Passwords and Cracking Info

Factual Questions
1

Just how likely is this? Here is my example. A couple of day ago I was doing some consulting for a hotel. I needed the controller’s password. She told me it was the carriage return. That’s what it was just hit the return key. I advised her that her password should be over 8 characters, a combo of words and letters and no dictonary words. She was like “Oh it doesn’t matter because even if someone tried to get in after two tries it shuts you out for 24 hours.”

So I finished up the job and was going over the results with the GM and told him. He told me his password was 1. He doesn’t see a problem. So I told him what I’ve been told how easy it is to crack passwords. (not to mention the fact he just told me his passwords) Now these two people have access to everything from Payroll, H/R reviews, budeting, corporate planning…

So just out of curiosity I went to google and did a serach for password cracking. I found a bunch of programs to buy. They said you could download a trial version, that will crack a password of up to two characters. So I wrote a simple Excel Sheet and passcoded it. I downloaded 5 different cracker programs and nothing. They couldn’t crack it though I had passcoded it with 1 or with nothing but carriage return.

My question is, is there a real concern about this. I mean perhaps a pro could do it, but is there a REAL danger of a guy just pulling a program off the internet. I’ve heard of brute force attacks but how could they work if after two wrong tries it kicks you out. In my last full time job, one of the things that bugged me was we had to pull assignments off the internet. And people constantly forgot their passcode. So they would get kicked out and then I would have to go into the server and override and reset it. And if I forgot my password, and got kicked out, (happended once I was on caps lock) I had to call the MIS person (who was only at the hotel once a week) to reset mine, so I could reset others.

And no, I’m not asking for how to crack passwords. I’m just wondering about the stuff my MIS person told me. (like make the password 8 character, use both letters and numbers etc…) Are they really valid?

So I guess just how easy would it be for a novice to get in? Is this being overhyped? I mean I was a bit shocked I download “supposed” programs that could crack an Excel password two or less characters, and all of them failed to detect the password of 1 or carriage return.

2

In many cases, crackers don’t try passwords by manually entering them at the password prompt. That takes too long and risks lockout. In many cases, they use other techniques to obtain a copy of the password file where the hashed passwords are stored. This is what the system compares to when you enter your password, and it may be a database, a flat file, or some other storage depending on the system. Once they’ve got that list, they can run their cracking tools against it offline.

Lockout is a good feature, but it’s not a cure-all for bad passwords. Aside from the fact that short passwords make dictionary attacks easier, they are also much more vulnerable to social engineering (as you found when these two dunces gave you their password when you asked). It’s very easy for their passwords to spread once they’re revealed, and it’s trivial to reveal them with something like shoulder-surfing if they’re so short.

It may not be appropriate to discuss the Excel crackers here, but just let me say that there are effective crackers but they are version dependent. The passwords are still “hard coded” in those files, but they’ve gotten a little smarter about it over the years. In the old days, you just had to open the EXE in an editor and look for the plaintext password at a certain offset, but it’s not that easy now (AFAIK, YMMV, I haven’t had to bother in several years).

3

No password at all or a 1 are terrible. There arguments why it’s no use for them to make more difficult passwords are wrong. Just because complex passwords aren’t perfect does not mean they are the same as a one character or blank password. The difference between the two is the difference between a “pro” cracker getting into your computer after a lot of planning and time spent figuring out how to do it and a person casually walking by and hitting enter and having access to the system.

In other words, the stuff your MIS person told you is definitely valid. Although password cracking programs are very effective, they generally require direct access to the hashed password files/database, either on the actual server (if account lockout is disabled), on a floppy, CD, etc. The bigger problem is social engineering because a lot of people are dumb enough to just tell a stranger their password.

When I first joined the place I know work, I ran a cracker on our password database and it got about 70% of the passwords in a matter of seconds. However, the majority of these were simply dictionary words, which is a big no-no. It eventually cracked more than 90% of the passwords after running for about 48 hours, but there were some that were complicated enough that it could only get part of the password. Most password cracking programs first use a dictionary attack before going to single character brute force.

4

IIRC, in the old days, when we were still telnetting and using elm and pine to read our emails in a UNIX environment on our university’s server, hashed passwords were publicly viewable documents. If you knew what you were doing, you could simply navigate through the the server to any user’s directory and pull the password file out of it.

