InfoWorld Home / Security Central / Security Adviser / Test the strength of your password policy
May 22, 2009

Test the strength of your password policy

Roger Grimes presents a useful tool for figuring out how susceptible your network might be to a password-cracking attack

| Print | 8 comments|
985 Recommendations

Most password-cracking scenarios focus on attacks that convert a captured hash to its plain-text password equivalent using an offline attack and hash or rainbow table database. Capturing password hashes assumes a lot. In most cases, the attacker must have highly privileged access (admin or root) to get to the hashes; if they do, they can inflict much more other damage. So why just discuss password cracking?

Further, in the Windows world, a remote attacker must have local administrator access on a computer and NetBIOS access, which is often blocked by the perimeter firewall. Despite popular belief, today's Windows logon password hashes cannot be sniffed off the wire. Plus, if an attacker can get the hash, he or she can conduct a "pass-the-hash" attack and not worry about converting it in the first place.

[ Roger shares more advice on managing passwords in these Security Adviser posts: "Password size does matter" | "Getting a grip on better password hashes" | "Ask better password questions" ]

Don't be lulled into a false sense of security, though: A complex, six- to eight-character password may have been sufficient 10 years ago, but it's certainly not today. Most of the Linux/Unix systems I've reviewed do not enable their account lockout policy. In the Windows world, the true administrator account cannot be locked out, and some software programs don't log against the account lockout policy. Many companies are disabling the account lockout policy to prevent automated worms, such as Conficker, from locking out all the user accounts and causing an indirect DoS event.

Moreover, most companies still lack a sufficiently adequate auditing system to alert admins of repeated failed logon attempts -- even if the number exceeds the hundreds of thousands. So a remote attacker can enumerate all of your external access points (Outlook for Web Access, Terminal Server, SharePoint, FTP, SSH, RDP, Telnet, and so on) and guess away against your administrator account until he or she breaks it.

Related Content...
additional resources
White Paper - How to Improve Delivery of Advanced Web Applications

White Paper

Virtual Workforce: The Key to Expanding The Business While Cutting Costs

Get the independent advice and expertise you need to support a virtual workforce.

Go inside:
The three-step approach to making a virtual workforce a reality.
The four flavors of client virtualization technologies.
The three key initiatives that solve IT challenges.
Download now »
White Paper: Successfully Secure Your Wireless LAN With Wi-Fi firewalls.

White Paper

Addressing Linux Threats Leveraging Fewer Resources

The increase in Linux popularity has increased the frequency and sophistication of malware attacks. Read this 2 page white paper now to learn how you can protect your Linux environment with real-time protection that is certified by all major Linux vendors.

Download now »
White Paper - The 2009 Handbook of Application Delivery

White Paper

The 2009 Handbook of Application Delivery

Ensuring acceptable application delivery will become even more difficult over the next few years. As a result, IT organizations need to ensure that the approach that they take to resolving the current application delivery challenges can scale to support the emerging challenges. This handbook elaborates on the key tasks associated with planning, optimization, management and control and provides decision criteria to help IT organizations choose appropriate solutions.

Download now »
White Paper - Is Your Backup System Outdated?

White Paper

Mid-range Storage Considerations

A common misconception is that mid-range storage requirements are dramatically different than that of a larger enterprise. Mid-range storage users may require less capacity, but they have similar functionality and management requirements. This ESG paper examines mid-range storage needs and reviews a new solution that adjusts size while retaining value, performance and functionality.

