Password strategy

wes allen

Interesting article on password cracking on Ars, the comment section is well worth reading as well for additional insight. 25-GPU cluster cracks every standard Windows password in <6 hours | Ars Technica

What kind of strategy do you all use to protect your online accounts? Seems like you can take a few steps to really lower your risk:

1 - password manager. I like 1Password, but there are plenty of others out there.
2 - 2 factor auth where supported
3 - never, ever reuse a password
4 - forgetting the whole "8 characters = safe" idea and using 20+ totally random characters.

tpatt100

I have a "password" that I use for everything that is considered strong. Then I add something to the end that uses a pattern that I follow, something like first a variant of the name of the site so "P@55word"+"Texams or something like that. I make sure the part of the website I use as the part after my normal password follows the same pattern for all of them so I just have to remember "P@55word" and the type of pattern for the latter half.

I still have a bunch I need to change but my biggest problem is using my main email for everything rather than use a couple of different ones and use one for business/financial and one for social media sites, forums, etc. Because once your email password is figured out, it's just "forgot password?" for everything you own pretty much.

YFZblu

All of my passwords are different, I use pass-phrases, and I do utilize a password manager.

RobertKaucher

I use LastPass which encrypts your vault with 256 bit AES and transfers that over SSL. This means that they do not have access to any of your passwords. https://lastpass.com/whylastpass_technology.php

That article mentions this in passing, but that is exclusively an off-line attack. Meaning it is really just an acceleration of what has already been done in the past. If an attacker has access to your systems to the point that he has hashes of your passwords you are already screwed on multiple fronts...

If anyone is interested in a bit of a deep dive into how to do passwords and authentication properly CrackStation has a very good article on the topic. Secure Salted Password Hashing - How to do it Properly It includes source code in multiple languages.

wes allen

My take away was that reusing passwords is a really, really bad idea and that using 15-20 character complex passwords will help for sure. The other thing that was interesting to me (in the comments) was that a really big percent of the passwords were cracked, not by brute force, but by dictionary attacks combined with a pretty extensive rule set to make changes and combos to the dictionary attacks. They didn't need to resort to brute force (called "The Hail Mary" of cracking) but were able to use other ways to break them. Same with paraphrases - there are some pretty powerful rule sets to break them without having to use brute force.

To me, this means you just about have to use some form of password manager, as there is no way most people can keep track of a bunch of 20 character complex passwords. The other thing as noted here, is that the password recovery options are also a weakness. The articles on the wired writers hack have some good ideas on how to tighten things up a bit. Here is something I wrote up for some friends on facebook. It is very much only a guideline and as with all security, it has holes and makes your life more complex.

1. Sign up for a new gmail account, use something non specific to you for the name - abcpw123@gmail.com or whatever. You will never use this account to send email.
2. Use a strong password for the account.
3. Remove the profile for all gmail services.
4. Sign up for free dropbox account with the new email.
5. Use a strong password.
6. Buy and install 1password (or lastpass, etc.) on your desktop machine.

7. Set up 1password to synch via the dropbox account you created.

8. Install 1password on your phone, ipad, laptop, etc and config for dropbox sync

9. Install the browser extensions for 1password on your desktop.

10. Install google authenticator on your phone.

11. Go back to the account you created in step one.

12. Use 1password to generate a super strong password (20+ random characters)

13. Enable 2 step (factor) authentication on the account using text and google authenticator

14. Go to dropbox account you set up.

15. Use 1password to set up super strong password.

16. Enable 2 factor authentication with google authenticator.

17. Go to all your important web accounts (facebook, emails, paypal, banks, itunes, amazon, etc) and generate new super strong passwords with 1password.

18. Change your main/contact/password recovery email on those sites to the one you created in step one.

19. You will have to go back and change passwords on your email clients, mobile devices, etc, but with 1password, you can sync your changes and copy and past the new password in.

20. If you are a gmail user for your other accounts, you can also set them up for two factor, though you will have to jump through a few more hoops to get them working with your email clients and mobile apps.

ptilsen

I will admit, I share passwords between sites which I've deemed non-risks. My Techexams password, for example, is a relatively short, simple password that I use for other forums and services which don't have substantial personal information.

My email accounts use different passwords. I haven't made the leap to using 1password or LastPass or anything like that. I have memorized quite a few long (well over ten characters), complex (totally random character sequences) passwords which I generally don't share between services. I do have two-factor authentication on Gmail and Battle.net, and some bank sites that offer it. I would do it on everything involving money or email if it were offered.

I may consider a move to password manager, but I would want it to be open source. I don't normally care one way or another, but for example with LassPass, there is nothing stopping the application developers recording your password somehow, meaning they could have access to it even though it's encrypted.

RobertKaucher wrote: »

That article mentions this in passing, but that is exclusively an off-line attack. Meaning it is really just an acceleration of what has already been done in the past. If an attacker has access to your systems to the point that he has hashes of your passwords you are already screwed on multiple fronts...

