Nettitude Blog

Does Enforcing A Strong Password Policy Make Any Difference?

Posted by Neil Lines on Aug 8, 2014 11:40:15 AM

Is it possible to go a week without hearing someone harp on about the importance of a strong password policy? It seems not if you have any connection to security, be it via work or just an unhealthy interest.

I apologise in advance: reading blogs on the importance of a strong password policy mostly results in a very dull read. The intention here is to give a different slant on the issue by sharing our experiences, with a few password examples that we regularly encounter while performing internal penetration tests.

So, before we take a look at an example of a strong password (and it is worth noting that nobody ever says a good password!), here are some examples of passwords that the Nettitude team has witnessed while performing penetration tests.

  1. Password
  2. abc123
  3. 12345678
  4. And my all-time favourite, the single character of 1

Before you consider blaming a user for such password choices, bear in mind that they are not necessarily at fault. The internal security policy should ensure that such passwords are never accepted in the first place!

Let’s now take a look at a complex password example. When researching advice on password complexity, the majority of sources advise that a password should have the following:

  1. A length of at least eight characters
  2. English uppercase characters (A - Z)
  3. English lowercase characters (a - z)
  4. Base 10 digits (0 - 9)
  5. Non-alphanumeric characters (for example: !, $, #, or %)

Measured against the above, P@ssword1 qualifies as a complex password: nine characters, one uppercase letter, lowercase letters, a digit and a symbol. Does it look complex?

To show how easy it can be to crack a password, even one that meets common password complexity requirements, the following shows how an attacker can use post-exploitation scripts to perform deeper attacks once a host is compromised. In this example, a post-exploitation script has been used to collect the stored password hashes from the local Security Accounts Manager (SAM) database.

The SAM database in Windows XP, Windows Vista and Windows 7 stores the hashes of local users' passwords, not the passwords themselves. The recovered entry is in the usual pwdump layout of username, RID, LM hash and NT hash separated by colons. The LM field aad3b435b51404eeaad3b435b51404ee is the well-known value for an empty LM hash (LM storage disabled), so only the NT hash needs to be attacked. The entry can be seen in example 1:

  IEUser:1000:aad3b435b51404eeaad3b435b51404ee:ead0cc57ddaae50d876b7dd6386fa9c7:::

The recovered hash still has to be cracked to reveal the password. The NT hash is an unsalted MD4 of the password, so each candidate from a wordlist only has to be hashed once and compared against every hash in the dump. To accomplish this, Nettitude saved the hash to a .txt file and, using the John the Ripper password cracker with a wordlist containing millions of commonly used passwords, cracked the password in less than a second, as can be seen in example 2:

  root@kali:~# john --wordlist=/root/wordlist.txt --format=nt /root/Hash.txt
  P@ssword1        (IEUser)
  guesses: 1  time: 0:00:00:00 DONE (Fri Jul 25 16:02:51 2014)  c/s: 8709K

Implementing a strong password policy alone will not resolve this issue. Ongoing education and awareness training regarding the evolving dangers is also required. Given the escalating threat level surrounding passwords, organisations would be wise to consider passphrases in place of standard single-word passwords, as these are longer and far harder to guess from a wordlist. Alternatively, two-factor authentication solutions, which require more than one means of identification at the login stage, add another layer of defence so that a cracked password alone is not enough.
