FAQ - passwords

I'm getting lots of questions on my work into passwords and related issues, and it's way overdue to create a FAQ for myself as well as others to answer all those questions.

So in no particular order, I'll start with the questions and my answers here. If you can't find your question or an answer (or blog post) that gives you the info you were looking for, please send me an e-mail at per at my-last-name DOT net.
------

Q: Why this obsession with passwords?
Well, I've said in numerous presentations by now that it probably started with a couple of penetration tests I did some time ago, in a galaxy far, far away:

The first one was a Fxxxxxx YYY company where I managed to compromise several tens of thousands of user accounts in a Windows domain in a single day by simply testing 3 passwords per domain admin account. No accounts got locked out (as far as I know), admins didn't detect anything, and at least one of the accounts was using a password from my list. TA-DA, with domain admin rights you've got access to pretty much anything. No buffer overflows, no advanced tools or tricks, no sniffing, no prior knowledge about anything. ONE DAY.
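The pattern in that first story (a few guesses per admin account, deliberately under the lockout threshold) is exactly what per-account lockout counters miss; it only shows up when failures are correlated per source across accounts. The following detector is an added example, not code from the original post, and runs over a small constructed set of failed-logon events (Windows event 4625 style: timestamp, source address, target account); the lockout threshold and window size are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events, modelled on the FAQ's war story:
# one source tries 3 guesses against each admin account and stops before the
# (assumed) lockout threshold. Field order: timestamp, source, target account.
SAMPLE_EVENTS = [
    ("2010-08-23 09:00:01", "10.0.0.7", "adm-alice"),
    ("2010-08-23 09:00:05", "10.0.0.7", "adm-alice"),
    ("2010-08-23 09:00:09", "10.0.0.7", "adm-alice"),
    ("2010-08-23 09:00:14", "10.0.0.7", "adm-bob"),
    ("2010-08-23 09:00:18", "10.0.0.7", "adm-bob"),
    ("2010-08-23 09:00:22", "10.0.0.7", "adm-bob"),
    ("2010-08-23 09:00:27", "10.0.0.7", "adm-carol"),
    ("2010-08-23 09:00:31", "10.0.0.7", "adm-carol"),
    ("2010-08-23 09:00:35", "10.0.0.7", "adm-carol"),
    # A single user mistyping their own password twice: must NOT alert.
    ("2010-08-23 09:01:00", "10.0.0.42", "dave"),
    ("2010-08-23 09:01:30", "10.0.0.42", "dave"),
]

def detect_spraying(events, lockout_threshold=5, min_accounts=3,
                    window=timedelta(minutes=10)):
    """Return {source: sorted target accounts} for every source that fails
    logons against at least `min_accounts` distinct accounts inside `window`
    while staying below `lockout_threshold` attempts on each single account.
    Brute force on one account is left to the normal lockout policy."""
    by_source = defaultdict(list)
    for ts, src, acct in events:
        by_source[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct))
    alerts = {}
    for src, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it covers `window` at most
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_acct = defaultdict(int)
            for _, acct in rows[start:end + 1]:
                per_acct[acct] += 1
            if (len(per_acct) >= min_accounts
                    and max(per_acct.values()) < lockout_threshold):
                alerts[src] = sorted(per_acct)
    return alerts

if __name__ == "__main__":
    print(detect_spraying(SAMPLE_EVENTS))
```

Raising `min_accounts` or shortening `window` trades missed slow sprays for fewer false positives; the per-account ceiling is what separates this from the lockout counter's view.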

The second engagement was a bank. Time used to boot my laptop, connect to ethernet (internally in meeting room), sniff, crack Administrator account (windows domain), and prove that the root account/password in the domain gave root access on their Unix systems as well: 15 minutes. (Sure, a bit of luck on some issues there, but hey; 15 minutes!)

Third "war story": I found an 8-digit password on a Windows domain account, belonging to a Solaris sysadmin. I knew him, couldn't resist, and checked the phone register. Unknown number. Called the number, woman answers. With his last name. A-ha! Unlisted phone number. Smart guy, heh? Called him. "Do you know this number xx-xx-xx-xx?". Quiet, maybe for like... 6-7-8 seconds. Then he said: "How the hell did you find my root password?". "I didn't," I said, "but thanks for the info!". He changed them both, different passwords on each system this time. :-)

Q: Is password hash extraction and "cracking" legal, like you do?
Good question. The first response is of course "No! Of course not!". But that would be wrong. First, "legal" could mean international or domestic laws, but for most it will be a question of corporate and/or organizational (security) policy. Secondly, it is about the purpose of doing this. I'm not doing this to hack, crack, steal, manipulate or destroy anything at all. I'm measuring the strength of current and historical passwords in order to better understand the risks passwords expose us all to. Maybe even more important: to improve our ability to write better (easier & more secure) password policies, and to implement them in such a way that we can actually achieve 100% compliance (can you document that on your corporate domain?).

Q: But you get access to the CEO's password! That's got to be dangerous!
Sure it is. It's a question of trust, chain of custody, separation of duties and understanding the fact that you don't need his (or her) password to do damage in their name. Not at all. So for the privacy issues you would like to raise, getting access to the password doesn't really change the risk much as I see it. From the business perspective there are many ways to protect confidential information while still measuring password strength through this kind of work.

Q: How long have you actually been doing this stuff?
Well, I'd say 9 years+ as a personal interest during my spare time, even longer on the professional side (penetration testing since 96-97 or so).

Q: Passwords are obsolete. What do you suggest?
Obsolete? Sorry, I don't think we'll get rid of them in the very near future. PIN codes (usually 4 digits...) are being used to protect all kinds of systems now. A PIN code is a password, just with really bad entropy and probably on forced change intervals. (During the NISnet winter school at Finse I said and wrote: "I'm not a crypto guy. To me crypto is either a tool or a challenge, probably with bad passwords at each end of it".) As for suggestions on alternatives to regular passwords, I'll get back to that in some later blog posts.

Q: What is your goal with this password stuff of yours?
You know, sometimes I wonder a little myself. See, this has become a time-consuming and very broad security topic to me over the years. PIN codes, the psychology behind users' choice of passwords, policies, detection of hacking attempts, you name it. As of today, August 23, 2010, I would say: (1) tell people to use long passwords (no other rules, requirements or limitations), (2) tell vendors to remove all default passwords from their systems, (3) tell vendors and service providers to allow the use of long passwords (<128 characters would be nice), (4) tell the government (and others) providing advice on passwords to talk together, to end-users and others, and CO-OPERATE a little better. Oh, and I hope for eternal peace and prosperity for everyone as well. ;-)