Security Tip: Password cracking reminder
Passwords are being cracked around the world as we speak.
In the old days, we measured password strength by the time it took for attackers to crack the passwords from the hashes, or other encoded/encrypted formats that they would be retrieved in. The longer your passwords could withstand brute force cracking attacks, the stronger we considered them. From this tenet, came the wisdom that passwords that used mixed case, special characters and that were longer were stronger than shorter less special-character inclusive ones. Attackers reinforced this tenet by building tools for performing dictionary scanning tools that would quickly crack passwords based on dictionary words, even with replacements like 3 for e, or 1 for I, etc. and they've only gotten better. Attackers have made a quantum leap in password cracking in the last few years. They've developed "Rainbow" type tools that do the heavy processor and math workload up front and then use database-type storage and retrieval to search massive archives of pre-computed password hashes to retrieve the known passwords.
This change in tactic has largely led to huge increases in password cracking capabilities. Passwords that used to take days to weeks to crack can now be cracked in seconds if the attacker has suitable database capabilities, storage and access to the pre-computed cracked hashes. Attackers have even taken this a step further and created huge networks of distributed, parallel cracking systems and applications for folks to "contribute" CPU cycles to either cracking or pre-computing the hashes for later use. Right now, attackers use their machines, Bot-nets and all kinds of other ways to get massive amounts of pre-computed hashes to continually reduce the effectiveness of even the strongest of passwords.
As security practitioners, we must remain aware. In most cases, we must assume that except in extremely rare circumstances, if an attacker gets the password file or hashes, they can/will/have broken the passwords. This is a huge change in mindset for many (not all, but many) security folks. Time is no longer on our side. In many cases, it is faster to crack the password than to change it across an enterprise, especially if politics, change controls and cross-platforms are involved. Quite simply, we must checkmate the attacker before they get the password hashes. This involves utilizing continual assessment and mitigations on all systems, application risk reduction and preventing the holes that attackers exploit to get at the hashes.
http://en.wikipedia.org/wiki/Password_cracking
MicroSolved, Inc.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
