Welcome to AppFail
You last visited: never

Welcome to AppFail

Posted on 2009-05-01

Security Post

Everyone is supposed to know that they need to select a secure password, and not write it down. However many things that people know (or think that they know), and are told about password security are simply not true. Many times these things were true at some point in the past, however they no longer apply. Yet they continue to be perpetuated by stale security policies, along with a rigidness and resistance to change that can do more harm than good.

The most obvious example of this is password expiration policies. Periodic password changes were initially implemented to combat cracking. It was observed that it would take a sufficent amount of time to crack an encrypted or hashed password, and that if you changed the password every 30 or 90 days, that the cracker would be tring to hit a moving target, and this would most likely prevent the cracker from being able to find your password. Such is no longer true, with newer hashing algorithms and a strong password, it would take countless computers 1000s of years to crack your password. This causes us to look at what security a password actually provides and what we can do to keep unauthorized people out of our systems.

There are a number of ways in which your password can be compromised:

The most common case of password disclosure is when passwords are stored or transmitted 'in the clear', that is when they are not encrypted, hashed, or otherwise protected. Take the case of the standard FTP protocol that many people use to upload files to their websites. When you use FTP your username and password are transmitted in plain-text, so anyone listening on the wire (or in the air in the case of WiFi) can see your username and password, and easily deface your website, and since the password is likely common to the email address with your hosting company, they can also read your email (and use this to reset your passwords on other sites, such as eBay and PayPal), and otherwise cause havoc. The simple solution to this, is to use a secure protocol, such as SFTP (FTP over SSH), or SCP (RCP over SSH), or some form of encrypted FTP (FTP over SSL, FTP TLS, etc). My favourite client is FileZilla, which supports all of these protocols and is open source, and it also supports 'Secure Mode', which we will talk about in a second. Another common way for your password to be disclosed is when you check that little checkbox to 'save' or 'remember' your password. If you are not required to authenticate (such as a Master-Password) to access that password repository then it is not secure. Personally, i use an APC Biopod fingerprint scanner (watch the Biopod, and other fingerprint scanners be defeated by the MythBusters from the Discovery Channel), and it stores all of the passwords that i choose to save in a vault, that can only be accessed after I have authenticated with my finger print. It can also do multi-factor authentication, where i am required to provide BOTH a Master-Password AND my finger print in order to access the content. To protect yourself, remember to never save your passwords anywhere that does not require a master-password or other form of authentication before it allows you to use the saved password. FileZilla's 'Secure Mode' will prevent it from saving any type of authentication data, which makes it great as an SFTP client for your USB Flash Stick or for use on public systems.

This is when you goof, and give away your password, such as typing it into the username field, or the address bar, instead of the password prompt. This can also happen through social engineering, and various other methods. First and foremost, be sure to NEVER share your password with anyone. If you do have to share an account with someone for whatever reason, select a new password, so that the person will not be able to infer any additional information from knowing one of your passwords. Never give your password to tech support personel, they will NEVER need it, so if they ask, they are probably not who they say they are. Now would be a good time to start playing your telemarketer mind games with these people. IF your password is ever exposed, change it immediately, and remember that you should have a SEPERATE password for each account, so that if this does happen, you don't have to make a mad dash around the internet changing all of your passwords.

This is when someone is able to guess your password by analyzing the patterns that you use to make your password. If you use a seperate password for each of your accounts, but it is all the same password with a different number slapped on the end, or the name of the site prepended to the same password, then if any one of the passwords is exposed or disclosed, then the attacker can easily infer your other passwords. Do not use a pattern when generating your passwords, if there is a regular expression that will match all of your passwords, then you might as well make them all 'password'. And all those people who tell you to just replace your e's with 3's, and your l's with 1's, to turn your password into leet-speak, are wasting your time, any password cracker worth its salt expects this already, and tests for those conditions. Never base your password on a dictionary word, even if you obfuscate it.

Guessing passwords is an art, for years people have been constructing passwords based on dates such as birthdays, names of children or pets, favorite novels and the like. These passwords are NOT secure. An alarmingly large number of corporate break-ins and security compromises come from internal sources. Your co-workers could be the hackers, and if you work with someone for years, they might just get to know your kids names and birthdays, and what your favourite novel is. Social engineering and relationships can divulge information that could compromise your password, so make your password strong, and obscure, else you face the reality, that someone might know your password (or the elements that it is made up of), they might not even know that they know, but they do.

