The importance of password audits

Have you ever tried to crack your network users’ passwords? Why would you do that, you ask? Simple: a compliance check is one reason. The other is to better understand what is possible and what kind of passwords your users are using. In this post, I’ll discuss why it is a very good idea to do periodic password audits in your network.

You might think that the idea of running a password cracking program against your network users is a waste of time.  In fact, you have to remember that if the bad guys are likely to use that type of tool, you should use it first.  That way you will know what a black hat will be able to get out of your password database.  Here are a few reasons why you should do regular password audits.

You should not have the false comfort that your network is safe just because you have turned on the complex password group policy in Active Directory.  The rules for a complex password in Active Directory are as follows:

  • The password is at least six characters long.
  • The password contains characters from at least three of the following five categories:
    • English uppercase characters (A – Z)
    • English lowercase characters (a – z)
    • Base 10 digits (0 – 9)
    • Non-alphanumeric (For example: !, $, #, or %)
    • Unicode characters
  • The password does not contain three or more characters from the user’s account name.

Using those rules, the password Password1 is actually a valid password.  How good of a password is that?  It is valid because Active Directory does not actually do a password complexity check.  What it does is more accurately described as a password constraint check.  The idea of complex passwords is that it should force users not to use dictionary words as their passwords.  Since it is not practical to have a full dictionary in Active Directory to make sure that passwords are not in the dictionary, the designers simply imposed constraints on what your password should look like.  Hence the complex password group policy constraints described above.
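To make the distinction concrete, here is an added example (not from the original post) that implements the constraint check as listed above and sets it beside the dictionary check that Active Directory skips. The account name, the mini wordlist and the leet-substitution table are constructed for illustration, and the account-name rule is implemented as my reading of the post's wording.

```python
import re

# Character categories from the Active Directory complexity rule listed above.
CATEGORIES = {
    "upper": lambda c: "A" <= c <= "Z",
    "lower": lambda c: "a" <= c <= "z",
    "digit": lambda c: "0" <= c <= "9",
    "symbol": lambda c: c.isascii() and not c.isalnum() and not c.isspace(),
    "unicode": lambda c: not c.isascii(),
}

def contains_account_fragment(password, account_name, run=3):
    """True if any run of `run` consecutive characters of the account name
    appears in the password (case-insensitive). This is one reading of the
    'three or more characters from the account name' rule; AD's own token
    matching differs in detail (assumption)."""
    pw, name = password.lower(), account_name.lower()
    if len(name) < run:
        return False
    return any(name[i:i + run] in pw for i in range(len(name) - run + 1))

def meets_ad_constraints(password, account_name, min_length=6):
    """The constraint check as the post lists it: minimum length, three of five
    character categories, no account-name fragment. Returns (passed, reasons)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length}")
    hit = sum(1 for test in CATEGORIES.values() if any(test(c) for c in password))
    if hit < 3:
        reasons.append(f"only {hit} of 5 character categories")
    if contains_account_fragment(password, account_name):
        reasons.append("contains part of the account name")
    return (not reasons, reasons)

# Constructed mini wordlist standing in for the dictionary AD never consults.
WORDLIST = {"password", "welcome", "summer", "letmein"}

def looks_like_dictionary_word(password):
    """Strip trailing digits/symbols and undo common leet substitutions, then look
    the base word up: the normalisation a cracker's rules apply and AD does not."""
    base = re.sub(r"[^A-Za-z]+$", "", password).lower()
    base = base.translate(str.maketrans("013457@$!", "oleastasi"))
    return base in WORDLIST

if __name__ == "__main__":
    for pw in ("Password1", "P@ssw0rd!", "jsmith123!", "Tr0ub4dor&3"):
        ok, why = meets_ad_constraints(pw, "jsmith")
        print(f"{pw:12} AD constraints: {ok!s:5} {why}  dictionary-like: {looks_like_dictionary_word(pw)}")
```

Password1 and P@ssw0rd! both pass the constraint check and both fall to a trivial wordlist, which is exactly what an audit with a cracker would show you.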

Another aspect of passwords is that people will tend to re-use the same password everywhere they can.  What this means is that the password is only as strong as the weakest link.  Namely, if you use the same password on a web site that is easily compromised, the black hat will try the newly discovered password on your bank account as well, knowing full well that it is likely going to be the same password.

If you are not willing, or not allowed, to do a password audit on your network, you really should take a look at studies that were done on passwords revealed by security breaches.  There have been two recent incidents that are worth reading about.  One is an article on Dark Reading (http://www.darkreading.com/blog/archives/2009/02/phpbb_password.html) about the phpbb.com web site hack.  The other one is from Bruce Schneier, who did an analysis of passwords that were published by the people behind a fake MySpace web page used in a phishing campaign.

Whenever possible, you should use some kind of two-factor authentication, such as smart cards or an RSA token.

One of the best-known password cracking programs is L0phtCrack, which used to be owned by Symantec.  L0phtCrack has recently been re-acquired by its original authors.  They intend to update the venerable software and start selling it again.  There is other software that can be purchased (and some that is free) that can help you audit your users’ passwords.

How to use a Smart Card to digitally sign your e-mails in Outlook

If you are using smart cards in your network only for authentication, you are missing out on the other things you can do to secure your communication with others. This post will show you how to enable your smart card to be used to digitally sign or encrypt your e-mails in Outlook 2003.

Where I currently work, we are using smart cards in order to secure Active Directory accounts with elevated privileges.  That’s a great way to do two-factor authentication because smart cards are integrated into AD natively.  In order to force an account to use a smart card, you only have to tick a checkbox on the user account.

In order to be able to digitally sign and encrypt your e-mails, you have to first take the following steps:

  1. Import the certificate on your smart card into the IE Store
  2. Configure Outlook to use the certificate
  3. Start signing/encrypting your e-mail

Sounds simple enough.  Let’s get into the details of how we do all of that.

The first step is to import the digital certificate that is on the smart card into what is sometimes called the IE store.  Since I use Gemalto’s GemSafe drivers, it is fairly easy.

  1. I first go to the Certificates section of the Toolbox and click on my certificate.
  2. This enables the Export… button.  Click on it to go to the export screen.
  3. Select Export to IE store and make sure that you select Personal as the certificate store.
  4. Click the Export button.

This puts a copy of the certificate (private and public keys) into your personal store for your use.  You can verify that the certificate was imported properly by opening Internet Explorer and clicking on Tools | Internet Options | Content | Certificates.  Your certificate should be listed in the Personal tab.  Click on the certificate.  This will fill in the Certificate intended purposes section at the bottom of the dialog box.  If Secure Email is not one of the intended purposes, then you will not be able to use this certificate to sign your e-mails.

Now the last thing to do is to configure Outlook to use that certificate.

  1. In Outlook (I’m using Outlook 2003), click on Tools | Options… | Security tab | Settings… button in the Encrypted e-mail section.
  2. Here we need to choose our signing certificate and encryption certificate.  Click on the Choose… button and select the same certificate in both cases.
  3. Your Hash Algorithm should be SHA1 because it is stronger than the old MD5.
  4. Your Encryption Algorithm is probably defaulted to 3DES, which is the strongest algorithm available.
  5. Make sure that the checkbox for the Send these certificates with signed messages option is checked.  This will then allow your recipient to import your certificate (with your public key only) into their store.  This way they will be able to encrypt e-mails to you and only you will be able to decrypt them.

And there you go.  The next time you write an e-mail, simply click on the Options… button and then the Security Settings… button to open the dialog box that will allow you to digitally sign and encrypt your e-mail.  Make sure that your smart card is inserted.  When you click on the Send button, you will be asked to enter your PIN before your e-mail is signed and encrypted in order to confirm your identity.

I hope this was helpful to you.  Let me know if you have any questions.