Download now »
8 of 8 comments
Sign In or Register to comment
aaugh 22-May-09 9:45am
What about the PostIt problem? If you force people to choose passwords they can't remember, they'll write it on a PostIt and paste it next to their monitor.
Yuck 22-May-09 1:29pm
Shouldn't the formula simply be =D11^A32, =D11^A33, etc. You can check the values by setting Max. # of Characters/Symbols Size Allowed in Passwords to 10. Instead of getting 10**15 you get 1,111,111,111,111,240 Mike
joku 24-May-09 5:38am
Here is web form for same calculations. Form is restricted to NIST and Perfect (computer generated) calculations. I didn't understand why original spreadsheet is limited to 15 characters as NIST is not restricted to that (Perfect do not have any limits, user selected passwords is specified as 'after 15 characters add 1 bit per character').
anony123 25-May-09 5:01am
1 reply
In the proper setting, password expiration is useless: Mike Howard did the math in "How often should you change your password – or should you bother?"; http://is.gd/DblR the math is not that hard, and I can't find any loopholes; can you? So don't bother with password expiration.
joku 25-May-09 11:30am
1 reply
Article do have one big problem. Whole point of password expiration is to prevent attacker from trying his/her complete dictionary (or whatever is guessing set). Good assumption is that at least some users (assuming big user group) do select bad passwords. If they have to change passwords before every (feasible) possible password is tried, probability to find right one is lower. Absolutely, stronger passwords are better than weak that is valid only for relative short time. But it's really hard to prevent users from choosing bad passwords (or recycling nearly same passwords: 'Sch00lmonday', 'Sch00ltuesday' etc.). Eventually attacker will come to those.
anony123 25-May-09 12:13pm
Good assumption. But doing the math will show you that controlling the login attempts has a much bigger impact on the outcome (of guessing the password) then password expiration. So, it _is_ hard to prevent users to choose a bad password; but you can mitigate that easily by controlling the login attempts.
rdm 26-May-09 10:50am
You know... secure passwords are a wonderful thing, but forgotten passwords (and the associated processes) have their own issues and, meanwhile, this whole spreadsheet rests on an interesting assumption: that username/password pairs can be tested easily. Of course, historically, we have the lockout mechanism which is supposed to prevent such abuse. But, as Mr. Grimes notes, people turn this off because of DOS issues. Then again, perhaps we should have some options between "locked out after some stupid piece of software mucks up the works" and "lock outs? never!" Locking out machines which have engaged in probing (and making it stupid easy to identify such misbehaving machines) might be one such step. And this can be a gradual thing: after a certain number of failed password attempts, you can start randomly failing valid passwords, and the likely hood of failure can go up with further attempts, with full lockout not happening until maybe a hundred distinct password hashes have been used. This should be restrictive enough to stop exhaustive searches and the false negatives should also slow down other attempts. And there's no reason to keep secret the likely hood of false negatives a secret -- when this mechanism gets triggered it should be "in your face obvious". Of course, you will still be getting support calls from people when they can not log in, and of course the real problem is exposing the raw information to people that need to know, without burying them in trivia. So password change and reset dialogs should all also be changed to present a security summary (about the threat level of failed password attempts) and a way of drilling down into this information (which machines have been misbehaving, trends, that sort of thing). And, of course this is all vaporware or worse. But... ... but our computer systems are insecure when the people responsible for them do not understand them. So we really ought to be approaching these problems as a strong expression of need, for more comprehensible systems.
reusablesec 1-Jun-09 7:28pm
I really appreciate the work you are doing. I tend to think that entropy is a bad measure of password security though. It works great for evaluating certain code types, but humans just don't do random very well and it's hard to abstractly measure all the shortcuts an attacker can use to take advantage of this weakness. Personally I think the log-in protocol used is more important than a very strong password creation policy. Increasing the time cost of a log-in attempt depending on the number of failed log-ins can be very useful. It stops a DoS attack against the user, but at the same time if you limit an attacker to one guess every two minutes or so, (after the first three or four), you can make even a "weak" password fairly strong. One measure of the strength of an individual password I've found is to look at the mangling rules that were applied to it, (using a modified edit distance), and then compare that to the rules used in popular password crackers. This way you can quickly evaluate how many guesses it would take to crack that password using real life examples. More about this can be found at my blog here . Sorry about the shameless self promotion ;)

Sign up to receive InfoWorld Resource Alerts

Subscribe to the Today's Headlines: First Look Newsletter

Find out what will be news for the day, with our first-thing-in-the-morning briefing.

White paper

Log Management: How to Develop the Right Strategy for Business and Compliance

This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.

Download now! »

White paper

The Essential Series: Security Information Management

Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.

Download now! »

White paper

Aberdeen: Choosing and Consuming Managed Security Services

Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.

Download now! »
©1994-2010 Infoworld, Inc.