Cracking is the art of using algorithms and massive computer power (such as distributed bot nets and the like) to find passwords. One of the most common examples of this are the extensive number of failed login attemps made on every SSH server world wide. Bots attack these servers day in, and day out guessing common username and password combinations, and attempting to compromise the servers. But the bigger worry is if someone in control of these botnets manages to gain access to the hashed version of your password. To the average person it is just a string of random text, but to a cracker, it is a target. They can try to guess your password by hashing every possible string until they find one that matches your hashed password. Normally this would take a very long time, however there is another way. Since every time you hash a string, the output is exactly the same, a hacker could pre-compute every possible hash, and then quickly compare your hash against all of these already known hash values, and compromise your password in a matter of minutes. This is called a time-memory tradeoff, using more memory (these tables can be extremely large, on the order of 64GB depending on the password complexity) to save the time of doing the hashing that has already been done by someone else. This has been implemented in what are called Rainbow Tables. To combat this, modern hashing algorithms use what is called a 'salt' (in an MD5 or SHA1 password hash, this is the part between the 2nd and 3rd dollar sign character. here is an example of an MD5 password hash for the password 'password': $1$xYSMUKPJ$KKLDg6Jh6xVxlWCaJC04S0 , the salt being 'xYSMUKPJ'). So the cracker has to hash every one of their guesses with that salt, and see if it matches your hash. These salts add an additional layer of complexity, and make cracking with rainbow tables unfeasible (if the table is already 64GB, imagine having to have a version of every possible hash, with every possible salt). However due to the way hashing works, by converting any string or any length into a fixed length string, there are instances of what is called a 'collision', where another string will hash to the exact same hash value, but it is NOT the password that was used to create the original hash, however, since the server only has the hash and not the original password to compare against, it will authenticate with this invalid password, because it is only comparing the hash of what was input, to the hash of what it has in its password database. But, if your password is long enough, it would take 1000s of years, even with todays best hardware, in order to try every possible combination of password. But you have to remember, that as you spread this out over 1000s of botnet controlled computers and limit the search to password that are only lower case and contain only letters, you can search all of the possibilites alot faster. Most modern cracking programs don't just guess starting at aaaa, and going to zzzz either, they use probabilies to consider what combinations of letters are most likely to go together.
Other issues to consider:
On older Windows systems, such as windows NT and Windows 9x, passwords were stored using an algorithm called LM Hash that would split the password into 2, seperate 7 character strings, then calculate 8 byte hashes for each. This effectively makes the passwords alot easier to crack, because the maximum length of the password you are tring to guess is 7 characters, and you can crack the first and second half of the password at the same time, so you only have to attempt each combination of 7 characters once. You can disable LM Hash on a windows machine, but even once you do so, the LM Hashes are not removed until you change your password (this applies to EVERY account, so it is important to set this before you add many accounts, and to set new passwords on all existing accounts once you do set it). To disable LM Hash (note: this will break backwards compatiblity with windows 9x etc, you can download a tool from microsoft to make Windows 9x support NTLM the newer hashing algorithm, but windows 9x is no longer supported, and you should not be using it anyway.) you need to start the Local Security Policy tool (found under control panel: administrative tools, or in the run box type: secpol.msc). Find the setting 'Network Security: Do not store LAN Manager hash value on next password change' and set it to enabled, and you may also wants to set 'Network Security: LAN Manager authentication level' to 'NTLM2 only, refuse LM/NTML1'. Or you can see the Microsoft KB article.

Written by 
Near Source IT
blog comments powered by Disqus

Cuiusvis hominis est errare; nullius nisi insipientis in errore perseverare - Any man can make a mistake; only a fool keeps making the same one.

Digg Proof Hosting
The key to surviving Digg and Slashdot is Infrastructure. You can't get it from a regular web host, it requires experience. The High Load Hosting Experts at ScaleEngine can make your site thrive, and avoid having your site featured on AppFail.

Cyber Security Alerts

Page Generated in 18ms