Attackers rely to a large degree on sloppy security practices, such as failing to keep systems up to date with the latest security patches, using default Windows accounts — like Guest and Administrator -- lax passwords and account security and a variety of exploitable bad habits by users. Some of the easiest ways to get someone's password include:
- Looking over a user's shoulder as he or she types in the password
- Finding it on a "sticky note" on the user's terminal screen
- Looking under the keyboard
- Asking the user
At Microsoft's TechEd conference a few years ago, one speaker told the audience about a group of hackers in the U.K. who had taken to the streets asking people to take a survey about their computer security habits. At the end of the "survey," they asked respondents to write their user names and passwords for their company computer accounts. These hackers actually collected thousands of account names and passwords using this technique.
Although IT managers may not be able to stop users from being victimized like this, they can implement password policies that can be enforced by Windows. The more you restrict these settings, the worse of an experience it is for users and the more help desk calls it will generate.
Resetting passwords has to be one of the top call generators for any IT help desk. Years ago in a small manufacturing company where I administered the network, an engineer approached me one day complaining about the restrictive password settings I'd enforced. He politely told me that either I had to reduce the password history restriction — the frequency that you can reuse a password — or he would need to have more children because he was running out of passwords he could remember. While I sympathized with him, I recognized the need to maintain security.
I call this the "irritation-to-security" ratio. And, by the way, there are many hacker Web sites that have free password cracking tools for download.
Password security should strike a balance between the inconvenience it causes users and the need to foil attackers who have nothing better to do than crack passwords. Believe me — they are out there. They even have their own conventions.
Establish a password complexity policy
There is a lot of discussion in security circles about how to get users to create strong passwords and how to maintain a good irritation-to-security ratio. Most passwords used today are single words that have some sort of creative placement of characters, using zero for the letter O, @ for the letter A, ! for the letter I, etc.
One of the password crackers' tools is a dictionary. These dictionaries are created by hackers and readily available on the Web. They contain commonly used passwords like Chicago or Yankees, John, Sally, Johnson, etc. Most companies — although they have no technical way to enforce it — require users to not use names of their family or friends, team names and the like. When users started creating passwords like Ch!c@g0 and Y@nk33s, the crackers figured out those iterations too.
It's really all about how long it takes a cracker to figure out a password. If a hacker hits one of the passwords in the dictionary, it's a quick hit, and the user will be compromised. So rule No. 1 is to avoid passwords that might be in the dictionary. Of course, a random group of letters, characters and numbers is best for security, but it's hard to remember. In that case, the user will likely have it written on a piece of paper stuck to his or her terminal.
There are 26 uppercase letters, 26 lowercase letters, 32 characters and 10 numbers — or 96 possible characters in all. Even if we only consider the most common characters, there are still 76 characters. If you use eight-character passwords, there are 6,095,689,385,410,816 possible passwords.
Consider pass phrases instead of passwords
According to Microsoft security expert Jesper Johansson, some cracking tools when run on even moderately powerful hardware can crack 3 million passwords per second. Even at that rate, a brute force attack would take more than six years, although a given password will usually be found in half of the total possible time.
By comparison, according to Johansson, a seven-character password would take only 28 days to crack. Johansson wrote a series of three Microsoft TechNet articles analyzing password security, which is a good read. The first is called The Great Debates: Pass Phrases vs. Passwords.
As mentioned in the TechNet article, another way to make a strong password is to use a pass phrase. Thus, instead of using Abr@h@mL!nc0ln, you would use Four Score and Seven Years Ago. This example is a 30-character password, with spaces. Throw in a couple of characters or numbers, and it can be an incredibly effective way to stop intruders.
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions
Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored
Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and
formerly for Windows File Systems.
This was first published in November 2007