Now, the password file alone doesn’t help you any, and the encryption was one way, so you couldn’t get to the password from the strange collection of junk letters you had. However, what these dictionary programs did was encoded whatever dictionary and database of common number, letter, and punctuation combinations you had with the encryption algorithm. It then compared your stolen hashed password with all the encrypted passwords it generated and if it found a match, voila.

That’s why dictionary words are so bad to use in passwords.

Granted, this was about eleven years ago, but it sounds as if the same techniques are being used today. Somebody please correct me if my explanation is in err.

5

A yes…the good old days…when you could remotely “finger” a username on a campus system across the country (as long as they were running on a complimentary platform) and receive a nice neat text output that included their social security number, their parents’ home address, etc…

On our system (at Humboldt State University, circa 1995 or so) finger output was a name and a word or two showing whether they were currently online or not. So I tried to finger an online friend who was attending Ohio State and I got WAY more than his connection status.

6

Quite a few years ago, even after we’d been telling people at work for years about good/bad passwords, one of our techs ran a very simple dictionary cracker and got over 50%. Shortly after, he installed a password-change program that insisted on better passwords (six to eight characters, and the first six have to contain at least two letters and at least one other character). He publicized the change with hypothetical identity-theft horror stories, and within a couple of weeks he was only cracking 10%. Unfortunately, he could probably still get nearly that many; some people just can’t handle passwords that are “too hard!”

7

But isn’t a lock out pretty effective against a brute force attack or a hacker program. It would only allow you two tries a day. And then the person using it would know something’s up as he couldn’t get in.

To me I seem paranoid. Heck I change all my passwords every two month and once a year I call in all my credit cards lost so I get new numbers on them so, even if the number is out there it won’t be usable.

Actually the controller had to give me her password, I told her to change it when I was done, the GM just told me his.

I was just wondering if the threat from an average joe is real. I can pretty much see how someone very experienced with computers could do this.

8

I’m sorry, but am I the only one who thought this was the raunchiest thing I’ve seen today?

Maybe it’s just me…
:: d&r ::

9

Howdy,

I recently attended a Microsoft security seminar in which a guy (I wish I could remember his name, he’s a great presenter) spoke about account lockout features available in Windows.

He described it as basically worthless and indicated that it would be easy for someone to turn it into a Denial Of Service attack - by interrogating the directory service for all the account names, then locking each of them out. He’s seen entire networks (1000s of workstations) brought down in this fashion.

His suggestion was to use a “passphrase” instead of a “password”. His argument was that his passphrase, “I walked my dog to the corner store”, would be far more effective against a brute force attack than any type of lockout feature, as well as being much easier to remember than “Ls8u3hch&@!(D”

Incidentally, many users wouldn’t interpret a lockout as “something is up”. Many interpret it as “oh crap, I forgot my password AGAIN, better get someone to reset it to something I can remember”.

Cheers,
Max.

10

The OP is sorta impossible to answer without qualifying the system and the method of encryption. I’ve been actually employed to crack passwords of terminated employees who passworded all their Office documents and refused to supply the password. In one case, I sat down and guessed their password in 2 tries (it was their girlfriend’s name, backwards. The first try was it forwards. People still worship me for that one.) ZIP cracking has been done as well by me. I’ve also written a brute-force MD5 cracker for my own purposes as well. Most of this is fairly straightforward and shows that these methods are not the best way to keep secure information.

I don’t think I’ve ever cracked a password unless it was for my job, or else to test my own passwords for ease of access.

A friend at work is an expert at cracking Windows account passwords, and has special tools he downloaded for that. I don’t know what they are but they do work.

11

How is a long phrase better than a short password against a brute force attack? Three tries and you’re out either way, right?

Besides, my users would hunt me down and gut me like a fish if I told them that they had to remember a whole freaking sentence instead of their usual “happy99” I’m just waiting for the day when the rules are set up to enforce really obnoxious passwords like M@rc(hag@!l (Marc Chagall, the artist)

12

Remember, unless the hacker has something against you in particular, or unless you are known to be in a position of responsibility, it’s not your id and password he wants, it’s an id and matching password that he wants. Hacking a system is much easier once you have a foot in the door. If he can get a list of ids (perhaps a company phone list), he can try the same trivial password on everyone in the company before moving on to the next. If he makes a good guess (maybe deriving a password from an “obvious” variation on the information in the list of ids) and his list is large, he stands a good chance of finding some dummy’s password.

