Hello All,

I have been recently working with a security tool known as <snipped, pending review>. I’m sure many of you have heard of this, for those of you who haven’t here is a brief look at what it does.

Instead of trying to brute force a password (LM/NTLM in my case, for Windows passwords, but it will also generate MD5 and SHA-1) it will generate tables of pre-generated hashes and using a reduction algorithm match up a hash of a password with the plaintext password. Normally this can take up to several months with traditional brute forcing attempts, using <this device> I was able to obtain a 7 digit alphanumeric password (mixed cased) in about 4 seconds.

It takes about 2 days to generate the necessary <table information> to break any 1-7 length alphanumeric password, and about 3 months to generate a table to break 15 digit (alphanumeric + symbols) password. Once created passwords can be broken with about 99% certainty in a few minutes.

In order to obtain a password hash one must have access to the SAM file (where Windows stores the LM/NTLM hashes). Since Windows is always using this file you cannot copy it onto a USB key or over the network. You can however dump the hashes from the copy running in memory using PWDUMP2/3/4 or SAMDUMP on the local machine. Or you can run PWDUMP4 over the network and obtain other machines SAM files.

The average user can however dump the SAM file and get a Local Administrator password with ease. Knowing this will let them install anything they like, key loggers, network sniffers or even root kits.

Ok, so anyone can get the Local Administrator password really quickly, what can be done about this? Use pass-PHRASES, in other words, make it longer. Windows 2000/XP+ can store passwords up to 127 characters long. So instead of having your password be “x3i(cs0” (I’m sorry if this is your password) which will be broken by <this device> in a matter of minutes use “My New Password Is Really Good!” (with the quotes) which is 34 characters long with symbols and mixed case.

Creating a <results table> for 30+ character/symbol passwords as well as traditional brute forcing techniques will take a lifetime. Making the pass-phrase much more secure.

I bring up these points not to cause panic, but to start a discussion. This all came as news to me when I started researching it, so I thought I’d pass the knowledge along. I’m sending the same draft to the security experts at my local school as it is more fitting for a college environment. But it came as a surprise that my “secure” password wasn’t secure at all.

As a heads-up, this thread is currently pending admin review. This isn't because you've done anything wrong, but because we've always been sensitive about revealing this sort of exploit-related security information on Geek/Talk due to the abuse it can encourage. I will remove this notification if the thread is approved in its current form. Otherwise, some minor snipping may occur to remove device names and so on.

Thanks, Matt, for this reminder. Even the most hardened, security-conscious Geek can allow himself or herself to slip into a state of "password lethargy" every now and then. While most of us are conscious of the need to use different passwords in association with different services and to mix cases in long alphanumeric passwords, these reminders often highlight that even those standard procedures are insufficient when dealing with mission-critical accounts, root passwords or the protection of highly sensitive data.

Czar,

I wouldn't have been surprised if this whole thread had been deleted, because of the reasons you stated.

My intent was not to get people interested in breaking passwords, but just to start a discussion.

I thought a longer post with more details would generate more discussion then "short passwords are easily crackable."

I guess to sum it all up, even a 15 character password with all sorts of symbols and numbers, which even I would have considered a very secure, isn't safe anymore.

Passphrases, which are easy to remember, that are 30+ characters are "the new wave" of how things should be done.

Maybe this is where biometrics or high-grade multiple-access passwords will start to make in-roads.

That is, while it's easy to suggest that people use long pass phrases, the fact that they'll still be at risk if they use the same password in multiple services means that a person will now have to juggle a series of unwieldy phrases. Those with failing memories may be tempted to write the phrases down, or to keep them in a txt file or unprotected document on a PC, phone or PDA, which simply increases the risk of theft.

I'm playing devil's advocate a little here, but if people choose not to properly manage their passwords, or if they find it difficult to remember a series of unrelated phrases, fingerprint or iris recognition may be the only feasible way (in the short term technological outlook) to ensure maximum consumer-level protection.

Fingerprint or iris recognition might be something for the future. But, there is something new possibly in the works right now.

A couple of days ago RSA Security announced a plan for one-time passwords.

They are going to submit the plan to the Internet Engineering Task Force and the Organization for the Advancement of Structured Information Standards.

The plan is being supported by such companies as Microsoft Corp., Adobe Systems Inc., Check Point Software Technologies, Juniper Networks Inc. and Cisco Systems Inc.

It is a bit complicted but as I understand it, knowing or finding a password wouldn't do any good since the password found would have already been used and couldn't be used again.

This will be something worth watching especially when it is explained how the public will be able to use this once it is deployed, whenever that might be.

Czar - Assuming all the devices use a good hashing function (remember, SHA-1 256 just got broken, as did MD5) then a long passphrase will be unbreakable everywhere. But as we all know they don't :(

Larwee - One time pads are great! Intel uses a system like this for their VPN. You get a card which displays a number, (which changes every minute) you have to enter this along with your password in order to login, so knowing a password is worthless. Hopefully a standard will evolve annd get used widely with enough huge company backing it.

Biometrics is excellent as well, but last time I checked the current fingerprint scanners could be fooled with a gummy bear :) But it has been a while.

My only worry aboutu biometrics is that I can NEVER change the password. If someone takes my finger (yes I have bigger problems to worry about) I can't change my other fingers to avoid intrusion.

Matt

I remember the old Gummi Bear incident. Imagine a multi-million R&D investment being set back by a penny worth of candy. Nasty stuff. :D Fortunately, newer readers often detect electrical currents and/or body heat as well as the actual print layout, so as to avoid the nightmares associated with finger print lifting, severed fingers and modeling from a mold. Some also require the use of a password in conjunction with the print which, while seemingly taking us back to square 1, allows for a fairly simple uniform phrase to be used in consumer-grade protection situations due to the two-layered approach.

Nevertheless, iris reading is still generally accepted as superior to finger prints. It will be a while until iris readers drop to a price that makes them viable in the consumer market, however.

The one-time password systems sound fantastic. I remember when Mastercard released one-time card numbers as a bit of an experiment a while back. They were obviously limited by a finite availability of numbers, by inconvenience related to their system and by growing confidence in contemporaneous cert data encryption technologies. As a broader-application device, the one-time concept seems more useful since it combines a physical layer with the password and leaves a very limited window available to would-be crackers who manage to get their hands on a device.