Despite repeated breaches of password repositories, most recently the
rumored cause of the Apple iCloud celebrity image theft, password-based
authentication remains the norm for most users even though solutions like
multi-factor authentication offer superior protection. Not only are user
accounts at risk, but more importantly, so are their data. Default
passwords in particular have been the root cause of several high-profile
system and company compromises. As with any recurring, successful attack,
the bar must be raised to prevent the inevitable question from management:
"This attack is well known, so why didn't we prevent it?"
One of the ways KoreLogic is studying this problem space is through its
Crack Me If You Can (CMIYC) contest, which has been held annually at
DEFCON for the last five years. The goal of the contest is to help
push the envelope of password cracking techniques with an eye towards
improving passwords and password use. Once again, this year's contest
proved popular and yielded more insights into password strengths and
weaknesses. It also revealed what the password cracking experts are able
to crack in a short period of time (48 hours). According to Rick Redman
(the creator of CMIYC and KoreLogic's password recovery team leader):
We understand the trade-offs between help desk overhead increasing
(e.g., increased calls for password resets) and enforcing more complex
passwords, but when these trade-offs are compared to the potential
for corporate loss (e.g., either by reputation, revenue, or both),
it's becoming increasingly difficult to argue for maintaining the
- There is no single "best" password cracking method or system. New
methods continue to evolve in response to counter-measures. For example,
the use of graphics processing units (GPUs) to speed up cracking is
being countered by the rise of hash functions that have higher work
factors or are not easily parallelized (e.g., bcrypt). In any case,
password cracking methods and systems will continue to improve as long
as the return on investment for adversaries is there.
- Even with password complexity requirements, users are still
creating predictable and easy-to-crack passwords.
- The standard password complexity rules of requiring 8+ characters
with at least 1 digit and/or special character do not adequately protect
enterprise environments, and our experience suggests that they certainly
don't force users to create strong passwords.
- Users will continue to use predictable passwords (and password
patterns) if not trained in proper techniques and audited regularly.
- There is certainly a tipping point between strong
passwords and usability. Train end-users on ways to produce
harder-to-guess passwords (i.e., those that are less likely
to be in an attacker's cracking dictionaries). Bruce Schneier's advice
from 2008, "take a sentence and turn it into a password", remains
viable. Thus, something like "I love the 4th of July, don't you?" might become
- Consider password cracking expertise as a factor in selecting
your penetration testing firms or supplementing your internal audit
functions. This expertise will help simulate what your adversaries
use and will more accurately gauge your susceptibility to and impact
from password brute-force attacks.
- Consider addressing the following security best practice questions
for your security team:
What is the basis for our password strength policy (e.g., minimum
of 8 characters with at least 1 upper, 1 lower, 1 digit, and 1 special)?
Benchmark your organizational password complexity requirements
against fact-based password cracking research and methods. Be wary
of blindly adopting the re-circulated and inaccurate advice that is so
commonplace in security IT literature. Our real-world and research
experience indicates such advice is often wrong.
Do we require all administrators to use multi-factor authentication
(MFA) and/or privileged identity management?
Just as adversaries do, KoreLogic typically targets administrators during
contracted penetration tests. And when we capture their credentials, the
house tends to crumble. While MFA is not infallible, it certainly raises the
bar and increases the odds that nefarious activities will be detected.
Do we have a means of examining the most common password topologies
(i.e., patterns) used within our environment to gauge our risk?
Unfortunately, users gravitate towards predictable and simplistic ways
of satisfying organizational password strength requirements. Attackers
are keenly aware of this fact, and they are constantly searching for new
user behaviors. Consequently, they can crack a highly disproportionate
percentage of enterprise passwords with little or no effort. For example,
the top 5 most popular patterns crack 15-25% of all passwords, despite
being less than 0.008% of the possible keyspace. To research this risk,
KoreLogic's Hank Leininger initiated the PathWell project for DARPA's
Cyber Fast Track program. PathWell identifies and blocks common passwords
based upon common password topologies and learned user behavior.
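The following script is an added example of the kind of topology audit this question asks for; it is not PathWell or any other KoreLogic code. It maps each plaintext to a hashcat-style mask (?u, ?l, ?d, ?s), counts the most common masks, reports how many passwords they cover, what fraction of the same-length printable-ASCII keyspace they occupy, and how many of the inputs satisfy the usual "8+ characters, 1 upper, 1 lower, 1 digit, 1 special" rule. The password list is constructed for illustration; a real audit would feed it the output of a cracking run or a policy-test harvest.

```python
"""Password topology audit (added example, not KoreLogic's PathWell code).

A topology (hashcat "mask") replaces each character with its class:
?u upper, ?l lower, ?d digit, ?s anything else. Counting masks over a set
of plaintexts shows how concentrated user behaviour is and how little of
the theoretical keyspace the popular masks actually occupy.
"""
from collections import Counter
import string

# Class sizes for the printable-ASCII alphabet (26 + 26 + 10 + 32 = 94).
# hashcat's ?s also includes the space character; we use the 32 punctuation marks.
CLASS_SIZE = {"u": 26, "l": 26, "d": 10, "s": len(string.punctuation)}
ALPHABET = sum(CLASS_SIZE.values())  # 94

# Constructed sample; every entry but the last satisfies the common policy.
SAMPLE_PASSWORDS = [
    "Password1!", "Football1!", "Baseball1!",
    "Welcome1!", "Trustno1!", "Letmein1!",
    "Summer2014!", "Winter2014!",
    "Monkey99!", "Dragon22!",
    "P@ssw0rd",
    "Qwerty123",
]


def topology(password):
    """Map a password to its mask, e.g. 'Summer2014!' -> '?u?l?l?l?l?l?d?d?d?d?s'."""
    classes = []
    for ch in password:
        if ch.isupper():
            cls = "u"
        elif ch.islower():
            cls = "l"
        elif ch.isdigit():
            cls = "d"
        else:
            cls = "s"
        classes.append("?" + cls)
    return "".join(classes)


def mask_length(mask):
    return len(mask) // 2


def mask_keyspace(mask):
    """Number of candidates the mask expands to (product of its class sizes)."""
    size = 1
    for cls in mask[1::2]:  # the letter after each '?'
        size *= CLASS_SIZE[cls]
    return size


def meets_complexity_rule(password, min_len=8):
    """Conventional '8+ chars, 1 upper, 1 lower, 1 digit, 1 special' policy."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def audit(passwords, top_n=5):
    """Summarise the top_n masks: counts, share of passwords, share of keyspace."""
    counts = Counter(topology(p) for p in passwords)
    top = counts.most_common(top_n)
    covered = sum(n for _, n in top)
    # Keyspace baseline: every printable-ASCII string whose length falls in the
    # range spanned by the top masks, so the fraction is comparable across lengths.
    lengths = [mask_length(m) for m, _ in top]
    baseline = sum(ALPHABET ** L for L in range(min(lengths), max(lengths) + 1))
    return {
        "total": len(passwords),
        "policy_compliant": sum(meets_complexity_rule(p) for p in passwords),
        "top": [(m, n, n / len(passwords)) for m, n in top],
        "top_coverage": covered / len(passwords),
        "top_keyspace_fraction": sum(mask_keyspace(m) for m, _ in top) / baseline,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PASSWORDS, top_n=3)
    print(f"{report['policy_compliant']}/{report['total']} passwords satisfy the policy")
    for mask, n, share in report["top"]:
        print(f"{mask:28s} {n:3d} ({share:6.1%})  keyspace {mask_keyspace(mask):,}")
    print(f"top masks cover {report['top_coverage']:.1%} of passwords "
          f"but {report['top_keyspace_fraction']:.2e} of the keyspace")
```

On the constructed sample, eleven of twelve passwords satisfy the policy, yet three masks account for two thirds of them and those masks are a vanishingly small fraction of the keyspace, which is exactly the gap an attacker's mask attack exploits. In an enterprise, run the same count over cracked hashes from a sanctioned audit and treat any mask that covers more than a few percent of accounts as a target for both user training and a topology-blocking rule.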
What tools do we use for password cracking and strength checking? How
much of an effort do we make to customize/optimize these tools to "fit"
Most tools used by auditors and incident response teams are not configured
properly to take advantage of the wordlists, rules, and patterns used
by individuals in enterprise environments. KoreLogic has published a wealth
and rules as
part of CMIYC. KoreLogic also runs a password recovery service designed
to help its clients audit their passwords.
Are the passwords of default accounts changed, and do we audit our
systems to ensure that this is the case?
Default accounts, passwords, and community strings remain a recurring
problem. An administrator can do everything right to secure their
systems, but one missed default account could allow an attacker to gain
access. Automated vulnerability scanners often miss default credentials
due to the complexity of networks and system configurations. Organizations
should employ a mix of automated and manual techniques to identify and
remove default credentials from their environments.
Do we have users or system accounts that share the same passwords?
Password reuse/sharing is a very common occurrence among users
and system accounts. The only way to confirm if you have this
vulnerability is to actually audit the passwords. This helps identify
which accounts are using shared, common, and/or non-unique passwords.
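As an added example of such an audit (not KoreLogic's tooling), the script below groups accounts in a pwdump-style Windows dump by NT hash. Because the NT hash is unsalted MD4 of the UTF-16LE password, identical hashes prove identical passwords without cracking anything; it also flags the well-known empty-password NT hash, accounts that still store an LM hash, and any sharing group that includes the built-in Administrator (RID 500). The dump text is constructed and its NT hash values are synthetic placeholders, not real hashes. Salted schemes such as sha512crypt or bcrypt give each account a distinct hash for the same password, so reuse there only shows up after cracking.

```python
"""Shared-password audit over a Windows credential dump (added example).

Input format is pwdump-style lines: user:RID:LMhash:NThash:::
"""
from collections import defaultdict

EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM storage is off
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
BUILTIN_ADMIN_RID = 500

# Constructed dump; the NT hash values are synthetic placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1111aaaa2222bbbb3333cccc4444dddd:::
svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:1111aaaa2222bbbb3333cccc4444dddd:::
jsmith:1201:aad3b435b51404eeaad3b435b51404ee:5555eeee6666ffff7777aaaa8888bbbb:::
svc_sql:1106:aad3b435b51404eeaad3b435b51404ee:1111aaaa2222bbbb3333cccc4444dddd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
mjones:1202:0123456789abcdef0123456789abcdef:5555eeee6666ffff7777aaaa8888bbbb:::
# comment lines and anything not in pwdump format are ignored
this line is not a credential record
"""


def parse_pwdump(text):
    """Parse pwdump lines into records; skip comments and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        records.append({"user": fields[0], "rid": int(fields[1]),
                        "lm": fields[2].lower(), "nt": fields[3].lower()})
    return records


def find_shared_hashes(records):
    """NT hash -> users, for every hash held by more than one account."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["nt"]].append(r["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def find_empty_passwords(records):
    return [r["user"] for r in records if r["nt"] == EMPTY_NT_HASH]


def find_lm_hashes(records):
    """Accounts still storing an LM hash, which is crackable regardless of policy."""
    return [r["user"] for r in records if r["lm"] != EMPTY_LM_HASH]


def audit_dump(text):
    records = parse_pwdump(text)
    shared = find_shared_hashes(records)
    admin_users = {r["user"] for r in records if r["rid"] == BUILTIN_ADMIN_RID}
    # Groups where a privileged account shares its password with others are the
    # ones that let a single captured credential take the whole environment.
    admin_shared = {h: users for h, users in shared.items() if admin_users & set(users)}
    return {
        "accounts": len(records),
        "shared_groups": shared,
        "admin_shared_groups": admin_shared,
        "empty_passwords": find_empty_passwords(records),
        "lm_hashes_present": find_lm_hashes(records),
    }


if __name__ == "__main__":
    result = audit_dump(SAMPLE_DUMP)
    print(f"{result['accounts']} accounts parsed")
    for h, users in result["shared_groups"].items():
        flag = "  <-- includes built-in Administrator" if h in result["admin_shared_groups"] else ""
        print(f"shared NT hash {h}: {', '.join(users)}{flag}")
    print("empty passwords:", result["empty_passwords"])
    print("LM hashes present:", result["lm_hashes_present"])
```

The same grouping works for any unsalted scheme (raw MD5 or SHA-1 in a web application database, for instance) by swapping the parser. For salted hashes, run the cracking job first and group on the recovered plaintext instead; a salted scheme where two accounts nonetheless have identical hashes indicates a broken or constant salt, which is a finding in itself.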