Password Presentation - P@ssw0rds
In my last post I provided a template business case that InfoSec people could use to justify increasing the minimum password length while also reducing the frequency of enforced password changes. The reasoning is that if users are not forced to change their passwords regularly, they will be more inclined to select complex passwords that are difficult for an attacker to guess or crack (but still easy for them to remember). This is a sound business case but, to really make the point, wouldn’t it be great to also provide empirical evidence that, under the default password policy, users are actually choosing weak passwords?
With some technical knowledge, password hashes can be dumped from a domain controller and subjected to a cracking attack. Chances are that, in a domain with a default password policy, many users’ plaintext passwords will be revealed within a reasonable amount of time. Metrics can then be derived, such as the percentage of passwords that were successfully cracked, the average length of the passwords users selected, or the base words users most commonly built their passwords on.
Armed with evidence that users are selecting weak passwords and the business case, there should be little trouble convincing senior management that a change in the organisation’s password policy is necessary to keep the organisation secure.
Following the change in the password policy, the password hashes can be dumped from the domain controller again and the cracking attack repeated. Further metrics can now be derived, the most obvious being the number of passwords cracked before and after the policy change. There will very likely be a drop in the number of passwords cracked, which is great: it shows that the change was justified!
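As an added example (not code from the original post or its presentation), the script below derives the audit metrics described above, percentage of hashes cracked, average length of cracked passwords, most common base words, and the before/after comparison, from the kind of result list one would assemble from a cracking tool's output once the audit is done. The hash dumping and cracking themselves are out of scope; the two result lists are constructed sample data, and the base-word heuristic (strip surrounding digits and symbols, undo a few common leet substitutions, keep the longest alphabetic run) is this example's own assumption, not a method the post prescribes.

```python
"""Derive password-audit metrics from cracking results (added example).

Each result is a (username, password) tuple where password is the
recovered plaintext, or None when the hash was not cracked.
"""
from collections import Counter
import re
import statistics

# Constructed sample results for the audit run under the default policy.
BEFORE_POLICY = [
    ("alice", "Summer2019!"), ("bob", "Password1"), ("carol", "P@ssw0rd"),
    ("dave", None), ("erin", "Welcome1"), ("frank", "summer19"),
    ("grace", None), ("heidi", "Qwerty123"), ("ivan", "password"),
    ("judy", "Winter2019!"),
]

# Constructed sample results for the repeat audit after the policy change.
AFTER_POLICY = [
    ("alice", None), ("bob", None), ("carol", "correct horse battery"),
    ("dave", None), ("erin", None), ("frank", "summertime2019holiday"),
    ("grace", None), ("heidi", None), ("ivan", None), ("judy", None),
]

# Reverse a handful of common leet substitutions so that "P@ssw0rd" and
# "password" count as the same base word (assumed heuristic, not exhaustive).
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "$": "s"})
_STRIP = "0123456789!@#$%^&*()-_=+[]{};:'\",.<>/?`~ "


def base_word(password):
    """Reduce a password to the dictionary-like word it was built on.

    Leading/trailing digits and symbols are dropped first so that a
    trailing "123" is not leet-decoded, then the remainder is leet-
    normalised and lower-cased, and the longest run of letters (the
    first on a tie) is returned. Returns "" if no run of 3+ letters exists.
    """
    core = password.strip(_STRIP).translate(_LEET).lower()
    runs = re.findall(r"[a-z]{3,}", core)
    return max(runs, key=len) if runs else ""


def audit_metrics(results):
    """Summarise one audit run: totals, crack rate, lengths, base words."""
    total = len(results)
    cracked = [pw for _, pw in results if pw is not None]
    lengths = [len(pw) for pw in cracked]
    return {
        "total": total,
        "cracked": len(cracked),
        "cracked_pct": round(100.0 * len(cracked) / total, 1) if total else 0.0,
        "avg_length": round(statistics.mean(lengths), 1) if lengths else 0.0,
        "top_base_words": Counter(base_word(pw) for pw in cracked).most_common(3),
    }


def compare_audits(before, after):
    """Before/after view of the policy change: the headline metric is the
    change in the number (and percentage) of passwords cracked."""
    b, a = audit_metrics(before), audit_metrics(after)
    return {
        "before": b,
        "after": a,
        "cracked_delta": a["cracked"] - b["cracked"],
        "cracked_pct_delta": round(a["cracked_pct"] - b["cracked_pct"], 1),
    }


if __name__ == "__main__":
    report = compare_audits(BEFORE_POLICY, AFTER_POLICY)
    for label in ("before", "after"):
        m = report[label]
        print(f"{label}: {m['cracked']}/{m['total']} cracked "
              f"({m['cracked_pct']}%), avg length {m['avg_length']}, "
              f"top base words {m['top_base_words']}")
    print(f"change in cracked count: {report['cracked_delta']} "
          f"({report['cracked_pct_delta']} percentage points)")
```

In practice the two lists would be built by joining the account list from the hash dump against the cracking tool's output, so that accounts whose hash was never cracked still count towards the total; reporting only on the cracked set would inflate the average length and hide the crack rate, which is the number management will want to see move.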
The password policy change will likely have been very visible within the organisation since all users would have been affected. This is the perfect opportunity to engage users and talk about passwords.
I created a presentation to explain to users how passwords are typically stored and the various types of attacks that can be leveraged against these storage mechanisms. The aim was to help them understand what happens behind the scenes when they enter a password into a website. It also educated them about what an attacker is able to do when a website suffers a breach and users’ personal details, including their password, are leaked online.
The presentation ended with some findings from the password audit and provided some tips for users to help them choose strong passwords.
To save someone else the effort of having to create a similar presentation, I’m publishing a sanitised version of mine. Hopefully someone out there finds it useful.

It can be found on SlideShare here.