Password Presentation - P@ssw0rds


In my last post I provided a template business case that InfoSec people could use to justify increasing the minimum password length while also reducing the frequency of enforced password changes. The reasoning being that if users are not forced to regularly change their passwords then they will be more inclined to select complex passwords that are difficult for an attacker to guess or crack (but still easy for them to remember). This is a sound business case but, to really make the point, wouldn’t it be great to also provide empirical evidence that with the default password policy users are actually using weak passwords!?

With some technical knowledge, password hashes can be dumped from a domain controller and subjected to a cracking attack. Chances are, that in domain with a default password policy, many users’ plaintext passwords will be revealed within a reasonable amount of time. Metrics can then be derived, such as the percentage of passwords that were successfully cracked, the average length of passwords selected by users, or common base words selected by users.

Armed with evidence that users are selecting weak passwords and the business case, there should be little trouble convincing senior management that a change in the organisation’s password policy is necessary to keep the organisation secure.

Following the change in the password policy the password hashes can be dumped from the domain controller again and the cracking attack repeated. Further metrics can now be derived - the most obvious being the number of passwords cracked before and after the policy change. There will very likely be a drop in the number of passwords that were cracked, which is great. It shows that the change was justified!

The password policy change will likely have been very visible within the organisation since all users would have been affected. This is the perfect opportunity to engage users and talk about passwords.

I created a presentation to explain to users how passwords are typically stored and the various types of attacks that can be leveraged against these storage mechanisms. The aim was to help them understand what happens behind the scenes when they enter a password into a website. It also educated them about what an attacker is able to do when a website suffers a breach and users’ personal details, including their password, are leaked online.

The presentation ended with some findings from the password audit and provided some tips for users to help them choose strong passwords.

To save someone else the effort of having to create a similar presentation, I’m publishing a sanitised version of mine. Hopefully someone out there finds it useful.

It can be found on SlideShare here.

Comments

Popular posts from this blog

MWR Hackfu Challenge 2013

The Business Case for Increasing Minimum Password Lengths