[Dshield] Fun with passwords

Chris Brenton cbrenton at chrisbrenton.org
Tue Jul 8 08:26:30 GMT 2008

Great tips Johannes! A couple of additions:

On Mon, 2008-07-07 at 09:05 -0400, Johannes Ullrich wrote:
> If you can't implement two-factor authentication, suggest that your  
> users use passphrases. And configure your policy to allow for pass  
> phrases. (long, but not too picky on character variety)

If your system cannot accept passphrases, they can still be useful.
Just use them with some form of key (first letter off of each word, last
letter of each word, first letter but converted to elite speak, etc.,
etc.). This can create seemingly random strings of characters that are
still easy to remember. An attacker needs to fall back on brute force
rather than rule-based attacks, which are a lot more time consuming. I'm
also a big fan of math formulas for similar reasons.

> Keep all passwords encrypted. Always. Even if your website is of "low  
> value", consider the passwords important as some users may re-use  
> passwords. You do not want to know your users password.

This can be a bit of a quandary when you start dealing with things like
letting your users check their home e-mail. Let them use something clear
text like POP-3 and the credentials leaving your perimeter are in the
clear and probably the same ones they use internally. Let them encrypt
it with something like POP-3 over SSL or HTTPS and you have now let them
create an outbound VPN they can use for sending corporate sensitive
documents off-site. Kind of a no-win situation.

> Lastly: if a website restricts the password length to lets say "15  
> characters": Chances are the password is not encrypted on the back- 
> end. If it is encrypted ("hashed"), the password would be always the  
> same length as it is entered into the database.

Could also be an older hash system like DES or LanMan. BTW, most folks
don't realize that the NoLMHash reg key still gets set to "0" by
default. So if your users have a 14 character or less password a LanMan
hash is getting created that is a whole lot easier to crack than its NT
hash equivalent (not that an NT hash without salt is all that strong, but
it's at least better than LanMan).
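As an added illustration (not part of Chris's post or any tool he mentions), here is a small Python sketch of the two points above: deriving a non-dictionary string from a passphrase with a "key" (first letters, last letters, first letters in leet speak), and checking whether the result would still get a LanMan hash on a Windows host with NoLMHash left at 0. The sample phrase and the leet substitution table are constructed for the example; the 14-character limit and the uppercase/7-byte-half structure are the documented behaviour of LM hashing.

```python
"""Passphrase 'key' derivation plus a LanMan-exposure check.

Added example, not code from the original mailing-list post.
"""

# Constructed leet table (assumption: any consistent mapping will do).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"})

LM_MAX_LEN = 14   # Windows only computes an LM hash for passwords <= 14 chars


def first_letters(phrase: str) -> str:
    """Key 1: first letter of each word."""
    return "".join(w[0] for w in phrase.split())


def last_letters(phrase: str) -> str:
    """Key 2: last letter of each word."""
    return "".join(w[-1] for w in phrase.split())


def first_letters_leet(phrase: str) -> str:
    """Key 3: first letters, then converted to leet speak."""
    return first_letters(phrase).translate(LEET)


def would_get_lm_hash(password: str) -> bool:
    """True if a host with NoLMHash=0 would also store an LM hash.

    Passwords longer than 14 characters get an NT hash only, which is
    the cheapest way for users to opt out of LanMan exposure.
    """
    return len(password) <= LM_MAX_LEN


def lm_halves(password: str) -> tuple:
    """Show why LM is weak: uppercase, null-pad to 14, split into two
    independent 7-character halves (each hashed on its own).  A password
    of 7 or fewer characters leaves the second half empty."""
    padded = password.upper().ljust(LM_MAX_LEN, "\x00")
    return padded[:7], padded[7:]


if __name__ == "__main__":
    phrase = "the quick brown fox jumps over the lazy dog"  # constructed
    for fn in (first_letters, last_letters, first_letters_leet):
        pw = fn(phrase)
        print(f"{fn.__name__:18s} {pw!r:14} LM hash stored: {would_get_lm_hash(pw)}")
```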


More information about the list mailing list