It seems that weak passwords are at the heart of every large data breach.
I'm actually surprised we don't hear about weak passwords more often. Some of the biggest and most glaring security risks I report on in my work are good old-fashioned weak passwords. I see them on Windows servers and workstations, SQL Server systems, Internet Information Services (IIS), and Outlook Web Access. The risk knows no boundaries.
Many people credit hackers with their elaborate set of techniques that only the brightest of propeller heads can perpetrate. Maybe a few exploits fall into this category, but by and large it's the tried and true weak passwords and other security basics that'll get you every time.
So, what you can do about it? Well, Windows administrators and managers have at their disposal one of the greatest password policy enforcement tools ever built: Microsoft Active Directory. Within AD, you have the ability to control 100% of your Windows-related passwords. This might sound like a no-brainer, but many people still don't take advantage of its benefits. Even standalone systems allow you to use local security policies in Windows and derive the same benefits.
In otherwise secure Windows environments, I often see the basics such as "Password must meet complexity requirements" and "Enforce password history" disabled, while at the same time "Maximum password age" is enabled – much to the chagrin of users. Sometimes I'll even see the exact specifications that Microsoft recommends for strong passwords. Having a 42-day maximum password age may be considered a best practice, but that doesn't mean it's right for your business.
The problem is that many Windows shops have yet to define a reasonable password policy. A clear, concise and management-approved policy is essential, yet often ignored because of the political backlash it can cause. Management just doesn't want to deal with it.
Even if you have defined a password policy, you should know that a document in and of itself is not enough. Make sure you have a well-formatted policy that your users know and understand. Also don't overlook all the other passwords that can be exposed in your environment. The password for a non-Windows system can often lead to subsequent exposure, so be sure to educate your users on the value of having different passwords for different systems.
At the end of the day, the password decryption capabilities of tools such as Ophcrack and Elcomsoft's Proactive System Password Recovery can render Windows passwords useless. But that's not the point. One still shouldn't be able to use a good vulnerability scanner such as QualysGuard or Acunetix Web Vulnerability Scanner to crack Windows passwords. If a security consultant or auditor can do it, then a malicious insider or external attacker can do it as well. It's just a matter of time.
Access controls such as passwords are one of the most fundamental aspects of computer and network security, yet today in 2009 we still can't seem to get our arms around it. Politics and lack of management buy-in aside, there's probably no reasonable excuse for having Windows password weaknesses. Make the decision to fix this problem in your business, say, by the end of 2010. Even with all the fancy firewalls, data leak prevention, and malware protection technologies at your disposal, I'm confident that fixing weak passwords across your enterprise - once and for all - will do more to enhance security than all of them combined.
ABOUT THE AUTHOR
Kevin Beaver, is an information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC. Kevin specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security on Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at email@example.com.
This was first published in October 2009