Wednesday, December 17, 2008

Windows Password Security - Part 1

What makes a secure password? How does Windows handle passwords? What points in this process are vulnerable? You would be surprised at the number of IT professionals who couldn't answer these kinds of questions. No matter what kind of security and monitoring your IT department has gone through the trouble of setting up, compromising the password system can bypass all of it. In many situations, an attack against an organization's password system can be completely undetectable.

In the first article of this series, we will take a look at the basics of password security as well as a few basic methods of attack. In the second article, we will focus on how Windows handles passwords and methods of attacking that process.



What makes a password secure?
  • The longer the password is the more secure it is
The first line of defense against an attacker attempting to guess a password is the sheer number of possible combinations. And just how many possible combinations is that? For our hypothetical case, we're going to simplify the math a bit. If we know the precise number of characters in the password, then the formula looks like this:

(Number of possible characters) ^ (Length of the password)

Let's say our hypothetical password is made up of only uppercase letters and can be only one letter long. That gives us 26^1 or 26 possible password combinations. That wouldn't take us too long to guess. Now what if we allowed passwords with exactly three characters? That would leave us with 26^3 or 17,576 possible password combinations. Simply by forcing our users to remember 2 additional letters we increased the number of passwords our attacker would have to guess by a factor of 676! The lesson here is longer passwords are exponentially stronger passwords.

  • The more types of characters in a password the more secure it is
Okay, let's go back to our one character length passwords. This time, instead of just uppercase letters we are going to allow uppercase letters, lowercase letters, and numbers. That gives us 62^1 or 62 possible password combinations. Now what happens if we throw in a non-alphanumeric symbol into our password? That gives us 94^1 or 94 possible password combinations. Now let's go back to the 3 character long password example above and this time we're going to allow users to add non-alphanumeric symbols into their passwords. That gives us 94^3 or 830,584 possible password combinations. Adding as many types of characters into your passwords as possible makes them much harder to crack.

  • The more random a password is the more secure it is
Up until now, we've assumed the only way for an attacker to break a password is simply to try every possible combination of characters until they correctly guess the password. In reality, users have a difficult time remembering random passwords, so they use common words in very predictable patterns. I would bet that at least half the users in your organization use passwords in the form of [Dictionary Word][1 to 4 digit number]. Every time they are forced to change their password they simply increment the number and leave the rest of the password unchanged. This means that breaking a user's current or previous passwords could leave you a handful of guesses away from breaking their future passwords after a forced password change.

Even the least sophisticated attacker is likely to try this avenue of attack first. The web is full of word lists specifically geared towards breaking passwords. Many of the freely available password cracking programs are capable of taking in a list of dictionary words and trying permutations of each word until a password is cracked. Simply changing the letter case (PaSSwOrD instead of password) or substituting numbers and symbols for letters (p@ssw0rd instead of password) is no longer sufficient to stop an attack.

One possible defense is to urge your users to use passphrases instead of passwords. A password of "My cat hates car rides!" is very difficult to crack using traditional methods. I would, however, caution your users not to use a passphrase that could easily be guessed by people who know them well. Also, avoid commonly used phrases.

  • The more secret a password is the more secure it is
You would think this point is pretty obvious, but you would be surprised at how many users write down their passwords on post-it notes, give them to colleagues, or give them to IT staff over the phone. Passwords should be known only by the user to whom they belong. In the ideal situation, even IT staff would not know a user's password. This is as much for the safety of the IT staff as it is for password security. While IT staff have the ability to reset a user's password for administrative reasons, this leaves a log trail. In the event a user's account is compromised, the logs can prove the innocence of the IT staff. This is not possible when users provide their password to others.



Enforcing password policies

Wherever possible, you should enforce your company's password policies with technical controls. Where that is not possible, you should set up a training program to make users aware of the policies, periodically audit compliance with those policies, and enforce consequences for breaking those policies. Active Directory provides settings that control minimum password length as well as ensuring passwords meet a minimum complexity requirement. Unfortunately, Active Directory does not provide a means of ensuring passwords are not vulnerable to a dictionary-based attack. There are several products that add this functionality if your organization's security needs warrant the expense. Ensuring that your users do not write down or share passwords requires constant user training, reminders, and most importantly, support from management.
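The following Python is an added example, not code from the original article: it turns the keyspace formula and the [Dictionary Word][digits] observation above into the kind of policy check that Active Directory's built-in settings lack. The keyspace is estimated from the character classes actually present in the password (the smallest alphabet an attacker would have to search), the word list and the leet-substitution table are constructed for the demo, and the trivial-change check assumes both old and new passwords are available in plaintext at change time.

```python
import re

# Alphabet sizes from the article: 26 upper, 26 lower, 10 digits, 94 printable in total
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 94 - 62}
CLASS_PATTERNS = {"upper": r"[A-Z]", "lower": r"[a-z]", "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}

# Constructed mini word list for the demo; a real check loads a full dictionary file
WORDLIST = {"password", "welcome", "summer", "dragon", "letmein"}

# Undo the common letter-for-symbol swaps (p@ssw0rd -> password) before the lookup
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "!": "i"})

def char_classes(pw):
    """Set of character classes actually present in pw."""
    return {name for name, pat in CLASS_PATTERNS.items() if re.search(pat, pw)}

def keyspace(pw):
    """(number of possible characters) ^ (length), the article's formula, using the
    smallest alphabet that contains every class present in pw."""
    return sum(CLASS_SIZES[c] for c in char_classes(pw)) ** len(pw)

def split_trailing_number(pw):
    """Split 'Summer2009' into ('Summer', '2009'); the lazy prefix leaves all trailing digits."""
    m = re.fullmatch(r"(.*?)([0-9]*)", pw)
    return m.group(1), m.group(2)

def dictionary_pattern(pw):
    """True if pw is [dictionary word][digits], ignoring case and leet substitutions."""
    word, _ = split_trailing_number(pw)
    return word.lower().translate(LEET) in WORDLIST

def is_trivial_change(old, new):
    """True if the new password only changes the trailing number (Summer2008 -> Summer2009).
    Assumes the change request carries both values in plaintext (hypothetical hook)."""
    return split_trailing_number(old)[0].lower() == split_trailing_number(new)[0].lower()

def check_password(pw, min_length=8, min_classes=3):
    """Return the list of policy violations; an empty list means pw passes."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if len(char_classes(pw)) < min_classes:
        problems.append("too few character classes")
    if dictionary_pattern(pw):
        problems.append("dictionary word pattern")
    return problems
```

Note that "p@ssw0rd" satisfies the length and complexity rules yet is rejected by the dictionary check, while the passphrase from the article passes all three.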