Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Corporate Passwords Part 1

With the vast amount of research and content that was doneby SpiderLabs for the Global Security Report, it made it impractical to includeall of the content that was written for this year's password study. But instead of letting that research go towaste, myself (Garret Picchioni) and Barrett Weisshaar are going to be offeringthe unabridged edition of the password study in a series of blog posts in hopesthat someone can find the research interesting and valuable to their organization…orat the very least some good bathroom reading material.

This month, we lookat part 1 of the study. In order tobetter understand the choices users make in passwords, we must firstacknowledge that many times passwords are entirely unnecessary. A poorlydesigned application with an excellent password is still a poorly designedapplication.


Passwordchoice continues to be an important facet of security that cannot bediscounted, and is often overlooked. A perfectly otherwise secure applicationcan be brought down by a single poor password choice, no matter the bestefforts of the developer. They can be dressed up, accompanied by additionalfactors, chained by constraints and minimums, but the base principles ofpasswords are still essentially intact.

Inthis year's study, we build off of the lessons of last year and return with afresh set of expanded data. For those of you that read last year's report, ourprocess will seem quite familiar. However, as with any effort we've continuallyimproved with both our data set (in both efficiency and quantity) as well asour analysis.

Beforewe get to the details, it's important to again look at a few basic tenets ofpassword choices. In some cases, thestrongest password choice may not matter due to the weakness of the underlyingsystem, whether it is a cryptographic weakness, exploit, or externalfactors. Even in mechanisms with solidtechnological foundations, a variety of human fallibilities contribute toundermine the security of the system as a whole.

Password Weaknesses Unrelated to Password Choice

Bypassing Passwords Entirely

Evenusers who are the most proactive in ensuring their account safety can oftenhave their accounts compromised by other attack vectors unrelated to theirpassword selection, thus making their complex password irrelevant. The responsibility for preventing an attackerfrom utilizing these vectors is shared between both the user and an ITAdministrator.

Ifa user's machine is vulnerable to system exploits as a result of missingcritical operating system patches, it enables an attacker to utilize that avenueto compromise a system and completely bypass the need for a valid useraccount. An ever-present example isstill the MS08-067 SMB vulnerability for Microsoft Windows 2000, XP/Server2003, and Vista/Server 2008. This5-year-old vulnerability that has become trivial to exploit, enables anattacker to compromise a system in matter of seconds without requiring a singleuser's password.

However,even patched systems can become compromised as a result of 3rd partyservices being installed on a user's system. This can range from unpatched services such as an Apache Web Server thatenables a user to exploit a buffer overflow, or more commonly seen, remoteaccess tools that bypass a user's login credentials or that only require asecondary password. VNC (being a perfectexample of this) is a commonly used remote desktop utility but unfortunatelypresents security problems that can often get overlooked. VNC Free Editions, often installed by theend-user without IT staff knowledge utilize separate non-policy passwordsystems for console access. VNC willfunction normally even without the secondary password, making connecting to aremote system by an attacker easy. VNCFree Edition also does not encrypt communications between the client and servermaking a user's machine susceptible to Man in the Middle style attacks that cancapture a VNC password, if one is even set.

Weakness ofCryptographic Methods

Otherfactors that can contribute to an account compromise deal with thecryptographic algorithm used to encrypt a password. If a weakness exists in the algorithm, that'swhat's taken advantage of in an attempt to crack as password as opposed toresorting to attacks on the password itself.

Anextremely common example of this is the use of LAN Manager (LM) Hashes to storeWindows passwords. LM Hashing isconsidered to be a legacy hashing algorithm but is still in use in manyenvironments today. It was used as theprimary hashing algorithm for pre-Windows NT systems and carried over andenabled by default in later versions of Windows in order to maintain legacysupport. LM Hashes can be cracked withrainbow tables (files containing pre-computed mathematical functions forquickly solving cryptographic hashes) in a matter of minutes because of the waythe hash is designed. When an LM hash iscreated the user's plain-text password is converted to all uppercase charactersfollowed by null-padding the password up to 14-bytes. This "fixed-length" password in actuality istwo 7-byte DES encrypted hashes. Thus, when cracking, instead of needing tocrack the entire password, an attacker can crack each half individually thenmerge the two results together.

Microsoftfinally disabled LM hashing by default starting with Windows Vista and Server2008 but is still commonly seen in Windows XP/2003 implementations. The one saving grace in places were LMhashing is enabled is that an LM hash has a 14 character limitation. If a user's password is over 14 characters,Windows will not hash the password with LM and only hash using NTLM. Other examples where attacking thecryptographic weakness is better than attacking the actual password itself isfor WEP enabled wireless networks.

That's enough for now – until next time, when your developersays they have their own custom written "proprietary" encryption algorithm, oryour sysadmin says they need VNC open on the external perimeter, make sure toflip a few tables and call them on it. If it weren't for them, it's less likelywe'd be having a chuckle at your password where you spelled your pet's namebackwards and added a "1".

-Garret & Barrett