[EAS] Password Cracking Basics

David Turnmire eassbelist at cableone.net
Thu Feb 14 22:56:03 CST 2013


Any form of brute force determining of passwords takes a finite amount 
of time.  The trick is not giving the bad guys enough time. They have 
various tricks to speed things up.  You can slow them down with complex 
or long passwords.  But as has been mentioned, the computer is only 
going to respond so fast to over the net login attempts.  By my math, a 
modestly good password can deal with that approach.  And a lockout 
mechanism can kill it dead.

The other avenue for the bad guy, as has been mentioned, is to look at 
vulnerabilities of the software itself and do an end-run around needing 
to know the password.  The fewer opportunities you present, the fewer 
chances they have of finding that vulnerability.  Which is why security 
folks recommend closing down any IP ports that you don't actually need, 
since each is associated with its own software.

It bears mentioning that you can't assume the attack on a given machine 
will come from outside.  It only takes one employee doing any number of 
things that result in ONE computer getting infected or penetrated for 
that computer to be used to attack others on the same network.  The 
nature of computers is such that the file on them with all of the 
passwords HAS to be freely readable by ANY authorized user of that 
computer.  Or anyone with physical access for that matter.  The 
individual passwords INSIDE that file are encrypted, but the file itself 
is free for the taking.  So...if the bad guy gets any kind of access to 
that computer (physical or via net), they have access to the password 
file.  Which has ALL passwords for ALL the accounts on that computer.

So... hacker takes that file with him and can now decrypt it at his 
leisure on his own computer.  The tools to do this are readily available 
on the net for free.  Gets even scarier for the larger businesses that 
have something called a "domain controller", where one file on one 
computer has ALL the company's passwords!  And all it takes to get 
access to THAT computer's password file is for an Administrator to use 
his "domain administrator" account to access one of the standard office 
computers, thus leaving THAT password available to anyone with access to 
that office computer.  I personally ran a "password audit" a while back 
(pre-Vista, when things got a bit tougher) using one such readily 
available program on just such a file.  Many companies with IT staff do 
this periodically.  Within 30 minutes over 90% of our staff's passwords 
were cracked using a mediocre office computer.  Several were cracked 
within the first minute.  Letting it run overnight resulted in 97% of 
the users being cracked.  The ones that weren't hacked within a day had 
passwords beyond the oft-cited 8 characters.

The moral to that story is EVERYONE's password at a company and 
EVERYONE's "safe computing practices" matters.  As does a layered 
approach to security (installing those security patches, anti-virus 
software, good passwords, etc).  In some regards the EAS boxes can be 
made MORE secure than your office network. If all network access EXCEPT 
the web interface is disabled, then you have restricted the hacker to 
guessing the password (fixed by decent passwords... at least if they 
aren't shared with your office computer!), and the vulnerability of the 
web software and perhaps some one or two other software packages on the 
box.  Which brings me to one of the other issues on my earlier "wish 
list".  Vendors that have a plan for keeping the OS updated (including 
web server software) with security patches rather than just "their code".

Dave
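The "by my math" argument above, worked through as an added example (this code is not from the post or the EAS list). It compares the worst-case time to exhaust a password keyspace for the three situations the message contrasts: guessing over the network, guessing over the network against a lockout policy, and offline cracking of a copied password file. The guess rates and the lockout policy are constructed assumptions, not measurements.

```python
# Constructed assumptions for illustration only:
#   - a network login service that answers about 10 guesses per second
#   - an offline cracker running against a copied hash file at 1e9 guesses/second
#   - a lockout policy of 5 failed attempts, then a 15-minute (900 s) lock
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_GUESSES_PER_SEC = 1e9
LOCKOUT_ATTEMPTS = 5
LOCKOUT_SECONDS = 900.0

SECONDS_PER_DAY = 86400.0


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidate passwords of exactly `length` characters
    drawn from an alphabet of `charset_size` symbols."""
    return charset_size ** length


def seconds_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst-case seconds to try every candidate at a given guess rate."""
    return space / guesses_per_sec


def lockout_rate(attempts_allowed: int, lockout_seconds: float) -> float:
    """Effective sustained guesses/second against a single account once it
    locks for `lockout_seconds` after `attempts_allowed` failures.  This is
    the 'lockout mechanism can kill it dead' case: the rate is bounded by
    the policy, not by how fast the server answers."""
    return attempts_allowed / lockout_seconds


def crack_time_days(length: int, charset_size: int) -> dict:
    """Worst-case days to exhaust the keyspace under each of the three
    scenarios the post contrasts."""
    space = keyspace(length, charset_size)
    return {
        "online": seconds_to_exhaust(space, ONLINE_GUESSES_PER_SEC) / SECONDS_PER_DAY,
        "online_with_lockout": seconds_to_exhaust(
            space, lockout_rate(LOCKOUT_ATTEMPTS, LOCKOUT_SECONDS)) / SECONDS_PER_DAY,
        "offline": seconds_to_exhaust(space, OFFLINE_GUESSES_PER_SEC) / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    # 8 characters from upper + lower + digits (62 symbols), the oft-cited case.
    for scenario, days in crack_time_days(8, 62).items():
        print(f"{scenario:>20}: {days:.3g} days")
```

Note that the offline figure is the one that matters once the password file has been copied: the same 8-character password that holds up for tens of thousands of years of network guessing falls in a few days offline, which is why the post stresses keeping the file out of reach rather than relying on password length alone.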


