Tip

Weak passwords can make your company vulnerable

Are weak passwords really that risky?

I have been focusing on Windows security for the past few years, and have trained, consulted, and developed solutions for both administrators and security auditors in that time period. As I come into contact with all groups that deal with Windows security, the number one problem that I see in almost every environment is password control. Either passwords are left blank or they are so weak they might as well be blank. With the new push for higher security compliance mandated by regulations, the problem is becoming smaller, but it's not solved completely. In this article we will discuss some of the problems and solutions that all companies can implement to reduce the risk that weak passwords invite into your organization.

Problem stems from blank passwords

I have to expose the reality of the weak password problem we are faced with by starting at the operating system level. Up until Windows Server 2003, the default Administrator password, and all subsequent new user accounts, could be created with a blank password. It does not take a Ph.D. in computer security to realize that this is a horrible configuration and can have horrifying consequences.

Other problems arise in that most companies don't want to put end users (employees) in circumstances where they must deal with complex passwords. Historically, passwords becoming more complex for end users are directly proportionate to calls to the help desk for reminders

Requires Free Membership to View

on passwords.

I blame administrators and managers for not solving this problem. If administrators go to their managers and then those managers go to executives with the risks and proven attacks on weak passwords, most companies would immediately implement stronger password policies. Most administrators and managers that I know are aware of these issues, but they just don't feel they will have much leverage when they present the problem.

Why? First off, they feel users in their organization will complain too much about the passwords being too long or complex. Secondly, their higher-ups won't think that it is a "real" problem for their company, so they figure "Why bother?" Finally, they might just think that their company is too small to worry about such a problem.

Solutions for weak passwords

The solutions exist, but they require more than what the default options offer. If your company has configured a password policy that requires a seven- character limit, but does not require any complexity in the password, your solution is not much better than a blank password. The tools that "crack" passwords can decrypt these types in minutes.

If your company recognizes that the default Windows password approach is a problem and has implemented a complex password policy, you have done a great job of stepping up from weak passwords. But it isn't enough. There are tools like Rainbow Crack from Zhu Shuanglai that can use tables to break passwords up to 14 characters, improving password vulnerability in just days.

Ideally, you need to implement a password policy that requires a minimum password length of more than 20 characters. Before you choke on your coffee, let me quickly explain how this will be successful. First, start to use passphrases like "It is a dry heat in AZ."

This is a 23-character, complex password, or passphrase, but it allows the user to easily remember it and makes it more difficult for outsiders to crack. Second, teach your users the concepts of passphrases, which takes no more effort than distributing an inner office memo. Third, get a solution that can change all administrator and service account passwords centrally. Administrator and service account passwords are rarely changed; some have not been changed in over five years! (If you don't believe me, ask your admins when the last time they changed the service account passwords.) An ideal solution for this is Desktop Standard Corp.'s PolicyMaker, which relies on Group Policy to control the changes.

Summary

Weak passwords are an easy target for most crack tools. Therefore, you need to take every precaution to protect your assets by enforcing strong passwords. If a password is not strong enough, there are tools that can easily exploit that. By using passphrases that are complex, your weak password issues will be a thing of the past.


10 tips in 10 minutes: Windows IT management

  Introduction
  Tip 1: The long-range plan for 64-bit hardware
  Tip 2: A Window into interoperability
  Tip 3: Third-party software: Do you need it?
  Tip 4: Buy 64-bit now; you won't regret it
  Tip 5: Maintaining a secure Active Directory network
  Tip 6: Firewalls can help or hurt, so plan carefully
  Tip 7: Weak passwords can make your company vulnerable
  Tip 8: Keys to finalizing your Active Directory migration
  Tip 9: Network safety relies on reaction time to Patch Tuesday
  Tip 10: Make friends with your security auditors

Derek Melber, MCSE, MVP, and CISM, is the Director of Compliance Solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Derek at derekm@desktopstandard.com.

This was first published in September 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.