Archive

Posts Tagged ‘Passwords’

Does XKCD or Jason Kendall get “it”?

August 17th, 2011 3 comments

This post is a reply to this blog post by Jason Kendall.

It all started with this cartoon:

This cartoon basically started a hype about how XKCD was getting “it”. Jason posted a blog post stating that he did not agree with XKCD since:

  • While four words in theory have 44 bits of entropy (2^44), the search space is actually 250,000 to the power of 4 (250,000^4), since English has about 250,000 words
  • Most people would actually use three words, giving 15,625,000,000,000,000 combinations
  • Most people know even fewer than 250,000 words

So what is my take on this? The key to “it” is at the bottom of the cartoon:

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”

This is really the “it” XKCD does get.

So why do we use password policies in the first place? What problem are we trying to tackle?

First of all we are trying to tackle the problem that users are very bad at picking good passwords without guidance. This tweet illustrates that: Read more…

DefCon – Crack me if you can… – or how to prove password policies are harmful

August 26th, 2010 No comments
Passwords are like Pants... (a Creative Commons Attribution, Noncommercial, No Derivative Works image from Richard Parmiter's Flickr photostream)

One of the DefCon contests that most sparked my imagination was the “Crack me if you can” password cracking contest, organized by KoreLogic. The goal of the contest is to crack as many of the password hashes provided as possible. The rules of the contest allow the use of off-site and on-site computer equipment of any kind, but in order to be eligible for any prize money at least one team member had to be physically present at the DefCon conference.

The competition is interesting in more than one way. First of all the contest is educational in setup. Even though the amount of computer power a team can come up with is important in getting good results, it is not the determining factor in winning or losing the contest. Key to winning or doing well in the contest was understanding human behavior. KoreLogic generated a set of passwords they feel is representative of what they actually encounter in the field. Most corporate environments rely on a common set of rules that are used to force users to pick “strong” passwords and to change them regularly. While the goal of the rules is commendable, KoreLogic’s experience has taught them that the human behavior triggered by these rules makes passwords very predictable. “If you force employees to change their passwords four times a year, they will select something that naturally changes four times a year in most cities (except Las Vegas)”; typical passwords they find are things like Winter2010. Once you understand this pattern, you can reliably predict what this password will be in, say, 9 months or a year. Teams that saw this pattern and used it to make smarter password guesses did better in the competition.
Read more…

Defcon talk: Cracking 400,000 Passwords or How to Explain to Your Roommate why the Power Bill is a Little High by Matt Weir

August 6th, 2009 No comments

Matt Weir presented his research project which was aimed at finding better ways to crack passwords by making better password guesses.

Update: Matt’s blog, Slide deck, Sebastien Raveau’s word list (1, 2)

There are basically two types of password cracking:

  • Online, by trying usernames and passwords directly in the login screen. This only gives you a few tries, since the system and its countermeasures are still operational.
  • Offline, by trying to match passwords against password hashes, mostly for forensic reasons.
Read more…


Outdated security habits die hard

June 25th, 2009 No comments

A few days ago I had a meeting with some fellow security officers and an interesting topic came up: “What is the value of putting up disclaimers when logging into systems?”

I think we have all seen them, the annoying pop-up messages or scrolling text before you log onto a system telling you that it is an offence to log on unless you are authorized, etc, etc. If you do not know what I am talking about, here is the MS knowledge base article on how to set it up on a Windows box.

The debate was around the question whether such disclaimers actually add any security to the system. In order to answer that question we need to understand the origin of the disclaimer a little better. Apparently there has been a court case in which a hacker who was charged with breaking into a computer system by guessing the administrator password successfully defended himself by stating that when he first opened the system he was asked to “Please enter your username and password”. When he entered his username and password he got a message stating “invalid username or password, please try again”. So he was not trying to break into the system, but just doing what he was asked to do.

This little story makes me wonder: would this excuse for hacking still fly today? As I am not a lawyer (nor have any intention of becoming one) I am not in a position to give an authoritative answer, but I am going to make a guess based on what I do know about Dutch law. In order for someone to be found guilty of trespassing (either IRL or on a computer) you must prove that the person entered an “area” that he was not allowed to enter and that he knew was restricted. In other words, if you just happen to wander into a restricted area, but you had no way of knowing that you should not go there, it is not trespassing. However, if you jumped a fence in the process, you would be hard put to state that you were not aware. In the case of a computer it would be my opinion that having to enter a username and password should be sufficient reason for you to know that the system is restricted.

In my opinion this measure is one of those measures that we take out of sheer inertia, or to keep up with the Joneses, just like changing your password every month or putting a disclaimer on the bottom of an email.

Like the disclaimer, the monthly password change has a historical origin. Rumor has it that the “industry standard” monthly password change is derived from a calculation of how long it would take to perform a brute-force password attack on an old mainframe. Based on the outcome of this calculation (two months), changing your password every month very effectively reduces the risk of your password being cracked. However, the basic assumptions on which this habit is based have changed dramatically, for example due to Moore’s law and rainbow tables.

Does sticking to these outdated practices hurt? On the one hand these measures are cheap to implement. It only takes some changes to the registry, group policy or a text file. On the other hand they can be counterproductive. The disclaimer can cause annoyance when you have to click it away multiple times a day and will certainly not be read every time it is displayed.

The once-a-month password change is worse, because it encourages bad password practices like writing passwords down or using numbered increments (Password03, Password04, etc.).

Better alternatives, like awareness training and two-factor authentication, are available.

I would like to hear your thoughts on the matter fbreedijk (at) schubergphilis (dot) com