I disagree with this, at least in a broad context. Having passwords that are secure against off-line attacks is a necessity. For most corporate networks, access to user password hashes is easily obtained. Outside of doing port authentication for every single port on every switch and physically securing and/or encrypting all computers, it is far too difficult to prevent an attacker from gaining access to password hashes. The whole point of using strong passwords and password rotation is to make the hashes worthless in an offline attack. For online attacks, lock-out policies make short, simple passwords feasible.

Zartanasaurus

wes allen wrote: »

To me, this means you just about have to use some form of password manager, as there is no way most people can keep track of a bunch of 20 character complex passwords. T

This is false. You probably have more than a dozen 15-20 character complex characters memorized right now, you just don't realize it. Open up your address book in whatever email program you have and make a list of all the email addresses in there. What do email address contain? Upper case, lower case, numbers and symbols. You can memorize a long string of characters, it just has to be in a form you recognize. It's just like a phone #. If I just give you a list of 10-digit #s to remember, it's going to be hard. Once they are in the form of a phone #, suddenly they are very easy to remember.

RobertKaucher

ptilsen wrote: »

I disagree with this, at least in a broad context. Having passwords that are secure against off-line attacks is a necessity. For most corporate networks, access to user password hashes is easily obtained. Outside of doing port authentication for every single port on every switch and physically securing and/or encrypting all computers, it is far too difficult to prevent an attacker from gaining access to password hashes. The whole point of using strong passwords and password rotation is to make the hashes worthless in an offline attack. For online attacks, lock-out policies make short, simple passwords feasible.

The statement in bold makes very little sense to me. Could you define "easily obtainable"? But even if obtaining corporate password hashes were easily obtained then your attacker already has physical access to multiple systems and you are in fact and by the very definition of the phrase "screwed on multiple fronts." And I'm not exactly sure how plugging into a switch port would grant me access to a hashed password, though. It seems to me you would at least need to be able to **** the config. And you aren't going to be able to do that without authenticating first, right?

Now the rest of your statement I agree with 100% and that was the point I was making. This is just an acceleration of what we have already seen and companies with good security protocols/practices don't really have anything very new to worry about from this.

wes allen

I agree that if someone has access to stored password hash, you are quite possibly screwed in regards to that system. The danger is in having credentials exposed that are also used on another system. Maybe your domain account password is the same for salesforce, or your personal gmail, etc. So, thinking is a bigger picture of over all security, vs. looking at only the system that was compromised.

ptilsen

RobertKaucher wrote: »

The statement in bold makes very little sense to me. Could you define "easily obtainable"? But even if obtaining corporate password hashes were easily obtained then your attacker already has physical access to multiple systems and you are in fact and by the very definition of the phrase "screwed on multiple fronts." And I'm not exactly sure how plugging into a switch port would grant me access to a hashed password, though. It seems to me you would at least need to be able to **** the config. And you aren't going to be able to do that without authenticating first, right?

Obtaining access to user hashes is not generally very difficult. Given physical access to the network or a network computer, which is often very easily, all you need to do is ARP poison and packet capture, and you have hashes. Generally speaking, most networks are not segmented such that users don't share a layer two subnet, and hashes will generally be sent without additional encryption.

That kind of access doesn't mean you can get anything meaningful if passwords are strong and other, sensitive traffic is encrypted. For many, maybe most organizations, it is not hard to get that kind of physical access, yet not hard to protect sensitive credentials and other traffic in transit with strong hashes.

This is in contrast with getting access to a server room, at which point you are indeed screwed. But getting physical access to network ports and user devices should not mean you're "screwed on multiple fronts". There is no good reason networked systems should be so insecure that that kind of access (which, again, is generally easily obtained) permits an attacker to obtain anything but useless hashes.

DevilWAH

For work I use a password manager for server and network devces, because we use different passwords on all system, so to remember 80+ unique complex passwords is just not going to happen.

But for personal user I have 2 or three complex (ish) passwords for bank logins and email accounts. While anything like forums or sites that have nothing to do with financial or personal data I use very basic passwords.

For personal passwords I generally think up a 12 to 15 word sentence, take alternate first n last letters of each word, add a few random elements in it and have a password that's 15 to 20 in length and no ones going to crack with a basic brute force or hash table attack.

Its always a question of balance, do i have a password 50 charatures in length that gets changed every 24 hours for techexams? or an 8 digit one that yes if some one runs a hash attack on it might get broken, but where will that lead the attacker?

About7Narwhal

If someone serious wants to get your passwords, they will be able to do it. They will either have an abundance of time to attempt brute force attacks or will have an abundace of space to run Rainbow Tables. Take your pick.

ptilsen

About7Narwhal wrote: »

If someone serious wants to get your passwords, they will be able to do it. They will either have an abundance of time to attempt brute force attacks or will have an abundace of space to run Rainbow Tables. Take your pick.

