Have you ever tried to crack your network users' passwords? Why would you do that, you ask? Simple: a compliance check is one reason. The other is to better understand what is possible and what kind of passwords your users are actually choosing. In this post, I'll discuss why it is a very good idea to do periodic password audits on your network.
You might think that running a password cracking program against your own network users is a waste of time. In fact, you have to remember that the bad guys are very likely to use exactly that type of tool, so you should use it first. That way you will know what a black hat will be able to get out of your password database. Here are a few reasons why you should do regular password audits.
You should not take false comfort in thinking your network is safe just because you have turned on the complex password group policy in Active Directory. The rules for complex passwords in Active Directory are as follows:
- The password is at least six characters long.
- The password contains characters from at least three of the following five categories:
  - English uppercase characters (A – Z)
  - English lowercase characters (a – z)
  - Base 10 digits (0 – 9)
  - Non-alphanumeric characters (for example: !, $, #, or %)
  - Unicode characters that are alphabetic but neither uppercase nor lowercase (for example, Asian scripts)
- The password does not contain the user's account name, or any part of the user's full name that is three or more characters long (the name is split on commas, periods, dashes, underscores, spaces, pound signs and tabs).
Using those rules, the password Password1 is actually a valid password. How good of a password is that? It is valid because Active Directory does not actually do a password complexity check. What it does is more accurately described as a password constraint check. The idea behind complex passwords is to force users not to use dictionary words as their passwords. Since it is not practical to keep a full dictionary inside Active Directory to verify that a password is not in it, the designers simply imposed constraints on what a password must look like. Hence the complex password group policy constraints described above.
Another aspect of passwords is that people tend to reuse the same password everywhere they can. What this means is that the password is only as strong as the weakest link: if you use the same password on a web site that is easily compromised, the black hat will try the newly discovered password on your bank account as well, knowing full well that it is likely to be the same one.
If you are not willing, or not allowed, to do a password audit on your network, you really should take a look at the studies that were done on passwords revealed by security breaches. There have been two recent incidents that are worth reading about. One is an article on Dark Reading (http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html) about the phpbb.com web site hack. The other is from Bruce Schneier, who analysed the passwords that were published by the people behind a fake MySpace web page used in a phishing campaign.
Whenever possible, you should use some kind of two-factor authentication, such as smart cards or an RSA token.
One of the best known password cracking programs is L0phtCrack, which used to be owned by Symantec. L0phtCrack has recently been re-acquired by its original authors, who intend to update the venerable software and start selling it again. There is other software, commercial and free, that can help you audit your users' passwords.