Given that a hacker has broken in with one id and password, he may wish to muddy the waters (or find some idiot that happens to have “interesting” privileges that also doesn’t believe in good password) by getting a bunch of ids and passwords. These days, the encrypted password files are not as trivial to get at as in the old Unix /etc/passwd days, but if he can manage to get at the encrypted password file he can hammer at it with dictionary driven cracking programs without worrying about “three strikes, you’re out!” policies.

13

gotpasswords:

The point of the pass phrase approach is that you can easily remember some phrase like “Mary had a little lamb whose fleece was white as snow” and make your actual password “Mhallwfwwas.”

It’s damn hard to remember “Mhallwfwwas”, but it’s pretty easy to remember “Mary had a little lamb whose fleece was white as snow.”

The point is that people pick real English words as passwords because they can’t remember arbitrary strings. That’s a feature of human nature and administrators can whine all they want and it aint gonna change. What CAN change is their passwords, provided you accomodate human nature rather than fighting it. The passphrase approach is a decent way for a human to reliably generate (& later re-generate) long arbitrary strings.

Dictionary attacks rely on two techniques. One is to try logging on repeatedly using every word in the dictionary as a password, which works for the many systems that do not have password lockout policies set. Many don’t even log failed login attempts, much less read and act on the logs.

The alternative, if the bad guys can steal the encrypted password file, is to brute-force decyrpt. IOW, try all 10 billion keys and look for likely passwords among the 10 billion decypted strings.

But how does their decrypter know that this particular cadidate 10-byte decoded string is the right password? By looking to see if it’s an English word. If it is, then its a damn good bet you’ve decyrpted it sucessfully.

OTOH, when the decypter trys the key that results in “Mhallwfwwas”, it may well decide that’s just another bogus decryption and try the next key in sequence. Result: password not cracked.

As dmartin pointed out, the security of an environment is only as good as the weakest password among users at that authority level.

I cannot fathom how a management would permit (much less demand) weak password policy yet expect people to lock the front door when they go home at night, and yell at them if they leave the office unlocked.

The internet is about like those Capital One credit card commercials with the roving bands of Vikings or Visigoths showing up to sack your house. Somebody is sticking their skeleton key in the locks of your business (or home) every few minutes & jiggling the key to see what happens. If you’re not proactively dealing with that reality daily, you’re a goner.

The only good news is most of the bad guys have been pretty benign so far. But who’s to say the next big outbreak from North Korea or Al Qaeda isn’t a lot more destructive.

14

No. Cracking programs require access to the “encrypted” password (it might not necessarily be encrypted). The cracker then uses his program to operate on this (for example, the hash table), and when it produces a result he then goes to the machine and logs in on the first try. Lockouts forbid a human standing at the workstation trying every combination, but this was never an option for crackers in the first place. :slight_smile:

15

Duhh… I use “Mary had a little lamb…” passwords all the time, and it never occurred to me that they might be called passphrases. :smack: I also forgot all about someone stealing a shadow or password file and running crack on it, hoping to find something resembling words.

One of my system architechts does this every so often just to see how the users are doing. (He just goes over and gets it - no stealing needed.) Generally, not too good, so each time around, he adds some more entries on the banned passwords table. On the other hand, we are doing OK with root passwords - they’re all various decomposed phrases or names, like the m@rc(H@ga!l example above, and they’re only valid if the server is runnning in single user mode, which normally only happens on the day it’s first installed. Highly privileged user accounts (such as mine) are even tougher as the allowed password changes every 60 seconds on a two-factor token.

16

Yup.

Time-synced keys or smartcards are the only way to get serious about security. Passwords are like the locks on the front doors of our houses; good for keeping the neighbors’ kids out, but no match for any skilled determined opponent.

17

Both these schemes typically replace a good password with a token and a crappy password. For instance, they’ll turn off a mandatory twelve-character password and use a smartcard with a 4-5 character PIN. This changes authentication from “what you know” to “what you have” and makes theft a lot easier. They’re good, but it’s misleading to characterize them as the only way to get serious about security.

Security is a process and there is no single product which provides a panacea.

18

Amen. Our salvation rests in a layered approach. As with spam fighting. As with fraud protection. As with personal/corporate desktop security and anti-virus. Etc, etc…

A key layer can be conquered with the erosion of end-user ignorance.

Viva la revolution!!

19

The BIG problem with lockout systems as has been noted is that often it’s equally as useful to deny access to authorised users as it is to allow access to unauthorised users.

If I simply try to login to everyone’s account three times with random passwords. Then you can shut an entire organisation down until the admin re-allows all the passwords again.