This is incorrect for two reasons. First, a sufficiently complex hash would require impractically large rainbow tables, just as calculating the passwords requires impractically large amounts of computing power. Given the progress of technology, the complexity required to fend off both rainbow tables and calculations will grow, but for now this is generally true. Overall, if rainbow tables were able to account for all possible passwords better than various cracking algorithms, research into the subject of cracking algorithms would have been stopped and human-usable passwords would no longer be commonplace.

Second, password rotation policies mean that even a hash which can be found given "an abundance of time" will no longer be useful after the password has been changed per the rotation policy.

Given the technology available today, a nine-character complex Windows password with a 120-day rotation should be sufficient for most passwords at most organizations. A ten-character complex password with a 90-day rotation should be sufficient for all passwords at the vast majority of organizations. The former would require sophisticated attackers with access to expensive amounts of computing power and/or storage (easily north of $100K), while the latter would be virtually un-crackable even with significant computing resources.

wes allen

DevilWAH wrote: »

But for personal user I have 2 or three complex (ish) passwords for bank logins and email accounts. While anything like forums or sites that have nothing to do with financial or personal data I use very basic passwords.

Its always a question of balance, do i have a password 50 charatures in length that gets changed every 24 hours for techexams? or an 8 digit one that yes if some one runs a hash attack on it might get broken, but where will that lead the attacker?

I used to be on the just using the same basic, generic password for sites that don't matter plan, but I am working on using strong, unique passwords for each and every site now. Using a password manager makes using 20+ character complex passwords easy. Here is a reason, and it is just a very broad generalization of a low probability event, but one that does merit consideration.

Say a user here is also on omgcerts4ever . com and shares the same account info. The omguscerts4ever . com admin is not up on security and has very basic hashing and security, such that someone is able to **** the hashed passwords. Since it is a "no value" site, the password is something simple, and the password, along with a bunch of others, is recovered. Now after a little bit of google, the person with the passwords find techexams and a matching account / password combo. They log in, start a "Review my resume" thread with a link to a PDF that has some fresh exploit imbedded. People see a post from a known and trusted source and click the link. Maybe one of them is using a work machine and is logged in as a domain admin, lots of admins on here, and I doubt they all use a separate account, esp. on a smaller domain. Now there is another pivot point into another network that might have very valuable info, all because of a generic password. And while a techexams account might might not have a financial value associated, it does have a social reputation value that would be valuable as a pivot point.

DevilWAH

wes allen wrote: »

I used to be on the just using the same basic, generic password for sites that don't matter plan, but I am working on using strong, unique passwords for each and every site now. Using a password manager makes using 20+ character complex passwords easy. Here is a reason, and it is just a very broad generalization of a low probability event, but one that does merit consideration.

Say a user here is also on omgcerts4ever . com and shares the same account info. The omguscerts4ever . com admin is not up on security and has very basic hashing and security, such that someone is able to **** the hashed passwords. Since it is a "no value" site, the password is something simple, and the password, along with a bunch of others, is recovered. Now after a little bit of google, the person with the passwords find techexams and a matching account / password combo. They log in, start a "Review my resume" thread with a link to a PDF that has some fresh exploit imbedded. People see a post from a known and trusted source and click the link. Maybe one of them is using a work machine and is logged in as a domain admin, lots of admins on here, and I doubt they all use a separate account, esp. on a smaller domain. Now there is another pivot point into another network that might have very valuable info, all because of a generic password. And while a techexams account might might not have a financial value associated, it does have a social reputation value that would be valuable as a pivot point.

i did not say same passwords, I said very basic passwords. My techexams password is unique, but its not very complex. Just a random 9 didget string.

I don't consider any public web site to be "known and trusted" and neither should any IT admin. Even more so if accessing it from a corporate network. Not only is it important to minimise the risks of your password being broken. But you should also have measurement in place to protect you or you corporate network if other indivuals or companies are compromised.

wes allen

Fair enough, and i didn't mean to put you on the spot. I was hopefully just giving a very theoretical example that even "unimportant" sites still have value and are worth taking the time for strong and unique passwords. There are other social engineering attacks that could be used with info from forums or other sites.

RobertKaucher

ptilsen wrote: »

Obtaining access to user hashes is not generally very difficult. Given physical access to the network or a network computer, which is often very easily, all you need to do is ARP poison and packet capture, and you have hashes. Generally speaking, most networks are not segmented such that users don't share a layer two subnet, and hashes will generally be sent without additional encryption.

Ah, OK. I completely concede the point! For some reason I had not even considered this and was stuck on physical access to server and networking systems. So extracting hashes from the SAM, an authentication SQL database, etc.

If I might offer a really lame excuse... I would have thought of this 2 years ago but now that all I do is sit in front of Visual Studio all day I really think I need a refresher on some basics of security and networking. Thank you for explaining!