Network Security Security-Basics

Re: RE: ADS Password Storage Protection

Subject: Re: RE: ADS Password Storage Protection
Date: 19 Jul 2006 17:15:24 -0000
With all due respect to all,

We've wandered way off the topic.  The discussion was on "Active Directory 
Services (ADS) Storage Protection" methodologies.  Mathematics proves what 
password types are entropically stronger, and proactive password auditing 
proves what passwords are practically stronger.  The debate here is not length 
vs. complexity in passwords but the susceptibility of password storage systems 
to attack.

Password length and complexity remain a very valid discussion.  Password 
recovery plays an especially important part in obtaining access to systems not 
connected to the originally compromised system.  For example, if I use the same 
password for my banking as I use for my computer at home, someone that cracked 
my home computer password now has credentials for my bank web-account.

The important fact here is that regardless of my attempts to strengthen my 
password, someone that has the ability to crack my password on my home computer 
has the ability to "recover" my password no matter how strong it is through 
means other than cracking.  Access to my system to recover the password hashes 
means that an intruder has the same level of access required to install root 
kits and key-loggers.

In keeping with the discussion topic: if I obtained the password hashes using 
PWDUMP or other extraction tool, I have all I need to be able to authenticate 
as any user, including Administrator, using one of the modified open-source SMB 
clients.  Upon accessing the system as Administrator (SID 500 - to prevent 
trolls from starting arguments about renaming accounts), I obtain access to all 
connected ADS systems (including the workstations).  From this launchpad I can 
install root-kits and key loggers on distributed client systems using ADS 
group-policy and pushing MSI packages.  And finally, I just wait for you to 
type your 200+ character pass-phrases.

Upon looking at the anatomy of an attack, the threat comes not from the ability 
to crack a "strong password" (however you define strong=long, etc).  Instead 
the origin of the attack comes from obtaining access to the password hash 
database.  

What I propose is that discussions on password length vs strength are purely 
academic rather than practical to system security.  Creating super-long 
passwords (more than 8 characters or so) provides a theoretical 
increase in protection to systems but not a practical one.  Credential passing 
algorithms, such as Kerberos, should use strong pre-shared or one-time keys for 
transmitting the passwords so they can't be sniffed.

So my question to you is, do you REALLY think your passwords are secure?

Sincerely,

Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security
