Password Cracking

You have probably heard from speakers at events that passwords can be broken in a matter of days, hours or less. These same speakers then go on to expound the need for complex passwords, with a certain number of characters, including numbers, special characters and so on.

What these speakers forget to mention is that to begin cracking passwords on a Windows or Linux box, you need direct administrative or root access to the password file, which is \Windows\System32\config\SAM on Windows and /etc/shadow on Linux. On the Windows box, the SAM file is locked so that it cannot be copied during normal operation. There is software that can make a copy of the SAM file, but it requires administrative privileges to run. On the Linux box, the /etc/shadow file is read by the system to check a user's password hash, and this file can only be copied by somebody with root access.

In the case of a Windows server, it would be possible to copy the SAM file if the server were rebooted into, for example, Linux. However, if this is an up-to-date Windows server, one would expect it to have BitLocker activated, which would make the Linux reboot useless. Any reboot of a primary or backup domain server ought to ring a whole lot of bells as well.

Most modern data centers have some kind of monitoring over servers and over who has local and remote access. For a hacker to access a server, he or she would first have to get past every tool that the data center has put in place to protect the server, and then be able to install malware that grants administrative or root access. Local access should be considered out of the question for hackers in the case of most data centers, which have serious physical access controls.

An analysis of the most popular password cracking tools will show that all of them depend on having direct access to the password file. Some of them, such as L0phtCrack, only work if the LM or NTLM hash is still in use in the password files. LM and NTLM should have been turned off a long time ago, ever since Windows 2000 introduced Kerberos as its password scheme.

So we are left with the fact that password cracking, as put forward by many speakers, is not so easy after all in a modern data center. For it to happen, many physical and logical security controls would have to break down.

On the other hand, you will find many business leaders having a very hard time choosing complex passwords that satisfy the various organizational rules for passwords. These business leaders, who have a lot of other things to think about, end up writing their passwords down somewhere, usually on a Post-it note behind their keyboard.

It is time to rethink the complex password theme. Alternatives to passwords are available, but for most organizational access needs, passwords continue to be a useful tool. However, all the noise about password cracking in days or hours is meaningless so long as there are decent physical access controls in place in the data center and all administrative staff are properly vetted during hiring. Password criteria can then be simplified so that business staff can focus on business.

As for password guessing over the Internet, there are other tools to make password cracking difficult or impossible, such as blocking access after x wrong attempts.
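As an added illustration of that last point (example code, not from the original article), here is a minimal per-account lockout policy that blocks further attempts after x wrong tries and caps how many online guesses an attacker can make per account per day. The threshold, lockout duration, salted PBKDF2 hashing and the sample account are all assumptions chosen for this example.

```python
# Added example, not from the original article: a per-account lockout
# policy of the kind the article refers to ("blocking access after x
# wrong tries"). Thresholds and the stored credential are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5            # "x wrong tries" before the account is blocked
LOCKOUT_SECONDS = 15 * 60   # how long the block lasts once triggered


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme); deliberately slow so
    that even a stolen hash file is costly to crack offline."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0        # consecutive wrong attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def new_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, hash_password(password, salt))


def try_login(acct: Account, password: str, now: float) -> str:
    """Return 'ok', 'bad_password' or 'locked'. The clock value `now`
    is passed in so the policy can be exercised without real time."""
    if now < acct.locked_until:
        return "locked"      # refuse even a correct guess while locked
    if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.failures = 0
        acct.locked_until = now + LOCKOUT_SECONDS
    return "bad_password"


def max_guesses_per_day() -> int:
    """Upper bound on online guesses per account per day under this policy:
    one batch of MAX_FAILURES guesses per lockout window."""
    windows_per_day = (24 * 3600) // LOCKOUT_SECONDS
    return windows_per_day * MAX_FAILURES
```

With these settings an online guesser gets at most 480 tries per account per day, which is why the "days or hours" figures quoted for offline cracking do not carry over to guessing against a live login.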


More articles by Alfred Bacon, CISA, CISM, CRISC, CISSP