ADS Password Storage Protection


    Roger,
    I agree with you with regards to the entropy of the password strength. A longer password can be mathematically stronger than a complex password with fewer characters, especially when using an incremental brute-force attack.
    The problem isn't password cracking anymore. By continuously attacking password complexity/length issues, security professionals are dealing with a symptom of the problem inherent in authentication systems but not the problem itself. With practical application of the Faster Time-Memory T in Rainbow Tables, even long-and-strong passwords are quickly becoming crackable. As computers mature and bot-nets grow, the theory of continuously using passwords longer than systems can reasonably crack breaks down; eventually we will make users use entire novels as their password to remain secure.
    The reality of authentication attacks is that they typically occur at an interface. As long as the password is "strong enough" not to be reasonably guessed within 100 random tries or so, your audit processes should enable you to detect an attack. This is why you would want to set your lockouts and alerts to something higher like 10, 15 or 25. If someone is cracking your Active Directory password hash data, then they've compromised your system to an administrator level already. Since the "Administrator" account has a known SID, one method of auditing a compromise is to never use the built-in administrator. Instead, create secondary administrator accounts and monitor the built-in administrator account for authentication, with an alert on interactive or remote login letting you know the system was compromised.
    With hash injection ("pass the hash"), I never even have to know what your username/password actually is. When I am confronted with a login prompt, I would use a modified SMB client to inject authentication credentials in hash form directly into the SMB/Kerberos exchange. Your password could be a random 200 characters long, and it wouldn't matter; I'd still get into your system.
    Instead of worrying about making passwords ultra-complex or ultra-long, the security administrators need to protect and monitor the hash database. By forcing growing password requirements upon the system users, we're overlooking the attack vector to the authentication system and ticking off the users in the process. Password complexity and length requirements have created the "iron gate" on the front door that thwarts attackers. They're now coming in through the windows. We have to pay attention to the attack vector because the mathematical complexity of passwords has reached a moot point.
    Sincerely,
    Eric Baechle, CISSP/ISSEP, etc
    Senior INFSEC/PSEC Engineer
    Department of Homeland Security
    -----Original Message-----
    From: Roger A. Grimes [mailto:roger (AT) banneretcs (DOT) com]
    Sent: Monday, July 17, 2006 2:54 PM
    To: Baechle, Eric M; security-basics (AT) securityfocus (DOT) com
    Subject: RE: ADS Password Storage Protection
    Let me comment on this post by saying that password length beats complexity character for character.
    So go long and forget complexity. Complexity pisses end users off.
    At 15 characters (complex or not), the password is uncrackable. Tell normal users to go 12 character min. (actually 9 and above is pretty good). Admins should go 15+.
    I frequently demo this idea using Cain (www.oxid.it) and its brute force cracking mode.
    If I can get your LM hashes, I can crack your password no matter how complex. If you go 15 char.+, I'll never crack it, no matter how big the rainbow tables or how many computers I have.
    Linux folks should use bcrypt password hashes to accomplish the same.
    Roger
    *Roger A. Grimes, InfoWorld, Security Columnist
    *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yadayada
    *email: roger_grimes (AT) infoworld (DOT) com or roger (AT) banneretcs (DOT) com
    *Author of Professional Windows Desktop and Server Hardening (Wrox)
    *
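As an added example (not part of this thread), here is the monitoring idea from Eric's reply in code: flag interactive or remote logons by the built-in Administrator, identified by its well-known RID 500 rather than by its renameable account name. The event fields mirror Windows Security event 4624 (successful logon); the sample records, the domain SID and the workstation names are constructed.

```python
import re

# Added example, not code from the thread. Event 4624 logon types that
# mean a person (or an attacker's tool) is actually using the account.
ALERT_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 3: "Network"}

# Constructed sample events: EventID|TargetUserSid|TargetUserName|LogonType|Workstation
SAMPLE_EVENTS = """\
4624|S-1-5-21-111111111-222222222-333333333-500|Administrator|10|WS042
4624|S-1-5-21-111111111-222222222-333333333-1105|jdoe|2|WS042
4624|S-1-5-21-111111111-222222222-333333333-500|Renamed-Acct|2|WS017
4624|S-1-5-21-111111111-222222222-333333333-1106|secadmin2|10|WS042
4624|S-1-5-18|SYSTEM|5|WS042
4625|S-1-5-21-111111111-222222222-333333333-500|Administrator|3|WS099
"""

BUILTIN_ADMIN_RID = 500
# Domain or local machine SID: S-1-5-21-<three subauthorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def is_builtin_admin(sid: str) -> bool:
    """True if the SID belongs to the built-in Administrator (RID 500)."""
    m = DOMAIN_SID_RE.match(sid)
    return bool(m) and int(m.group(1)) == BUILTIN_ADMIN_RID


def parse_event(line: str) -> dict:
    """Split one pipe-delimited record into typed fields."""
    event_id, sid, name, logon_type, workstation = line.split("|")
    return {"event_id": int(event_id), "sid": sid, "name": name,
            "logon_type": int(logon_type), "workstation": workstation}


def find_builtin_admin_logons(raw: str) -> list:
    """Return one alert string per successful interactive/remote RID-500 logon."""
    alerts = []
    for line in raw.strip().splitlines():
        ev = parse_event(line)
        # Only successful logons (4624) by the RID-500 account matter here;
        # a renamed account is still caught because we key on the SID.
        if ev["event_id"] != 4624 or not is_builtin_admin(ev["sid"]):
            continue
        kind = ALERT_LOGON_TYPES.get(ev["logon_type"])
        if kind is not None:
            alerts.append(f"{kind} logon by built-in Administrator (RID 500) "
                          f"as '{ev['name']}' on {ev['workstation']}")
    return alerts


if __name__ == "__main__":
    for alert in find_builtin_admin_logons(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Failed logons (4625) are left out on purpose; those belong to the lockout-threshold alerting Eric describes, not to the "someone is using the account we never use" signal.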