Passwords will remain a recurring topic in IT security whether we like them or not: they are a key control and one which shows no signs of being replaced. The key issue with passwords is the people who set them, the individual users. We all know that most users put little effort into setting them and, sadly, they also put little thought into the implications of the systems they are used on being compromised, as can be seen from the spate of recent high-profile password leaks.

The key defence used to prevent users from setting weak passwords is the password policy. Whilst far from a new concept, password policies are typically implemented in corporate environments through Active Directory.

Active Directory supports password complexity

Included within Active Directory is support for password complexity. This feature enforces the following requirements, as described by Microsoft (2012):

Passwords must not contain the user's entire samAccountName (Account Name) value or entire displayName (Full Name) value.

They must contain characters from three of the following five categories:

1. Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)

2. Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)

3. Base 10 digits (0 through 9)

4. Non-alphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/

5. Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.

The minimum length has to be at least 6 characters, but this is often set to 8 within corporate environments.

The question that remains is: if a password meets these requirements, is it a good one that cannot be guessed? The short and simple answer is no! Not only are people lazy when it comes to setting them, they are also surprisingly predictable and often select the easiest ones to remember that conform to the rules. This results in multiple people selecting the same ones, as discovered in the recent password leaks.

How does this apply in the context of a Windows Domain where password complexity has been set? We see the same pattern: users picking the easiest password, and multiple users independently picking the same password! However, these are vastly different from the ones leaked on the Internet.

Performing analysis on passwords actually used in a domain reveals a clear pattern for most users: a dictionary word starting with a capital letter followed by one to four digits. This results in passwords such as Password1, Welcome1, January2012 and Monday2011. We have also found that passwords based on the company name and the geographic location of the offices are common choices.

This leads to a key point: current policies don't factor in how humans actually choose passwords, omitting checks for both known and predictable passwords that conform to the existing complexity rules. Those rules are mathematically valid only if humans set a truly random password.

Attacks against authentication systems don’t have to be directed against one account. Trying a small number of passwords against all accounts can be very effective, especially in avoiding account lockout, another common Active Directory control.
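The low-and-slow pattern described above (a few passwords tried against many accounts, each below the lockout threshold) looks very different in the logs from a brute-force attack on a single account, and can be picked out by that shape. The following is an added example, not code from the original article or from Portcullis: it runs a simple detector over a constructed set of failed-logon records. Event ID 4625 is the real Windows "An account failed to log on" event, but the comma-separated record layout, the addresses and the account names are all constructed for the example, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon records. Event ID 4625 is the Windows
# "An account failed to log on" event; the comma-separated layout here is our
# own simplification (timestamp, event id, target account, source address),
# not the native event format. 10.0.0.5 tries six accounts once each,
# 10.0.0.9 hammers one account, 10.0.0.7 is an ordinary user mistyping twice.
SAMPLE_EVENTS = """\
2013-02-01T09:00:01,4625,alice,10.0.0.5
2013-02-01T09:00:04,4625,bob,10.0.0.5
2013-02-01T09:00:07,4625,carol,10.0.0.5
2013-02-01T09:00:10,4625,dave,10.0.0.5
2013-02-01T09:00:13,4625,eve,10.0.0.5
2013-02-01T09:00:16,4625,frank,10.0.0.5
2013-02-01T09:01:00,4625,alice,10.0.0.9
2013-02-01T09:01:05,4625,alice,10.0.0.9
2013-02-01T09:01:10,4625,alice,10.0.0.9
2013-02-01T09:01:15,4625,alice,10.0.0.9
2013-02-01T09:01:20,4625,alice,10.0.0.9
2013-02-01T09:01:25,4625,alice,10.0.0.9
2013-02-01T09:02:00,4625,bob,10.0.0.7
2013-02-01T09:02:30,4625,bob,10.0.0.7
2013-02-01T09:03:00,4624,bob,10.0.0.7
"""


def parse_events(text):
    """Parse the constructed record format into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return events


def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {source: sorted accounts} for every source whose failed logons hit at
    least `min_accounts` distinct accounts inside `window`, with no single account
    tried more than `max_per_account` times (i.e. staying under a typical lockout
    threshold). A single-account brute force does not match this shape."""
    by_source = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id == 4625:  # failed logons only
            by_source[source].append((ts, account))
    hits = {}
    for source, failures in by_source.items():
        failures.sort()
        # Slide a window over this source's failures, oldest first.
        for i, (start, _) in enumerate(failures):
            per_account = defaultdict(int)
            for ts, account in failures[i:]:
                if ts - start > window:
                    break
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                hits[source] = sorted(per_account)
                break
    return hits


if __name__ == "__main__":
    for source, accounts in detect_spraying(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible password spraying from {source}: {', '.join(accounts)}")
```

Only 10.0.0.5 is reported: the single-account source exceeds `max_per_account` and would instead be caught by lockout, and the ordinary user never reaches `min_accounts`. In a real domain the source field needs care, since a terminal server or proxy legitimately fails logons for many users from one address, so the thresholds (and possibly an allow-list of such hosts) must be set per environment.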

How many Domain Administrators have ever wondered about their users using "Password1"? It may just surprise them! From our experience, Password1 is the new password; there always seems to be someone, or maybe more than one person, with this password in a Windows Domain.

Password policies need to account for known and predictable passwords: they need to hold a dictionary of words and they need to prevent users from selecting them, in exactly the same way they prevent ones that do not meet the minimum character length. The ones which fall into the "Password1" category will forever grow and change as industry good practice guides move with the times, so what would a suitable replacement for the password be?
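To make the gap concrete, here is an added example (not code from the original article, from Portcullis or from Microsoft) that implements the Active Directory complexity rules listed earlier and then bolts on the dictionary check this paragraph calls for. It assumes a minimum length of 8 (the corporate default mentioned above), compares samAccountName and displayName case-insensitively as whole values, and uses a small constructed blocklist (common words, months and weekdays, and a made-up company name and office city) where a real deployment would load a much larger one. The point it demonstrates is that Password1 and January2012 pass the complexity rules untouched and are only rejected by the additional check.

```python
import re

# Character classes from Microsoft's complexity requirement (symbol set as listed above).
DIGITS = frozenset("0123456789")
SYMBOLS = frozenset("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

# Constructed blocklist. A real deployment would hold a far larger dictionary
# (leaked-password lists, the company name, office locations) and update it as
# the "Password1" category changes over time.
KNOWN_BAD = {"password", "welcome", "letmein", "qwerty"}
DATE_WORDS = {
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december",
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
}
ORG_WORDS = {"portcullis", "london"}  # constructed: company name and office city
BLOCKLIST = KNOWN_BAD | DATE_WORDS | ORG_WORDS

# The pattern the post describes: a word, optionally followed by up to four digits
# and at most one trailing symbol (matched against the lowercased password).
WORD_THEN_DIGITS = re.compile(r"^([a-z]+)\d{0,4}[^a-z0-9]?$")


def complexity_categories(password):
    """Return the set of Microsoft character categories present in the password."""
    seen = set()
    for ch in password:
        if ch in DIGITS:
            seen.add("digit")
        elif ch in SYMBOLS:
            seen.add("symbol")
        elif ch.isupper():
            seen.add("upper")
        elif ch.islower():
            seen.add("lower")
        elif ch.isalpha():
            seen.add("other_alpha")  # alphabetic but neither case, e.g. CJK characters
    return seen


def meets_ad_complexity(password, sam_account_name="", display_name="", min_length=8):
    """The Active Directory rules as stated above: minimum length (8 assumed here),
    no embedded samAccountName or displayName (compared case-insensitively), and
    characters from at least three of the five categories."""
    lowered = password.lower()
    if len(password) < min_length:
        return False
    if sam_account_name and sam_account_name.lower() in lowered:
        return False
    if display_name and display_name.lower() in lowered:
        return False
    return len(complexity_categories(password)) >= 3


def is_predictable(password):
    """True when the password is a blocklisted word plus the usual digits/symbol suffix."""
    match = WORD_THEN_DIGITS.match(password.lower())
    return bool(match) and match.group(1) in BLOCKLIST


def check_password(password, sam_account_name="", display_name="", min_length=8):
    """Return the list of reasons for rejection; an empty list means the password is accepted."""
    reasons = []
    if not meets_ad_complexity(password, sam_account_name, display_name, min_length):
        reasons.append("fails AD complexity policy")
    if is_predictable(password):
        reasons.append("known or predictable password")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1", "January2012", "password1", "Tr0ub4dor&3"]:
        print(candidate, check_password(candidate, "jfisher", "James Fisher") or "accepted")
```

The blocklist check is deliberately applied to the base word after the digit and symbol suffix is stripped, because the suffix is exactly how users make a dictionary word satisfy the category rules; checking the full string against a list of literal passwords would miss Password2, Password3 and so on.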

Written by: James P. Fisher of Portcullis.

Reference:

Microsoft (2012)
http://technet.microsoft.com/en-us/library/cc786468%28v=ws.10%29.aspx (accessed 1st of February, 2013)

Any questions/feedback?

If you have any further questions/feedback regarding the Password is dead, long live "Password1" article, please do get in touch! We would like to hear your thoughts. You may contact us at: labs@portcullis-security.com
