Are Passwords Dead? (Part 2)

November 5, 2006 | By Bob Bowman In Security |
advertisement

Continue from Are Passwords Dead? Part 1.

Distributed hash cracking
Over the years, password policies have become more sophisticated. Users may be forced to have passwords of at least eight characters, use non-alphanumeric characters, and use a password that is not a derivation of an English word. For example, the password b0b5d0g! is not a good password because numbers are used in a common substitution for letters (“5” for an “s”) and it’s simply followed by an exclamation point.

These password policy restrictions are due in part to the fact that password cracking has become so much more advanced. Tools such as L0phtcrack and John the Ripper do more than guess simple passwords. They are able to do many types of substitutions of letters and permutations of dictionary words to guess more complicated passwords. Obviously, the more substitutions and permutations the tools perform, the more passwords they may have to guess before finding the right one and the longer the process takes.

Many modern password cracking tools can now be run in a distributed fashion. Rather than have one machine guess passwords for 10 days, 100 machines can be configured to guess the same number of passwords in 2.4 hours. For perspective, a 2GHz Intel machine may be able to guess about 5,000 password values in a second. 100 machines will do half a million. Even complex passwords will fall relatively quickly when an attacker is trying 42 billion passwords a day.

Rainbow tables
For some password systems, there is another concern beyond distributed hash cracking. We have now reached a point where it is feasible to pre-compute a massive part of the password search space and store the data for near-instant lookups later. This is called a time/space trade-off because rather than spinning CPU cycles each time you want to crack a password, you can store a large number of pre-computed hashes on a hard drive and look up the hashes when you need them. These pre-computed hash databases are often called rainbow tables.

Windows LanMan passwords are particularly vulnerable to rainbow table attacks. LanMan passwords are case insensitive and break up the password into two 7 character chunks. These two characteristics make the search space for LanMan hashes relatively small. A rainbow table with all possible alphanumeric passwords with many of the standard special characters people use only takes up about 64 GB. These rainbow tables are available on the Internet for download or for sale by various security researchers if you are not able to download that much data.

While the new LanManv2 mechanism allows for upper and lower case characters, there are still times when LanManv1 hashes are used (such as when accessing network shares). So even in v2 environments, a v1 rainbow table is still of great value. There are other environments for which rainbow tables work as well, including the passwords used to encrypt Word documents and other 40-bit based authentication methods.

For MD5 and SHA-1 based systems, rainbow tables aren’t yet practical. But given several years of continued increased hard drive space and decreased hard drive price, these mechanisms may start to feel pressure from pre-computed hash databases as well.

Phishing and theft
One final note on risks to passwords: phishing attacks, spyware, and general password theft pose real problems to the end user. An attacker doesn’t even have to go through the hassle of guessing a password or generating a huge list of hash values if the user willingly gives up their password.

Phishing attacks and the like are particularly dangerous because the user and administrator may not even realize the password has been compromised until it is too late. And once an account has been compromised, it’s very difficult to recover from. Changing the password is only the start of getting things back to normal.

Is it the end?
So ultimately, is it the end of passwords as we know it? The short answer is “no.” While passwords are becoming increasingly insecure, the alternatives are not attractive. In general, proving who you are boils down to one- or multi-factor authentication; something you know, something you are, or something you have.

The something you know is passwords, a concept the public at large is generally accepting of and requires nothing special to maintain. Something you have, such as a smart card or other cryptographic token, requires distribution of hardware and someone to maintain, revoke, and upgrade the hardware required to make things work. This is untenable in most situations, including PKI which is a difficult undertaking at best. And the something you are boils down to biometrics. Biometrics have similar integration issues to PKI systems and tend to get privacy advocates up in arms.

So while passwords may not be perfect, they are still leaps and bounds more realistic than the alternatives. The best thing to do is to hold your passwords close, use good passwords, and hope for the best. It’s an arms race with the attackers which enterprises and software designers will be involved in for years to come.

About the author
Bruce Potter is currently a senior security consultant at Booz Allen Hamilton.

If you like this post, please share with others. Thanks
  • del.icio.us
  • Reddit
  • Technorati
  • Digg
  • Furl
  • Scoopeo
  • Simpy
  • StumbleUpon
  • YahooMyWeb
  • BlogMemes
  • Facebook
  • Gwar

Other Related Posts:

Are Passwords Dead? (Part 1)
Keep Your Passwords Safe on Public Wireless Networks
Netgear RangeMax WPN824
Wireless Networks and Printers Way to Go
Wi-Fi Protected Access

advertisement

No Comments

Leave a reply