Tales from the Certified Hacker: Passwords

22 Sep 2017

The current trend for secure passwords is to pick a word, change some of the characters around, and come up with what we believe is a good password. For example, taking the word 'password', we might be tempted to turn it into a complex password by mixing upper case, lower case, special characters and numbers, resulting in: Pa$$w0rd. This will comply with an 8-character complex password policy.

To make matters worse, the IT department may insist on us changing our password every 30 or 40 days. This encourages us to pick a simple, memorable, short-term password which will contain an acquaintance's name and a date. If, for example, we have a friend named Mary who we know was born on 10 December 1995, we could use the password Mary10Dec1995. This will comply with the Microsoft complex password policy, which requires three of the four categories (upper case, lower case, special characters and numbers), but a simple search of a user's social media pages exposes such a password.
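To make the gap concrete, here is an added example (not from the original post) that applies the three-of-four complexity rule described above and then looks for the weaknesses the rule misses. The function names, the tiny word list and the substitution map are assumptions made for illustration.

```python
import re

# Constructed sample data: a tiny word list and substitution map (assumptions).
COMMON_WORDS = ("password", "welcome", "letmein")
LEET = str.maketrans({"$": "s", "0": "o", "@": "a", "1": "l", "3": "e", "!": "i"})


def meets_complexity(pw, min_len=8):
    """Minimum length plus three of the four character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def weaknesses(pw, personal_terms=()):
    """Reasons a password is guessable even if it passes the policy."""
    reasons = []
    # Undo common character substitutions before the dictionary lookup.
    normalised = pw.lower().translate(LEET)
    for word in COMMON_WORDS:
        if word in normalised:
            reasons.append(f"dictionary word '{word}' behind substitutions")
    # Names and similar terms an outsider could learn about the user.
    for term in personal_terms:
        if term.lower() in pw.lower():
            reasons.append(f"personal term '{term}'")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("four-digit year")
    return reasons


if __name__ == "__main__":
    samples = [
        ("Pa$$w0rd", ()),
        ("Mary10Dec1995", ("Mary",)),
        ("I have 2 pets, a cat named Fluffy and a dog named Woofy", ("Mary",)),
    ]
    for pw, terms in samples:
        print(meets_complexity(pw), weaknesses(pw, terms), repr(pw))
```

All three samples pass the complexity rule, but only the pass phrase comes back with no findings.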

So, what should we do?

At work, the password policy is managed by your Domain Administrator. While your admin may require a complex ten-character password, you are not restricted from making it more complex. A password greater than 14 characters makes it more difficult for hackers to extract your password from a computer without keyloggers, as the time-honoured LAN Manager / New Technology LAN Manager hashing system then stores an invalid hash of the password which cannot be used to authenticate the user. In this case, we force Kerberos authentication, which may stop us connecting to NT4/Windows 98 machines, but these days that would be pretty rare.

For users, then: create a pass phrase. A pass phrase such as 'I have 2 pets, a cat named Fluffy and a dog named Woofy' would take a lot longer to crack, as it has 55 characters and complies with complexity requirements. We would, of course, not use the names of our pets, but this is just an example of how we can formulate our passwords.

For administrators: increase the password expiry to 90 or 120 days, and run L0phtCrack (with the permission of management, of course), after which a password change for users would be necessary. Running it will expose weak passwords generated by users. Services should use Managed Service Accounts, which on a Microsoft system generate passwords greater than 100 characters every 30 days for those services using the Managed Service Account system.

Stay safe,
Terry Griffin, Principal Technologist: Security