Is it possible to go a week without hearing someone harp on about the importance of a strong password policy? It seems not if you have any connection to security, be it via work or just an unhealthy interest.
I apologise now, as reading blogs on the importance of a strong password policy mostly results in a very dull read. The intention here is to try to show a different slant on the issue, by sharing our experiences with a few password examples that we regularly encounter while performing internal penetration tests.
So, before we take a look at an example of a strong password (and it is worth noting that no one says a good password!), here are some examples of passwords that the Nettitude team has witnessed while performing penetration tests.
- And my all-time favourite, the single character of 1
Before you consider blaming a user for such password choices, they are not necessarily to blame. The internal security policy should ensure that such passwords were never an option in the first place!
Let’s now take a look at a complex password example. When researching advice on password complexity, the majority of sources advise the following:
- The password is at least eight characters long
- English uppercase characters (A - Z)
- English lowercase characters (a - z)
- Base 10 digits (0 - 9)
- Non-alphanumeric characters (for example !, $, # or %)
Looking at the above, it is possible to select P@ssword1 as a complex password. Does this look complex?
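The following Python script is an added example (not Nettitude's code) that makes the point concrete: it applies the five composition rules listed above, then checks the candidate against a blocklist of common passwords after undoing the usual substitutions (@ for a, 0 for o, a trailing digit). The blocklist here is a constructed handful of entries standing in for a breach-derived list of millions; the substitution table and the 16-character passphrase threshold are assumptions for the example, not values from the post.

```python
import re

# Composition rules exactly as listed in the post: minimum length plus four character classes.
COMPOSITION_RULES = {
    "length": lambda p: len(p) >= 8,
    "upper": lambda p: re.search(r"[A-Z]", p) is not None,
    "lower": lambda p: re.search(r"[a-z]", p) is not None,
    "digit": lambda p: re.search(r"[0-9]", p) is not None,
    "symbol": lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
}

# Constructed stand-in for a large common-password list (a real deployment would load
# a breach-derived list with millions of entries, as the wordlist in the post does).
COMMON_PASSWORDS = {"password", "password1", "welcome", "letmein", "qwerty", "123456", "admin"}

# Assumed substitution table: the character swaps that cracking rule sets try first.
# Reversing them lets the blocklist recognise "P@ssword1" as a variant of "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i", "5": "s", "7": "t"})

# Trailing characters users append to satisfy the digit/symbol rules.
TRAILING_PADDING = "0123456789!@#$%^&*.?"


def composition_failures(password):
    """Return the names of the composition rules the password does not satisfy."""
    return [name for name, rule in COMPOSITION_RULES.items() if not rule(password)]


def normalised_variants(password):
    """Return the base words a rule-based cracker would derive this password from."""
    lowered = password.lower()
    stripped = lowered.rstrip(TRAILING_PADDING)
    return {lowered, lowered.translate(LEET_MAP), stripped, stripped.translate(LEET_MAP)}


def blocklist_hit(password):
    """Return the common password this candidate is a variant of, or None."""
    for variant in normalised_variants(password):
        if variant in COMMON_PASSWORDS:
            return variant
    return None


def evaluate(password, passphrase_min_length=16):
    """Combine the checks: a blocklist match always fails; otherwise accept either a
    password that meets every composition rule or a long passphrase regardless of classes."""
    failures = composition_failures(password)
    hit = blocklist_hit(password)
    accepted = hit is None and (not failures or len(password) >= passphrase_min_length)
    return {"accepted": accepted, "composition_failures": failures, "blocklist_match": hit}


if __name__ == "__main__":
    for candidate in ["P@ssword1", "1", "Welcome1!", "horse staple battery correct"]:
        print(candidate, "->", evaluate(candidate))
```

Run as-is, the script shows P@ssword1 passing all five composition rules and still being rejected, because stripping the trailing 1 and mapping @ back to a yields a word on the blocklist; the single character 1 fails four rules outright; and the lowercase four-word passphrase fails the uppercase and digit rules yet is accepted under the length-based passphrase path.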
To show how easy it can be to crack a password – even one that meets common password complexity requirements – the following shows how an attacker can use post-exploitation scripts to perform deeper attacks once a host is compromised. In this example, a post-exploitation script has been used to collect the stored password hashes from the local Security Accounts Manager (SAM) database.
The SAM database in Windows XP, Windows Vista and Windows 7 is used to store users' passwords. The gained hash can be seen in example 1:
The gained hash still requires cracking to reveal the password. To accomplish this, Nettitude saved the hash as a .txt file and, using the John the Ripper password cracker with a wordlist containing millions of commonly used passwords, we were able to crack the password in less than a second, as can be seen in example 2:
```
root@kali:~# john --wordlist=/root/wordlist.txt --format=nt /root/Hash.txt
guesses: 1 time: 0:00:00:00 DONE (Fri Jul 25 16:02:51 2014) c/s: 8709K
```
Implementing a strong password policy alone will not resolve this issue. Ongoing education and awareness training regarding the evolving dangers is also required. Given the escalating threat level surrounding passwords, organisations would be wise to consider passphrases instead of standard single-word passwords, as these are longer and more complex. Alternatively, two-factor authentication solutions, which enforce multiple means of identification at the login stage, will add another layer of complexity to an organisation’s defences.