Basic Password Practices

Simple password hashes can be cracked in less than a second with some trivial knowledge. Password cracking software such as John the Ripper support the cracking of hundreds of types of hashes using brute force or rainbow tables. Brute force attacks often use dictionary files, which are large text files containing thousands upon thousands of plain text passwords that are commonly used and have been stripped from data breaches and other sources. Both the tool and the dictionaries are readily available on the internet.

Let’s start with some basic math surrounding the length and complexity of passwords. The times listed are approximate and wouldn’t take into consideration if a service doesn’t allow certain characters:

• 8 characters at only lowercase equals 26^8. Extremely easy, will crack in < 2 minutes.

• 8 characters at upper- and lowercase equals 52^8. Still not the best, will crack in < 6 hours.

• 8 characters at uppercase, lowercase, and numbers equals 62^8. A little better, will crack in < 24 hours.

• 10-character passphrase with uppercase, lowercase, numbers, and symbols 94^10. Approximately 600 years.¹

Rainbow tables are a relatively modern twist on the brute-force attack as the cost of storage has become cheaper, allowing for a processing time/storage trade-off. A rainbow table contains a list of precomputed and stored hashes and their associated cleartext. A rainbow table attack against a password hash does not rely on computation, but on being able to look up the password hash in the precomputed table.

While long and complex passwords won’t matter if the backend encryption is weak or there has been a breach involving them, it will protect against brute-force attacks.

Teaching users and requiring administrators to create complex passwords is an overall win for everyone. One way of making secure passwords easier to remember is using phrases from books, songs, expressions, etc., and substituting characters. They then become a passphrase instead and are inherently more secure. For example:

Amanda and Lee really love their password security = A&LeeR<3TPS

Another learning opportunity for end users, and possibly even an enterprise-wide shift in process, would be to not trust others with passwords. Helpdesk staff should not be asking for passwords, ever, period. Users should be educated to the fact that no one in the organization would ask for their password, and to do the right thing and report anyone who does. The idea of keeping passwords to yourself doesn’t only apply to humans. Internet browsers store passwords encoded in a way that is publicly known, and thus easy to decode. Password recovery tools, which are easily available online, enable anyone to see all the passwords stored in the browser and open user profiles.

Password Management Software

In this day and age we have passwords for everything. Some of us have systems that make remembering passwords easier, but for the majority of users it isn’t feasible to expect them to remember a different password for each piece of software or website. Don’t make the mistake of reusing passwords for accounts. In the increasingly likely event that a website with stored password hashes gets hacked, attackers will inevitably start cracking passwords. If passwords are successfully cracked, particularly those associated with an email address, attackers will probably attempt to reuse those credentials on other sites. By never reusing passwords, or permutations on passwords, this attack can be thwarted. Whether it is a personal account or an enterprise account, passwords should not be reused. Sites and services with confidential or powerful access should always have unique complex passwords.

Password reuse is a common problem that can be solved by using a password manager. There are many different options from free to paid versions of password management software. Password management implementations vary, from the rudimentary password-storing features in most browsers to specialized products that synchronize the saved passwords across different devices and automatically fill login forms as needed. Perform significant research to come up with the best fit for your organization. Some questions that should be asked when looking into the software include:

• Are there certain passwords that need to be shared among admins such as for a root or sa account?

• Will you be using two-factor authentication to log in to the password manager? (Hint: you should.)

• Do you want to start with a free solution that has fewer features, or with a paid version that will allow more room to grow, and better ease of use? You may want to start with the free version and then decide later if it makes sense to move to something more robust. Take note that many free versions of software are for personal use only.

• Is there a one-time cost or a recurring fee?

• Should the system have a built-in password generator and strength meter?

• Is there a need for it to auto-fill application or website fields?

• Does the password manager use strong encryption?

• Does it have a lockout feature?

• Does it include protection from malicious activity, such as keystroke logging—and if so, which kinds of activity?

