Security Basics mailing list archives

Re: RE: ADS Password Storage Protection
From: eric.baechle () dhs gov
Date: 19 Jul 2006 17:15:24 -0000

With all due respect to all;

We've wandered way off the topic.  The discussion was on "Active Directory Services (ADS) Storage Protection" 
methodologies.  Mathematics proves what password types are entropically stronger, and proactive password auditing 
proves what passwords are practically stronger.  The debate here is not length vs. complexity in passwords but the 
susceptibility of password storage systems to attack.

Password length and complexity remain a very valid discussion.  Password recovery plays an especially important part 
in obtaining access to systems not connected to the originally compromised system.  For example, if I use the same 
password for my banking as I use for my computer at home; someone that cracked my home computer password now has 
credentials for my bank web-account.

The important fact here is that regardless of my attempts to strengthen my password, someone that has the ability to 
crack my password on my home computer has the ability to "recover" my password no matter how strong it is through means 
other than cracking.  Access to my system to recover the password hashes means that an intruder has the same level of 
access required to install root kits and key-loggers.

In keeping with the discussion topic, if I obtained the password hashes using PWDUMP or other extraction tool, I have 
all I need to be able to authenticate as any user, including Administrator, using one of the modified open-source SMB 
clients.  Upon accessing the system as Administrator (SID 500 - to prevent trolls from starting arguments about 
renaming accounts), I obtain access to all connected ADS systems (including the workstations).  From this launchpad I 
can install root-kits and key loggers on distributed client systems using ADS group-policy and pushing MSI packages.  
And finally, I just wait for you to type your 200+ character pass-phrases.

Upon looking at the anatomy of an attack, the threat comes not from the ability to crack a "strong password" (however 
you define strong=long, etc).  Instead the origin of the attack comes from obtaining access to the password hash 

What I propose is that discussions on password length vs. strength are purely academic rather than practical to system 
security.  Creating super-long passwords (more than 8 characters or so) does not provide a theoretical increase in 
protection to systems but not a practical one.  Credential passing algorithms such as Kerberos should use strong 
pre-shared or one-time keys for transmitting the passwords so they can't be sniffed.

So my question to you is, do you REALLY think your passwords are secure?


Eric Baechle, CISSP/ISSEP, etc.
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security
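The point Eric makes above, that a dumped hash is itself the credential when network authentication is keyed on the stored hash, so passphrase length changes nothing once the store is read, as an added example that is not part of his post: a constructed toy model (not real NTLM or Active Directory code) puts a hash-keyed challenge-response store beside a salted PBKDF2 verifier and runs one design check on each, whether a copy of the stored record alone passes login. The class and function names, the sha256 stand-in for the NT hash and the sample user are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed model for this note (not real NTLM or AD code). Two ways a server can
# store and check a password, tested for the property the post raises: does a copy
# of the stored value alone let someone log in?
ITER = 50_000  # PBKDF2 work factor, illustrative

def unsalted_hash(password: str) -> bytes:
    # Stand-in for an NT-hash-style verifier: unsalted, fast, password-derived.
    # (Real NT hashes are MD4 over UTF-16LE; sha256 is used so this runs anywhere.)
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def keyed_proof(key: bytes, challenge: bytes) -> bytes:
    # Client side of the challenge-response: needs only the key, never the password.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class HashKeyedChallengeServer:
    """Challenge-response keyed directly on the stored hash."""
    def __init__(self, users: dict):
        self.store = {u: unsalted_hash(p) for u, p in users.items()}
    def login(self, user: str, proof_fn) -> bool:
        challenge = os.urandom(16)
        return hmac.compare_digest(proof_fn(challenge), keyed_proof(self.store[user], challenge))

class SaltedVerifierServer:
    """Password submission checked against a salted, slow (PBKDF2) verifier."""
    def __init__(self, users: dict):
        self.store = {}
        for u, p in users.items():
            salt = os.urandom(16)
            self.store[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITER))
    def login(self, user: str, password: str) -> bool:
        salt, verifier = self.store[user]
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER), verifier)

def password_login(server, user: str, password: str) -> bool:
    """What a legitimate client does: it knows the password."""
    if isinstance(server, HashKeyedChallengeServer):
        key = unsalted_hash(password)
        return server.login(user, lambda c: keyed_proof(key, c))
    return server.login(user, password)

def stored_record_suffices(server, user: str) -> bool:
    """Design check: does the stored record, with no password, pass login?"""
    record = server.store[user]
    if isinstance(server, HashKeyedChallengeServer):
        return server.login(user, lambda c: keyed_proof(record, c))  # hash is the credential
    return server.login(user, record[1].hex())  # a verifier is not a password
```

Run the check against both servers with the same long passphrase: the hash-keyed store passes login from the stolen record alone, the salted verifier does not, and the passphrase length plays no part in either outcome.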
