Saturday, October 30, 2010

Web Site Easily Cracks Windows 14-Char Passwords from Hash

CIO Zone has an article by Dan Dieterle about a web site put up at Objectif Securite which can crack a 14-character Windows password from an input hash in only a handful of seconds.  Their secret sauce is using fast solid state drives (SSD) to make cracking very fast.

If you are a Windows user then it may help to know, before you completely panic, that using this technique requires getting the stored hash of a password.  This means they've already broken into your computer, and have access to everything, before this could be used.

A common technique on computer systems is to take a password, use a hashing function to turn it into a long, random-looking string, and store that string on the computer.  Then, to verify a password when you type it in, the hash function is applied to what you type in, a long string is generated and it's compared to the stored string.  If they match, then the assumption is that the passwords match and you're authenticated.

Another assumption is that the hashing function is essentially one-way, i.e., you can't take the hashed string and immediately turn it back into a password.  The above web site uses a brute-force type of attack to make this possible and break that assumption.
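The two assumptions above, that a stored hash can be checked by re-hashing and that the hash cannot be turned back into a password, are easy to see in code. The example below is added here and is not code from the post or from Objectif Securite's site; it uses Python's standard hashlib with a constructed five-entry guess list standing in for the enormous precomputed tables a cracking site would hold. It contrasts a fast, unsalted hash (the weak scheme that a precomputed table defeats with one lookup) against a salted, iterated PBKDF2 hash (the mitigation: every account needs its own table, and each guess is deliberately slow). Function names and the guess list are the example's own.

```python
import hashlib
import hmac
import os

# Constructed example guess list (not real data): stands in for a
# precomputed password table of the kind a cracking site would use.
CANDIDATES = ["password", "letmein", "Winter2010", "qwerty", "correcthorse"]


def fast_unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, no salt. The same password always
    produces the same string, so one precomputed table serves every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_slow_hash(password: str, salt: bytes, iterations: int) -> str:
    """Mitigated scheme: PBKDF2-HMAC-SHA256 with a per-account random salt
    and many iterations, so each guess costs real CPU time and a table
    built for one salt is useless against any other account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations).hex()


def store_password(password: str, iterations: int = 100_000) -> dict:
    """What the system keeps on disk: salt, iteration count and hash.
    The password itself is never stored."""
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": salted_slow_hash(password, salt, iterations),
    }


def verify_password(record: dict, attempt: str) -> bool:
    """Verification re-hashes the typed password with the stored salt and
    compares; constant-time comparison avoids leaking where it differs."""
    computed = salted_slow_hash(attempt, bytes.fromhex(record["salt"]),
                                record["iterations"])
    return hmac.compare_digest(computed, record["hash"])


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once. Against unsalted hashes this work
    is done a single time and reused against every stolen hash."""
    return {fast_unsalted_hash(c): c for c in candidates}


def lookup(table: dict, stored_hash: str):
    """Reverse a stolen hash by table lookup; None if it is not in the table."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)

    # Unsalted: the stolen hash is reversed immediately by lookup.
    weak = fast_unsalted_hash("Winter2010")
    print("unsalted lookup:", lookup(table, weak))          # Winter2010

    # Salted + iterated: the same password, same guess list, no hit.
    record = store_password("Winter2010")
    print("salted lookup:", lookup(table, record["hash"]))  # None
    print("verify correct:", verify_password(record, "Winter2010"))
    print("verify wrong:", verify_password(record, "Winter2011"))
```

The lookup table is the defender's point: with an unsalted hash the attacker's precomputation is paid once and amortised over every hash they ever steal, which is exactly what makes SSD-backed tables so effective; a random per-account salt forces that work to be redone per account, and the iteration count sets how expensive each guess is.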

So, again, to use this to get your password, an attacker would have to have already compromised your system to dig out the hash string.  For a single computer this isn't that big a threat.

What is the threat then?  Well, at a site, say a corporate office, by compromising a single, poorly protected system, say some person's desktop, an attacker could get the hashes and then use this technique to get the password of an important user, even the site or system administrator.  They would then gain immediate access to other more important systems, the entire corporate infrastructure, and important corporate data.  The intruder could potentially live and operate, well-hidden, in such a compromised system for weeks or months.

Etc.

It doesn't seem that long ago that we considered eight-character passwords to be secure.  I used 14-char for a while simply because that was the maximum limit Windows allowed.  Now I use longer passwords (and no, I'm not saying how long), for non-Windows systems and web sites.

Pretty soon, you're going to start seeing other “factors” used to authenticate to a system.  In other words, you'll no longer just type in a password, you'll have to do something else, say answer a question.  Or authentication may involve something else you have with you, like a key of some sort.   Some well-designed financial sites already use such techniques now.