Should you worry about password cracking?

re: Should you worry about password cracking?

Mark Twain — Thu, 13 Oct 2005 15:46:02 GMT

"Clearly the dynamics of the human-computer interaction mean that the password verifier probably increases security instead of decreasing it. Therefore attacks against the password verifier are probably also not interesting."

Huh?

re: Should you worry about password cracking?

jesper — Thu, 13 Oct 2005 20:43:00 GMT

What Mark? That wasn't clear? :-)

What I meant was that if you disabled cached credentials users have to maintain two accounts, one local and one domain account. Given how good humans are at remembering passwords, there is a really good chance they will use the same password on both. If an attacker can access the cached credentials he can also access the local hash. The local hash is identical to the one stored on the domain and can therefore be used in a pass-the-hash attack against the domain directly. The cached credential is not usable in this way and must be cracked, which takes a while; about three times longer than cracking a regular password hash. Therefore, storing cached credentials is likely to increase security, not decrease it, since it allows users to use a much stronger credential verifier on the domain member when not connected to the domain.

Does that clarify things for you? Send me a mail otherwise.

re: Should you worry about password cracking?

Vic Pollard — Fri, 14 Oct 2005 11:53:04 GMT

I'm intrigued that you think boiling down a phrase into something shorter is bad. Yes, I know pass phrases provide the strongest passwords and would never discourage their use. However, talking about regular end users, it's hard enough to stop them using all the usual weak passwords (variations of "password", their names, names of family members, their dog, their football team) and telling them they need a thirty character pass phrase isn't usually greeted with much enthusiam. Surely something which looks like a random mix of upper case, lower case and numbers is better than "passw0rd"?

re: Should you worry about password cracking?

jesper — Sat, 15 Oct 2005 14:38:08 GMT

Certainly. Something that is seemingly random is better than a single word, or a single word, with a simple substitution. However, a phrase, which is meaningful, is much stronger still, is just as easy to remember, and only marginally harder to type. I'm not saying you need thirty characters. 10 - 15 or so is perfectly fine for many uses, and chances are most people can handle that. We obviously have to keep this realistic, and length is an important factor in that.

BTW, the statistic that it is much easier to crack the short password derived from a phrase than the phrase it was derived from is real. I found this same advice in our internal password policy here at Microsoft. I fed the sample they used there into LC5 and cracked it using rainbow tables in 43 seconds. Since the phrase cannot be cracked by most current tools (and I won't live long enough to see it happen even if it were possible technically) I calculated the crack time for that based on a brute force attack: 1,500,000 years! Even if you had a dictionary of words and a pass phrase cracker the crack time would be on the order of several thousand years. Obviously, cracking is not that meaningful, but as an order-of-magnitude comparison it is still valuable. This lends huge creedence to the argument that you should use the phrase itself, not the derived password.

Frankly, I think this advice came out of the issue that in Windows 9x and NT 4.0 you could only use a 14-character password. In order to make those stronger someone came up with this idea, or at least adapted it. Today, with Windows 2000 and higher supporting 127 character passwords, this advice is simply outdated and wrong.

re: Should you worry about password cracking?

Vern Buis — Sun, 16 Oct 2005 03:22:19 GMT

Jesper, first, thanks very much for the help your provide via your columns! You mentioned service accounts and their passwords; I am also concerned about scheduled tasks. We have many that run backups and other maintenance, which I have tried (unsuccessfully so far) to move away from administrative accounts. Is there any way to run these under the Network Service account--if so, how do I enter it's password? Are passwords for scheduled tasks vulnerable to cracking? Where and in what form are they stored?

re: Should you worry about password cracking?

jesper — Sun, 16 Oct 2005 14:22:00 GMT

Vern, unfortunately, there is no way to run processes as Network Service under the task scheduler. That account is not a normal account in that sense of the word. You would be better off creating a limited account and run the task in that account.

I believe the credentials for scheduled tasks are encrypted using the data protection APIs and then stored somewhere. Possibly they are in the LSA secrets, but I am not completely sure. The credentials are not really vulnerable to cracking the normal sense of the word, although anyone who can run code as the system (or an admin) can theoretically get them in cleartext by doing exactly what the task scheduler service would do to get them.

BAD TROUBLESHOOTING 101 (part 4 of many): Give EVERYONE the opportunity for a short password!!

Shawn's résumé writing prevention tips — Tue, 22 Aug 2006 19:38:49 GMT

OK.&nbsp; Let me get this perfectly straight.&nbsp; I am not going to give you a new way to do your passwords...

BAD TROUBLESHOOTING 101 (part 4 of many): Give EVERYONE the opportunity for a short password!!

Shawn's résumé writing prevention tips — Thu, 14 Dec 2006 01:40:29 GMT

OK. Let me get this perfectly straight. I am not going to give you a new way to do your passwords like

cracking kerberos password | keyongtech

cracking kerberos password | keyongtech — Thu, 22 Jan 2009 07:32:56 GMT

PingBack from http://www.keyongtech.com/2508013-cracking-kerberos-password