Protecting Against Password Cracking


Protecting against password cracking is similar to detection, and it can be difficult to cover all aspects. You cannot fully stop cracking, but you can make it so difficult that it becomes impractical for the hacker to proceed down that path to gain access. The sections that follow look at some protection practices you should implement to any degree you see fit and depending on what is practical in your environment.

Password Auditing

Perform password auditing on a periodic basis for even the smallest of offices. Auditing passwords gives security personnel (administrators) the ability to extract all the usernames and passwords from the database or shadow file and test them. The test can involve something as basic as running the file through programs such as John the Ripper or L0phtcrack. Actually, L0phtcrack has a feature called password auditing to help administrators attempt to crack user passwords directly from the SAM database. If users have simple passwords, they should be educated to use longer passwords that do not contain dictionary words and to use characters that take longer to crack. For example, a simple 7-character password might take a few hours to crack, whereas a 14-character password might take a month. Auditing helps administrators flush out the possible weaknesses in passwords. All Microsoft operating systems from Windows 2000 and later come with a special setting that, when enabled, requires users to implement complex passwords. This greatly enhances security and makes password cracking more difficult.

Tip

Microsoft has implemented a password filter dynamic link library (DLL) called Passfilt.dll, which requires users to select at least three characters from the following:

  • Uppercase A through Z

  • Lowercase a through z

  • Digits 0 through 9

  • Nonalphanumeric, such as !, $, %, and &

For more detail, see the Microsoft website, at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx.


Logging Account Logins

Implement logging account logins on all systems from Windows and UNIX to your routers, firewalls, and other managed devices. If you are not logging at least failed login attempts, you might never know that Evil Jimmy the hacker is knocking at your door all day long trying to get in.

You can easily configure routers and firewalls to log error messages to a common Syslog server for easy viewing by administrators.

You can configure Windows systems to log both success and failure logon events to the Security Event Log. See Figure 9-25 for the way to set the Event Log.

Figure 9-25. Event Log Settings


One difficulty with Windows systems is that they only log Event Logs locally; therefore, in large domain environments, you might miss failed logins if you do not look at the right server. For example, in an environment that contains ten domain controllers, the authentication process might be handled by any one of the domain controllers (DCs). If authentication is taking place at DC-1, and you are looking at the Event Viewer on DC-2, you will not see the failed login attempts against DC-1; you have to look at DC-1 directly.

With this knowledge, you might see yourself or administrators manually opening several Event Logs from all the different DCs and client desktops. This is quite painful really, particularly if you have more than 1000 computers in your network. Happily, you can use some third-party tools to consolidate Event Logs to a single location or even send them to a standard Syslog server. Alternatively, you might want to use the new Microsoft product Microsoft Operations Manager (MOM) or the older Microsoft EventComb tool, which searches through the Event Logs of different servers for you. Whatever you use, make sure it is collecting all the logs from every server so that you do not miss Evil Jimmy cracking passwords on the server right next to you. Figure 9-25 displays the Windows 2003 domain Group Policy audit settings that you can enable so that the corresponding events are logged to the Security Event Log.
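As an added example (not code from the book), the following Python consolidates failed-logon records from several DCs and counts them per account, so that a spread of attempts that no single DC's log would flag becomes visible. The record format and sample lines are constructed for this example; event ID 529 is the Windows 2000/2003 logon-failure event and 528 a successful logon.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs): failed and successful logons
# exported from the Security Event Logs of three domain controllers.
# Field order is assumed: dc, timestamp, event id, account. Event ID 529
# is the Windows 2000/2003 "Logon Failure: unknown user name or bad
# password" event; 528 is a successful logon.
SAMPLE_EVENTS = """\
DC-1 2005-03-01T09:00:01 529 jsmith
DC-2 2005-03-01T09:00:03 529 jsmith
DC-3 2005-03-01T09:00:04 529 jsmith
DC-2 2005-03-01T09:00:06 529 jsmith
DC-1 2005-03-01T09:00:07 529 jsmith
DC-3 2005-03-01T09:00:09 529 jsmith
DC-1 2005-03-01T09:10:00 529 mjones
DC-2 2005-03-01T09:11:00 528 mjones
"""

LINE_RE = re.compile(r"^(?P<dc>\S+) (?P<ts>\S+) (?P<eid>\d+) (?P<acct>\S+)$")

def parse_events(text):
    """Parse consolidated records into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def failures_by_account(events, failure_id="529"):
    """Count failed logons per account, broken down by the DC that recorded them."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["eid"] == failure_id:
            counts[ev["acct"]][ev["dc"]] += 1
    return counts

def accounts_over_threshold(events, threshold=5):
    """Accounts whose failures summed across ALL DCs reach the threshold
    (default: the chapter's lockout threshold of five), even when no
    single DC's log shows that many on its own."""
    flagged = {}
    for acct, per_dc in failures_by_account(events).items():
        total = sum(per_dc.values())
        if total >= threshold:
            flagged[acct] = {"total": total, "per_dc": dict(per_dc)}
    return flagged
```

In the sample, jsmith shows only two failures on each DC, so an administrator reading DC-2's Event Viewer alone sees nothing alarming; only the consolidated count of six crosses the threshold.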

Note

For more information about MOM, see http://www.microsoft.com/mom.


Account Locking

User account locking can be a good way to protect against password cracking. Locking an account after five failed attempts slows a hacker's password guessing to such a crawl that he might just give up after a few hours. For example, before account locking is enabled, Evil Jimmy could send 1000 attempts in 1 minute. With account locking enabled and a reset timer of 30 minutes, however, it would take him 125 hours to test 1000 passwords. Be aware that the hacker can turn this against you and start locking out accounts to cause a denial of service (DoS), or move on to a different type of attack, such as sniffing passwords off the cable to brute force them later from home, or perhaps social engineering methods. (See the "L0phtcrack" section.) Figure 9-26 displays the account lockout policies in a Windows 2003 Domain Group Policy.

Figure 9-26. Account Policies


Password Settings

Working hand in hand with account locking are password length, history, and password expiration. The longer and more complex you can make passwords, the better off you will be in helping thwart password guessing attacks with or without account locking enabled. Microsoft has several options that are normally turned off in a default installation that allow users to have zero-length passwords and never prompt for a password to be changed. Consider a few of the settings:

  • Password length

  • Password expiration

  • Password history

Figure 9-27 displays the password settings on a Microsoft 2003 server.

Figure 9-27. Password Settings


Password Length

Just about every security book that exists tells you to use long passwords, and this one is no different. Short passwords are easy to crack. According to AusCERT, 7-character passwords take two and a half hours to crack, whereas 8-character passwords take up to one week. These figures are generic and not operating system-specific, but they do give a feel for how much better off you are with just a couple of extra characters in a password. For more details, see http://national.auscert.org.au/render.html?it=2260&cid=2997.

In a Microsoft environment, the recommendation is as follows:

  • Turn off LAN Manager password storage.

  • Use at least 8-character passwords.

For more details on Microsoft recommendations, see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx.

Password Expiration

Password expiration allows administrators to force users to change their passwords. Every administrator has his own idea of what this setting should be. In lax environments, 45 days might be the norm; in secure environments, you might see 14 days or even less. However, the shorter you make the expiration, the more often users will need to change and remember their new passwords. Watch out for the use of yellow post-it notes floating around the office with password reminders on them. Also watch out if the setting is so short that users start using the same password over and over again, or if they start using a common password with a simple incrementing technique. For example, here is a poor technique we came across in several password audits:

January week one password: dan-0101

January week two's password: dan-0102

March week one password: dan-0301

Guessing that the second week password for April would be "dan-0402" did not disappoint. Changing passwords is great, but just make sure you tell users not to use common incrementing techniques on new passwords. It only takes two yellow post-it notes for a clever hacker to figure out the pattern.

Password History

Password history recording in operating systems such as Windows allows you to prevent a user's new password from being the same as a previously used password. For example, if your password was 123 and it expired and needed changing, you could theoretically use the same password again. If the password history is set to 5, though, you would not be able to use the same password until you had changed your password 5 different times. This greatly assists in strengthening password uniqueness.
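As an added example (not from the book), the following Python puts the three checks this chapter describes into one audit routine: the Passfilt.dll rule of at least three of the four character classes, the incrementing-suffix pattern found in the audits (dan-0101, dan-0102, dan-0301), and reuse within the last five passwords. The 8-character minimum is the chapter's own recommendation; the function names are assumptions for this example.

```python
import re

def passfilt_classes(password):
    """Return the set of Passfilt character classes present in the password."""
    classes = set()
    if re.search(r"[A-Z]", password):
        classes.add("upper")
    if re.search(r"[a-z]", password):
        classes.add("lower")
    if re.search(r"[0-9]", password):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", password):
        classes.add("symbol")
    return classes

def meets_complexity(password, min_length=8):
    """Passfilt-style rule: at least three of the four classes, plus the
    chapter's recommended minimum of 8 characters."""
    return len(password) >= min_length and len(passfilt_classes(password)) >= 3

# A fixed stem followed by a run of digits, e.g. "dan-" + "0101".
INCREMENT_RE = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")

def looks_incremented(new_password, history):
    """True when new_password is an earlier password with only its trailing
    digits changed (dan-0101 -> dan-0102), the pattern the audits found."""
    m_new = INCREMENT_RE.match(new_password)
    if not m_new:
        return False
    for old in history:
        m_old = INCREMENT_RE.match(old)
        if (m_old and old != new_password
                and m_old["stem"] == m_new["stem"]
                and len(m_old["num"]) == len(m_new["num"])):
            return True
    return False

def audit_password(new_password, history=(), history_depth=5):
    """Collect the findings an administrator would report for one change."""
    findings = []
    if not meets_complexity(new_password):
        findings.append("fails complexity (needs 3 of 4 classes, 8+ chars)")
    if new_password in list(history)[-history_depth:]:
        findings.append(f"reused within last {history_depth} passwords")
    if looks_incremented(new_password, history):
        findings.append("incrementing variant of a previous password")
    return findings
```

Note that dan-0402 passes the complexity rule (lowercase, digits, and a symbol make three classes at 8 characters), so only the history-aware check catches the pattern the audits exposed.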

Physical Protection

Physical protection of your servers and client computers can never be emphasized enough. Several of the tools mentioned in this chapter require a copy of the actual SAM database, shadow file, or even just an extract of those files. After this is obtained, offline brute forcing can take place. Utilities such as pwdump3 can extract the SAM file from across the network or from the local computer as long as you have administrator privileges. However, if a hacker does not have this access and network password guessing will take too long, he will find a physical computer and extract the usernames and passwords from that file. Consider an even bigger, scarier example: How about taking the entire computer? The following steps show how this is done:

Step 1.

Gather two tools:

- One external USB hard drive.

- One bootable floppy disk or CD with cloning software on it. This software images an entire computer. (Ghost or Drive Image work well.)

Step 2.

Get physical access to a server or client computer.

Step 3.

Reboot the computer.

Step 4.

Boot from the cloning software boot disk.

Step 5.

Clone the computer to the external USB hard drive. This takes about 3 to 10 minutes depending on disk size and USB speed supported.

Step 6.

Remove the external USB drive and imaging boot disk.

Step 7.

Head for home and restore the image onto a large drive.

Step 8.

Attach the drive to a computer and navigate to any files you want. The rest is just a matter of time to brute force the SAM file or shadow file.

The preceding scenario demonstrates how, in a matter of a few minutes, a hacker who has physical access can copy an entire computer for offline analysis and password cracking. This form of physical attack can be carried out against any laptop, desktop, or even server that allows booting from a floppy, CD, or USB drive. Protection against such attacks is quite simple really. Just keep servers in a secure place where only authorized personnel have access to them. Laptops and client desktop computers should have BIOS passwords set on them to prevent hackers from easily booting from a floppy, CD, or USB drive. Some sites might even remove the CD and floppy drives entirely to hinder an attacker. However, understand that on his second trip the hacker might just bring his own floppy drive and attach it, although this requires more time and effort. (USB floppy drives work perfectly if this is the case.)

Note

Windows Syskey: Windows has implemented a utility called Syskey that encrypts the SAM database while the system is turned off. If a hacker obtains a copy of the SAM file, he has to break the Syskey before brute forcing user passwords. Most installations store the Syskey key in the SYSTEM registry hive; by having access to the entire disk, hackers are not slowed down that much.


A related physical access consideration is the network itself. If hackers can gain network access either via cables or wireless, they could perhaps just use LAN Manager password network sniffers or utilities such as Kerbcrack to collect encrypted passwords right off the network. To assist in protecting against such attacks, you should put managed switches into place. Switches slow down hackers by requiring them to perform man-in-the-middle (MITM) attacks and Address Resolution Protocol (ARP) spoofing to collect passwords. However, an even better precaution is to implement port security or MAC filtering on the managed switch to prevent unknown MAC addresses from accessing the network. These methods do not stop the pro hacker forever because MAC addresses can be changed easily; however, they will slow him down.

Employee Education and Policy

Education entails informing employees about the dangers of password cracking and how easy it is to do. Implementing password recommendations and reset procedures helps to defend against crackers and even social engineering attacks.

Social engineering attacks are difficult to defend against, especially against systems where users are not educated in the potential risks associated with insecure passwords. In any size company, it is crucial to educate your employees about the importance of using unique passwords, never writing them down, and never revealing passwords or even usernames.

In normal offices, most employees give security little consideration on a daily basis unless they are involved in system administration. Users of the network should be educated and well-informed about security issues and maintaining all elements of security. Offices, both large and small, should implement security awareness programs and events to better educate people on the dangers of all things pertaining to security. Topics to cover here to directly assist you in protecting against possible password cracking include the following:

  • Explanation of why

    - Security officers are so concerned about passwords

    - Screen saver passwords are important

    - Long passwords should be used

    - BIOS passwords are employed

  • Users should be told to avoid the following:

    - Using the same password for everything

    - Employing any form of incrementing password

    - Writing passwords down

    - Using the same password at home and on your work computers

    - Installing unauthorized software

    - Disclosing your password to anyone

    - Responding to phone calls asking about user accounts and password questions

Employee education helps to thwart possible social engineering attacks and helps users understand why rules are in place. When users understand why things are done a certain way, such as why it is important to use long, complex passwords, they have less objection to conforming to the policies.

Tip

The Computer Security Division (CSD) provides an example "Sample Generic Policy and High Level Procedures for Passwords and Access Forms" of how to construct your own policy. See http://csrc.ncsl.nist.gov/fasp/FASPDocs/id-authentication/password.doc.

The Microsoft site actually contains several great documents and references on what makes a good password. When you are developing your own password policy and recommendations for password security, look at "Selecting Secure Passwords" at http://www.microsoft.com/canada/smallbiz/french/sgc/articles/select_sec_passwords.mspx.




Penetration Testing and Network Defense
ISBN: 1587052083
Year: 2005
Pages: 209