Passwords May Be Weakest Link
blankmange writes "ZDNet is carrying a piece on network security and employee passwords: "When a regional health care company called in network protection firm Neohapsis to find the vulnerabilities in its systems, the Chicago-based security company knew a sure place to look. Retrieving the password file from one of the health care company's servers, the consulting firm put "John the Ripper," a well-known cracking program, on the case. While well-chosen passwords could take years--if not decades--of computer time to crack, it took the program only an hour to decipher 30 percent of the passwords for the nearly 10,000 accounts listed in the file." Sounds like enforced password formats and mandatory changing of passwords would help, but how many companies actually make them policy and enforce it?"
One word - SQLSnake
The fact that you need "x" access in order to get to the password file is no protection against the password file being stolen and cracked.
Karma: Food Fight (Mostly affected by Date Plate).
A caveman dreams of being us, the incalculable power and riches. We dream of being Q, then what?
People at work hate me for enforcing hard passwords. (And other assorted security measures)
Basically I am a BOFH, so I don't care.
Unfortunately the common joe/jill user has no clue when it comes to computer security.
You just have to resign yourself to the fact that people are not going to like you. (i.e. Security Nazi)
A good way to help *push* them towards secure passwords is to crack your own systems passwords.
You can use John the Ripper for Unix passwords OR l0pht crack for Windows systems.
Nothing disturbs an end user more than when you email them their old password (you have changed it to something hideous now...) and warn them that you can read their email.
If you use Microsoft systems then use the password "Account Policies" options to increase password length/complexity values.
If you use Unix try npasswd to enforce difficult passwords.
The most important factor is to get Management buy in. Try cracking some VP's passwords during a "standard audit".
Help them come up with a creative password. (First letters of a phrase work well. Throw in some numbers/metachars...)
Once I had Management buy in it was smooth sailing. Just hold their hand for a while.
The problem users are bonehead sysadmins who use their authority to bypass the password policy or just don't set secure passwords.
I'd be eating dinner and drinking expensive wine at a nice restaurant if I had a dollar for every time I've found an Oracle SYS password set to "change_on_install" or "oracle".
The only solution to the password problem is to eliminate passwords. At my organization, we are moving to a smartcard-based system that removes the password problem completely.
Conformity is the jailer of freedom and enemy of growth. -JFK
OK, one password for life might be a bit extreme, but if a user is on to a good thing, do not get them to change.
OK, I have oversimplified things a bit, but you get the point, right?
I have never understood why people think that passwords suffer from wear and tear. I have never seen evidence to convince me that the longer one uses a password, the more vulnerable it becomes.
I remember in university, one of my courses had a module in something about maintenance/replacement of machinery, from a managerial perspective. One thing I recall is that with a lot of mechanical equipment, the older it got, the shorter the mean time between failure.
Digital equipment was almost the opposite. New equipment had a high chance of failure. If it survived the first couple of weeks, then it became almost impossible to predict failure rates. It was entirely random. Hence replacing aging mechanical equipment made absolutely no sense, whereas replacing digital equipment actually introduced a danger of failure.
Well, passwords are like that. If you force users to change their passwords, and they change it from John, to Luke, to Mark to Peter, you have not really done much.
If you get really funky, and force them to change from adf0708 to 1433lkh to kh432lk to 23HGLY9, then you are beginning to get somewhere. The problem with these is that users then tend to write them down, because just as soon as they remember them off by heart, they are forced to change them. As long as a password is written down somewhere, it is not secure!
A more thorough plan is to get users to choose one password, and set rules on numerics, caps, etc. (or better yet, issue passwords). At the same time, run a basic brute force dictionary cracker on the password file(s) and force *all* users with simple passwords to change them. Keep forcing them until they choose something sufficiently hard (or issue them with one that they can't change for the first 3 months or something).
Once users have a robust password, allow them to use it indefinitely!
Live today. Tomorrow will cost a lot more!
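The post above (run a dictionary cracker over the password file, then make everyone it catches change) and the earlier one recommending John the Ripper describe the same audit loop. The following is an added example of that loop, not code from either poster and not John the Ripper's code: it parses a constructed shadow-style file, runs a small constructed wordlist through John-style mangling rules against every salt, and reports which accounts fall. The `$demo$` hash format is a salted SHA-256 stand-in for crypt(3) so that the example runs without a crypt library; the account names, passwords and wordlist are made up.

```python
"""Dictionary audit of a shadow-style password file with John-style mangling.
Constructed demo: the hash format, accounts, passwords and wordlist are made up."""
import hashlib
import hmac


def demo_crypt(password: str, salt: str) -> str:
    """Salted SHA-256 rendered as "$demo$<salt>$<hex>".
    A stand-in for crypt(3) output so the example runs without a crypt library."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"


# Constructed shadow lines (user:hash:lastchg:min:max:warn:inactive:expire:).
# grace is locked ("!"), so there is nothing to crack for that account.
SHADOW = [
    "alice:" + demo_crypt("welcome1", "Qx7f") + ":11800:0:99999:7:::",
    "bob:" + demo_crypt("Password", "m3Lp") + ":11800:0:99999:7:::",
    "carol:" + demo_crypt("Mdh3l&1t!", "Zr9k") + ":11800:0:99999:7:::",
    "dave:" + demo_crypt("terces", "b8Tw") + ":11800:0:99999:7:::",
    "erin:" + demo_crypt("Dragon9", "Hn2v") + ":11800:0:99999:7:::",
    "grace:!:11800:0:99999:7:::",
]

# Constructed wordlist; a real audit would use a multi-megabyte list.
WORDLIST = ["password", "welcome", "secret", "dragon", "monkey", "summer"]


def parse_shadow(lines):
    """Yield (user, salt, hash) for entries that carry a crackable hash."""
    for line in lines:
        user, field = line.split(":")[:2]
        if not field.startswith("$demo$"):
            continue  # locked ("!", "*") or a format we do not handle
        _, _, salt, _ = field.split("$")
        yield user, salt, field


def mangle(word):
    """Rules in the spirit of John's wordlist mode: case changes,
    reversal, and common digit or symbol suffixes."""
    base = word.lower()
    forms = {base, base.capitalize(), base.upper(), base[::-1]}
    for stem in list(forms):
        for suffix in ["1", "123", "!"] + list("0123456789"):
            forms.add(stem + suffix)
    return forms


def crack(shadow_lines, wordlist):
    """Return ({user: recovered_password}, hashes_computed).
    Each candidate is hashed once per distinct salt, as a real cracker must."""
    accounts = list(parse_shadow(shadow_lines))
    found, computed = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            for user, salt, stored in accounts:
                if user in found:
                    continue
                computed += 1
                if hmac.compare_digest(demo_crypt(candidate, salt), stored):
                    found[user] = candidate
    return found, computed


def audit(shadow_lines, wordlist):
    """Summarise the audit: cracked map, number of active accounts, percentage."""
    found, computed = crack(shadow_lines, wordlist)
    active = sum(1 for _ in parse_shadow(shadow_lines))
    return {"cracked": found, "active": active,
            "percent": round(100 * len(found) / active, 1), "hashes": computed}


if __name__ == "__main__":
    result = audit(SHADOW, WORDLIST)
    for user, pw in sorted(result["cracked"].items()):
        print(f"{user}: {pw}")
    print(f'{len(result["cracked"])} of {result["active"]} accounts '
          f'({result["percent"]}%) cracked in {result["hashes"]} hashes')
```

Four of the five active accounts fall to a six-word list with a handful of rules; only carol, whose password is the initials of a phrase, survives. The per-salt inner loop is the reason salts matter: every candidate costs one hash per account instead of one hash per file.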
As someone else stated, PAM does this. More specifically, it's the cracklib PAM module; here's an intro: http://linux.oreillynet.com/pub/a/linux/2001/10/05 / amModules.html.
NT actually has the same type of deal. The DLL that does the password check is just a generic password filter provided by MS, which you can replace with your own. I wrote an NT password filter that catches the username and password of a user whenever they change their password and sends it to an external program registered in the registry. I use it to keep Win2K and OpenLDAP server passwords in sync (http://acctsync.sf.net), but the external program could obviously be anything.
As usual, it's just that Windows has a pretty GUI (which should not be discounted, btw).
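An added example, written in Python rather than as a PAM module or an NT filter DLL and not code from the poster, from cracklib or from Microsoft, of the kind of checks a change-time password filter applies: length, character classes, palindromes, username inclusion, dictionary words and their reversal, and similarity to the old password. The dictionary and thresholds are constructed stand-ins for cracklib's wordlist and pam_cracklib's minlen/difok settings; `passphrase_initials` shows the "first letters of a phrase" trick from earlier in the thread producing a password that passes the same policy.

```python
"""cracklib-style new-password checks, as a change-time filter would apply them.
Illustrative code; the dictionary and thresholds are constructed stand-ins."""
import re
import string

# Constructed mini dictionary; cracklib ships a large one.
DICTIONARY = {"password", "welcome", "secret", "summer", "dragon", "monkey"}


def char_classes(pw: str) -> int:
    """Number of character classes present: lower, upper, digit, other."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation or c == " " for c in pw),
    ])


def is_rotation(a: str, b: str) -> bool:
    """True if b is a rotation of a (e.g. "abcd" -> "cdab")."""
    return len(a) == len(b) and len(a) > 0 and b in a + a


def changed_chars(old: str, new: str) -> int:
    """Positions that differ plus any length difference (a simplified difok)."""
    common = min(len(old), len(new))
    diff = sum(1 for i in range(common) if old[i] != new[i])
    return diff + abs(len(old) - len(new))


def check_new_password(username, old, new, dictionary=DICTIONARY,
                       minlen=8, minclass=3, difok=5):
    """Return the list of reasons to reject `new`; an empty list means accept."""
    reasons = []
    low = new.lower()
    if len(new) < minlen:
        reasons.append(f"shorter than {minlen}")
    if char_classes(new) < minclass:
        reasons.append(f"fewer than {minclass} character classes")
    if low == low[::-1]:
        reasons.append("palindrome")
    if username and username.lower() in low:
        reasons.append("contains username")
    letters = re.sub(r"[^a-z]", "", low)  # strip digits/symbols, then look up
    if letters in dictionary or letters[::-1] in dictionary:
        reasons.append("based on a dictionary word")
    if old:
        if low == old.lower():
            reasons.append("case change only")
        elif is_rotation(low, old.lower()):
            reasons.append("rotation of old password")
        elif changed_chars(old, new) < difok:
            reasons.append(f"fewer than {difok} characters changed")
    return reasons


def passphrase_initials(phrase: str) -> str:
    """First character of each word, keeping trailing punctuation,
    so "My dog has 3 legs & 1 tail!" becomes "Mdh3l&1t!"."""
    out = []
    for token in phrase.split():
        out.append(token[0])
        if len(token) > 1 and not token[-1].isalnum():
            out.append(token[-1])
    return "".join(out)


if __name__ == "__main__":
    for user, old, new in [("psmith", "Password0", "Password1"),
                           ("bob", "", "Abc1cbA"),
                           ("jsmith", "Summer2002", passphrase_initials("My dog has 3 legs & 1 tail!"))]:
        verdict = check_new_password(user, old, new) or ["accepted"]
        print(f"{user}: {new!r} -> {', '.join(verdict)}")
```

The same function slots into either world: as the body of a PAM password-stack module it runs before the new hash is written, and as the `PasswordFilter` routine of an NT filter DLL it decides whether the change is allowed at all.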
Doesn't matter. A black hat will ignore the sticky note and just use the default or backdoor BIOS password.
We used to store our root passwords on printouts that the sysadmins kept in their top drawer - obviously not secure.
The solution I came up with was to build a dedicated Linux password server. Each user has a login and is a member of certain UNIX groups. Their "shell" is a custom C program that, when the user logs in, prompts for a machine and username combination. This input is only displayed as asterisks (so people looking over the shoulder won't know what machine the user is looking up). The program then tries to read a text file for that machine and user. If the permissions are such that the logged-in user is a member of the right group, then the contents are displayed for 5 seconds and then the screen is blanked.
This allows us to restrict who has access to what machines. The password server is pretty secure with no unnecessary daemon processes running, root cannot login through telnet (you need to login using a second account to get a prompt to su), there is a bios password and lilo password and the box is physically secure in the server room.
In the case of fatality, a paper backup is stored in a secured envelope and kept locked away with human resources who have permission to give it to a select few only (managing director, director of operations and IT managers).
It's working well for us and has been live for about three months now.