In all cases, the master password should be well protected; it’s best to memorize it rather than write it down, although writing it down and keeping it in a secure location is also an option. It’s never a bad idea to have a physical copy of major user accounts and passwords written down or printed out in a vault in case of emergency. Before deciding on a password manager, read reviews of the various products in order to understand how they work and what they are capable of doing. Some reviews include both strengths and weakness. Perform analysis as well by reading background information on vendors’ websites. When a password manager has been chosen, get it directly from the vendor and verify that the installer is not installing a maliciously modified version by checking an MD5 hash of the installer. If a hash is not available, request one from the vendor; if the vendor cannot provide a verification method, be skeptical. Although moving to a password manager may take a little effort, in the long run it is a safe and convenient method of keeping track of the organization’s passwords and guarding specific online information.

Password Resets

Password reset questions when not using 2FA (or when using it when poorly implemented) can be a surefire way for an attacker to get into an account and cut the user off from accessing it. Answers to the questions “What is your mother’s maiden name?” “What city were you born in?” or “Where did you graduate high school?” are added onto an account for “security” purposes. The majority of answers to these questions are easily found on the internet, guessed, or even socially engineered out of the user.

When designing a system that allows password resets, try to not use standard everyday questions that are easily guessed. A method of ensuring the security questions are not brute forced would be to supply false information. The answer to “What is the name of your elementary school?” could be “Never gonna give you up” or “Never gonna let you down.” The answers can then be stored away in a password manager as it would be incredibly hard to remember the answer that has been supplied.

Password Breaches

According to the 2016 Verizon Data Breach Incident Report, 63% of confirmed data breaches involved weak, default, or stolen passwords and 76% of network intrusions were carried out by compromised user accounts. Looking at some numbers of overall breaches in 2015, the numbers of unique accounts are staggering (see Table 13-1).

Good password security will allow you to minimize the impact of the consistent breaches on personal accounts, as well as making it less likely that the enterprise will have a breach.

Encryption, Hashing, and Salting

There is a common misunderstanding of these three terms. It will be extremely helpful to understand what encryption, hashing, and salting mean and the difference between them. All three can be involved with password implementations and it’s best to know a little about them and how they work.

Amanda and Lee are awesome = 2180c081189a03be77d7626a2cf0b1b5

Amanda and Lee are awesome at creating examples = 
51eba84dc16afa016077103c1b05d84a

Password Storage Locations and Methods

Many locations and methods of password storage are typically insecure by default. The following lists some higher profile and more common insecure methods of password storage. Ensure the vulnerabilities are patched, are not using the processes, and are alerting on the possible implementation of the items listed.

• A high-profile Linux vulnerability in 2015 with the Grand Unified Bootloader (grub2) allowed physical password bypass by pressing the backspace button 28 times in a row. Grub2, which is used by most Linux systems to boot the operating system when the PC starts, would then display a rescue shell allowing unauthenticated access to the computer and the ability to load another environment.

• Set proper authentication settings in MS Group Policy. The default GPO settings have the LM hash enabled, which is easily cracked:

  • Navigate to Computer Configuration→Policies→Windows Settings→Local Policies→Security Options.

  • Enable the setting “Network Security: Do not store LAN Manager hash value on next password change.”

  • Navigate to Computer Configuration→Policies→Windows Settings→Local Policies→Security Options.

  • Enable the setting “Network Security: LAN Manager Authentication Level” and set it to “Send NTLM response only.”

  • Navigate to Computer Configuration→Policies→Windows Settings→Local Policies→Security Options.

  • Enable the setting “Network Security: LAN Manager Authentication Level” and set it to “Send NTLMv2 response only\refuse LM.”

• A well-known vulnerability within Windows is the ability to map an anonymous connection (null session) to  a hidden share called IPC$. The IPC$ share is designed to be used by processes only; however, an attacker is able to gather Windows host configuration information, such as user IDs and share names, and edit parts of the remote computer’s registry.

  • For Windows NT and Windows 2000 systems navigate to HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Control → LSA → RestrictAnonymous.

  • Set to “No Access without Explicit Anonymous Permissions.” This high-security setting prevents null session connections and system enumeration.

