid technological foundations, a variety of human fallibilities contribute to undermine the security of the system as a whole.
Password Weaknesses Unrelated to Password Choice
Bypassing Passwords Entirely
Even users who are the most proactive in ensuring their account safety can often have their accounts compromised by other attack vectors unrelated to their password selection, thus making their complex password irrelevant. The responsibility for preventing an attacker from utilizing these vectors is shared between both the user and an IT Administrator.
If a user's machine is vulnerable to system exploits as a result of missing critical operating system patches, it enables an attacker to utilize that avenue to compromise a system and completely bypass the need for a valid user account. An ever-present example is still the MS08-067 SMB vulnerability for Microsoft Windows 2000, XP/Server2003, and Vista/Server 2008. This5-year-old vulnerability that has become trivial to exploit, enables an attacker to compromise a system in matter of seconds without requiring a single user's password.
However, even patched systems can become compromised as a result of 3rd party services being installed on a user's system. This can range from unpatched services such as an Apache Web Server that enables a user to exploit a buffer overflow, or more commonly seen, remote access tools that bypass a user's login credentials or that only require a secondary password. VNC (being a perfect example of this) is a commonly used remote desktop utility but unfortunately presents security problems that can often get overlooked. VNC Free Editions, often installed by the end-user without IT staff knowledge utilize separate non-policy passwords stems for console access. VNC will function normally even without the secondary password, making connecting to are mote system by an attacker easy. VNC Free Edition also does not encrypt communications between the client and server making a user's machine susceptible to Man in the Middle style attacks that can capture a VNC password, if one is even set.
Weakness of Cryptographic Methods
Other factors that can contribute to an account compromise deal with the cryptographic algorithm used to encrypt a password. If a weakness exists in the algorithm, that's what's taken advantage of in an attempt to crack as password as opposed to resorting to attacks on the password itself.
An extremely common example of this is the use of LAN Manager (LM) Hashes to store Windows passwords. LM Hashing is considered to be a legacy hashing algorithm but is still in use in many environments today. It was used as the primary hashing algorithm for pre-Windows NT systems and carried over and enabled by default in later versions of Windows in order to maintain legacy support. LM Hashes can be cracked with rainbow tables (files containing pre-computed mathematical functions for quickly solving cryptographic hashes) in a matter of minutes because of the way the hash is designed. When an LM hash is created the user's plain-text password is converted to all uppercase characters followed by null-padding the password up to 14-bytes. This "fixed-length" password in actuality is two 7-byte DES encrypted hashes. Thus, when cracking, instead of needing to crack the entire password, an attacker can crack each half individually then merge the two results together.
Microsoft finally disabled LM hashing by default starting with Windows Vista and Server2008 but is still commonly seen in Windows XP/2003 implementations. The one saving grace in places were LM hashing is enabled is that an LM hash has a 14 character limitation. If a user's password is over 14 characters, Windows will not hash the password with LM and only hash using NTLM. Other examples where attacking the cryptographic weakness is better than attacking the actual password itself is for WEP enabled wireless networks.
That's enough for now – until next time, when your developer says they have their own custom written "proprietary" encryption algorithm, or your sysadmin says they need VNC open on the external perimeter, make sure to flip a few tables and call them on it. If it weren't for them, it's less likely we'd be having a chuckle at your password where you spelled your pet's name backwards and added a "1".
-Garret & Barrett
