After one of my recent articles I ended up in a discussion with someone over blocking easy attacks by unsophisticated attackers. For example, I said you should not worry about Rainbow Crack. What is important is protecting the password hash database because the hashes are plain-text equivalent. If passwords get too difficult to crack, the bad guys will just build better tools that can use hashes directly in the authentication sequence. Of course, you should also ensure that the passwords are resilient against guessing and cracking the authentication sequence, but those are much easier to deal with. This means though that 14+ character passwords are not really all that important. 8-9 characters are fine for most purposes.

The argument against my claim is that unsophisticated attackers, say malicious internal users, can still simply go download Cain and, since it has a cracker built in, take over your network. If we ignore the issue that these users would already be administrators, this argument still hits the nail on a particular onerous head: easy access to rudimentary tools that create criminals of opportunity. My approach to dealing with the issue is a bit different though. I tend to focus on two things.

  • First, run the systems in such a way that you do not expose sensitive info, such as high privilege credentials on low privilege systems, and then protect the sensitive systems appropriately. That makes the crimes much more difficult to perpetrate. It also makes the systems harder to run, which is why we find so few environments doing it.
  • Second, focus on defeating the most skilled attackers the environment is likely to face. While it may be a bit more difficult to do so it will also defeat the attacks by the less skilled criminals of opportunity.

If we take the case of Rainbow Crack, there are two ways to defeat it. The first is to use very strong passwords (or pass phrases) which are unlikely (but not guaranteed) to be in the tables. The second is to stop the bad guys from getting your password hashes. No hashes, no cracking.

This is why I think we need a change in tactics in security. This field has spent the past 20 years responding to attacks by raising the security bar to just above where the attackers are at the time we raised the bar. This approach means we are always playing catch up to the newest attack. We raise the bar, the attackers jump over it. We raise it again, they jump over. I feel like I am in an old Basic program:

10 gosub detectNewAttack

20 gosub raiseSecurityBar

30 goto 10

How do we get out of this cycle?

Take an example: if you are paranoid, like me, you would agree that it is only a matter of time until Cain and friends, in "the interest of security," will include pass the hash functionality. After all, since everyone will use 15 character passwords soon (and if you believe that I have some land I want to show you ) their current technique will no longer work. That means that if we primarily focused on mitigation number one above we will now once again playing catch up, and we will have made all our users mad in the progress by forcing them to use horribly long passwords without much help on how. On the other hand, if we thought differently about the problem and worked on fundamental design and secure operations instead we would stop not just the current attacks, but the new ones. Stopping current attacks is nowhere near as interesting as stopping future ones.

Don't misunderstand me here. Strong passwords are still extremely important, and I an one of the loudest advocates of pass phrases. However, I also think that as security professionals we need to stop playing catch up. We need to stop reacting to every new move the bad guys come up with and start anticipating and get ahead. The information security discipline is heading for a crisis unless we start working on strategic security, not just tactical response. We need fresh thinking, new thought, and partnerships with those who use our systems. The bad guys know how we operate and they keep using that against us. To get out of this situation we need to stop just raising the bar and instead move it to a new playing field; one where we get to write the rules.
 
These are of course my opinions, and you are free to disagree, but it explains why I think the way I do.