• Baseboard Management Controllers (BMCs), also known as Integrated Lights Out (ILO) cards, are a type of embedded computer used to provide out-of-band monitoring for desktops and servers. They are used for remote access to servers for controlling the hardware settings and status without having physical access to the device itself. The card provides system administrators the ability to connect through a web browser as long as the unit has power running to it. The ILO allows the powering on of the device, changing settings, and remote connection into the desktop of the OS. Often, the default password on the cards are not changed.

  • The protocol that BMC/ILOs use is also extremely insecure. Intelligent Platform Management Interface (IPMI) by default has often used v1 of the protocol and has cipher suite zero enabled, which permits logon as an administrator without requiring a password. So not only should default passwords be of concern, so should taking steps to protect against this critical vulnerability by upgrading the ILOs to v2 or greater and changing default passwords. There are specific modules in Metasploit that will allow scanning of the network for ILO cards with vulnerabilities (the Metasploit scanner in this case is auxiliary/scanner/ipmi/).

• As covered in Chapter 14 using centralized authentication when possible, such as Active Directory, TACACS+, or Radius, will allow you to have less overall instances of password storage to keep track of.

Password Security Objects

In Windows Server 2008, Microsoft introduced the capability to implement fine-grained password policies (FGPP). Using FGPP can be extremely beneficial to control more advanced and detailed password strength options. There are some cases when certain users or groups will require different password restrictions and options, which can be accomplished by employing them.

Multifactor Authentication

Multifactor Authentication (MFA) or two-factor authentication (2FA) uses two separate methods to identify individuals. 2FA is not a new concept. It is a technology patented in 1984 that provides identification of users by means of the combination of two different components. It was patented by Kenneth P. Weiss and has been slowly gaining popularity throughout the years. Some of the first widely adopted methods of 2FA were the card and PIN at ATMs. Now that the need to protect so many digital assets has grown, we are struggling to implement it in environments and with software that may or may not be backward compatible.

Why 2FA?

Basically, password strength doesn’t matter in the long run. Passwords are no longer enough when it comes to the sheer volume and sensitive nature of the data we have now in cyberspace. With the computing power of today, extensive botnets that are dedicated to password cracking, and constant breaches, you can no longer rely on only a password to protect the access you have. So why compromise when it comes to the security of data, access to systems, or the possibility of giving an attacker a foothold into corporate infrastructure? On top of doing your best to increase password complexity, 2FA is an essential part of a complete defense strategy—not just a bandaid for a compliance checkmark.

While the number of services and websites that provide 2FA is increasing, we rarely think about it in our own enterprise environments. A surprising number of companies and services decide to implement 2FA only after a large-scale or high-visibility breach. Figure 13-6 shows the widely known AP Twitter hack that brought the stock market down in April 2013 (Figure 13-7). Twitter started offering 2FA in August of that same year, less than four months later. While it can be argued that this specific hack, being a phishing attack, may have occurred regardless, it is still likely that 2FA could have lended a hand in preventing it. In the J.P. Morgan breach, the names, addresses, phone numbers, and email addresses of 83 million account holders were exposed in one one of the biggest data security breaches in history. J.P. Morgan’s major mistake? The attackers had gotten a foothold on an overlooked server that didn’t have two-factor authentication enabled.

Figure 13-6. False tweet from the hacked @AP Twitter account

Figure 13-7. The stock market crash after the tweet

Conclusion

As much as we hear that passwords are dead, password management will be a necessary evil for a long time to come, so securing them as much as possible will be in your best interest. Many security topics can lead you down a never-ending rabbit hole, and password security and cryptology are no different. Here are some great references if you would like to know more about the inner workings of password storage and cryptography:

• Password Storage Cheat Sheet, Cryptographic Storage Cheat Sheet

• Guide to Cryptography

• Kevin Wall’s Signs of broken auth (& related posts)

• John Steven’s Securing password digests

• IETF RFC2898, RFC5869

• scrypt, IETF Memo: scrypt for Password-based Key Derivation

• Open Wall’s Password security: past, present, future

These should provide some additional insight for anyone interested in more in-depth cryptography.