KoreLogic Blog
CISO's Corner: Password Cracking Best Practices and Myths 2014-10-02 16:00

Despite repeated breaches of password repositories, most recently the rumored cause of the Apple iCloud celebrity image theft, password-based authentication remains the norm for most users even though solutions like multi-factor authentication offer superior protection. Not only are user accounts at risk, but more importantly, so are their data. More often than not, default passwords have been the root cause of multiple high-profile system and company compromises. As with any recurring, successful attack, the bar must be raised to prevent the inevitable question from management: "This attack is well known, so why didn't we prevent it?"

One of the ways KoreLogic is studying this problem space is through its Crack Me If You Can (CMIYC) contest, which has been held annually at DEFCON for the last five years. The goal of the contest is to help push the envelope of password cracking techniques with an eye towards improving passwords and password use. Once again, this year's contest proved popular and yielded more insights into password strengths and weaknesses. It also revealed what the password cracking experts are able to crack in a short period of time (48 hours). According to Rick Redman (the creator of CMIYC and KoreLogic's password recovery team leader):
  • There is no single "best" password cracking method or system. New methods continue to evolve in response to counter-measures. For example, the use of graphics processing units (GPUs) to speed up cracking is being countered by the rise of hash functions that have higher work factors or are not easily parallelized (e.g., bcrypt). In any case, password cracking methods and systems will continue to improve as long as the return on investment for adversaries is there.
  • Even with password complexity requirements, users are still creating predictable and easy-to-crack passwords.
  • The standard password complexity rules of requiring 8+ characters with at least 1 digit and/or special character do not adequately protect enterprise environments, and our experience suggests that they certainly don't force users to create strong passwords.
  • Users will continue to use predictable passwords (and password patterns) if not trained in proper techniques and audited regularly.
We understand the trade-offs between help desk overhead increasing (e.g., increased calls for password resets) and enforcing more complex passwords, but when these trade-offs are compared to the potential for corporate loss (e.g., either by reputation, revenue, or both), it's becoming increasingly difficult to argue for maintaining the status quo.

CISO Takeaways

  1. There is certainly a tipping point between strong passwords and usability. Train end-users on ways to produce harder-to-guess passwords (i.e., those that are less likely to be in an attacker's cracking dictionaries). Bruce Schneier's advice from 2008, "take a sentence and turn it into a password", remains viable. Thus, something like "I love the 4th of July, don't you?" might become "i1T4oJ,dY?".
  2. Consider password cracking expertise as a factor in selecting your penetration testing firms or supplementing your internal audit functions. This expertise will help simulate what your adversaries use and will more accurately gauge your susceptibility to and impact from password brute-force attacks.
  3. Consider addressing the following security best practice questions for your security team:

     Question: What is the basis for our password strength policy (e.g., minimum of 8 characters with at least 1 upper, 1 lower, 1 digit, and 1 special)?
     Analysis: Benchmark your organizational password complexity requirements against fact-based password cracking research and methods. Be wary of blindly adopting the re-circulated and inaccurate advice that is so commonplace in IT security literature. Our real-world and research experience indicates such advice is often wrong.

     Question: Do we require all administrators to use multi-factor authentication (MFA) and/or privileged identity management?
     Analysis: Just as adversaries do, KoreLogic typically targets administrators during contracted penetration tests. And when we capture their credentials, the house tends to crumble. While MFA is not infallible, it certainly raises the bar and increases the odds that nefarious activities will be detected.

     Question: Do we have a means of examining the most common password topologies (i.e., patterns) used within our environment to gauge our risk?
     Analysis: Unfortunately, users gravitate towards predictable and simplistic ways of satisfying organizational password strength requirements. Attackers are keenly aware of this fact, and they are constantly searching for new user behaviors. Consequently, they can crack a highly disproportionate percentage of enterprise passwords with little or no effort. For example, the top 5 most popular patterns crack 15-25% of all passwords, despite being less than 0.008% of the possible keyspace. To research this risk, KoreLogic's Hank Leininger initiated the PathWell project for DARPA's Cyber Fast Track program. PathWell identifies and blocks common passwords based upon common password topologies and learned user behavior.

     Question: What tools do we use for password cracking and strength checking? How much of an effort do we make to customize/optimize these tools to "fit" our environment?
     Analysis: Most tools used by auditors and incident response teams are not configured properly to take advantage of the wordlists, rules, and patterns used by individuals in enterprise environments. KoreLogic has published a wealth of wordlists and rules as part of CMIYC. KoreLogic also runs a password recovery service designed to help its clients audit their passwords.

     Question: Are the passwords of default accounts changed, and do we audit our systems to ensure that this is the case?
     Analysis: Default accounts, passwords, and community strings remain a recurring problem. An administrator can do everything right to secure their systems, but one missed default account could allow an attacker to gain access. Automated vulnerability scanners often miss default credentials due to the complexity of networks and system configurations. Organizations should employ a mix of automated and manual techniques to identify and remove default credentials from their environments.

     Question: Do we have users or system accounts that share the same passwords?
     Analysis: Password reuse/sharing is a very common occurrence among users and system accounts. The only way to confirm if you have this vulnerability is to actually audit the passwords. This helps identify which accounts are using shared, common, and/or non-unique passwords.
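To make the topology question above concrete, here is an added example (not KoreLogic's PathWell code) that maps passwords to their topology, reports the most common ones in a set recovered during an audit, and shows how small a slice of the full keyspace those topologies occupy. The sample passwords and the four-class model (u/l/d/s over 94 printable characters) are constructed assumptions of this example.

```python
"""Password topology audit: an added example, not KoreLogic's PathWell code.
Each password maps to a topology (u=upper, l=lower, d=digit, s=other); the
audit reports the most common topologies in a set and how little of the full
keyspace they occupy."""
from collections import Counter
import string

# Class sizes for the keyspace estimate; anything that is not a letter or
# digit is counted as "special" (s), an assumption of this example.
CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": len(string.punctuation)}
ALPHABET = sum(CLASS_SIZE.values())  # 94 printable ASCII characters

def topology(password: str) -> str:
    """Return the mask for a password, e.g. 'Passwo12' -> 'ullllldd'."""
    mask = []
    for ch in password:
        if ch.isupper():
            mask.append("u")
        elif ch.islower():
            mask.append("l")
        elif ch.isdigit():
            mask.append("d")
        else:
            mask.append("s")
    return "".join(mask)

def mask_keyspace(mask: str) -> int:
    """Number of distinct strings that match the mask exactly."""
    size = 1
    for cls in mask:
        size *= CLASS_SIZE[cls]
    return size

def audit(passwords, top=5):
    """Top-N topologies as (mask, share of passwords, share of keyspace),
    where keyspace means all strings of that length over the 94 characters."""
    counts = Counter(topology(p) for p in passwords)
    return [(mask, n / len(passwords), mask_keyspace(mask) / ALPHABET ** len(mask))
            for mask, n in counts.most_common(top)]

# Constructed sample: passwords that satisfy a typical "8+ characters, upper,
# lower, digit, special" rule in the predictable way users tend to.
SAMPLE = ["Summer2014!", "Denver2014!", "Winter2014!", "Autumn14!", "Monkey12!",
          "Dragon99!", "Welcome1!", "Password1!", "i1T4oJ,dY?", "x9#Qv!2mLp"]

if __name__ == "__main__":
    for mask, pw_share, ks_share in audit(SAMPLE):
        print(f"{mask:12} {pw_share:4.0%} of passwords, {ks_share:.1e} of keyspace")
```

Running it on the sample shows two topologies covering 60% of the passwords while each matches well under a millionth of the keyspace of its length, which is the disproportion the analysis above describes.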

Posted by Bob at 16:00

Jim Weiler wrote at 2014-10-09 17:04:

I saw Rick's talk at OWASP AppSec USA 2014 in Denver in September 2014, which is how I found you folks. Even with listening to that talk I can't understand the contest results. Is there some paper or url where you give practical contest result interpretation like 'a user chosen password (not a Schneier passphrase) of x characters plus a computer chosen random salt of y characters hashed with w hash function would take the winning team z minutes, hours, days, etc. to crack'?

Hank wrote at 2014-10-17 12:52:

That question deserves a longer answer than we're able to give right now - gearing up to give a completely different talk at BSidesDC this weekend. Maybe it should be its own new blog post soon.
