Sunday, April 1, 2012

Bad Passwords and Password Complexity

I've heard this time and time again: "We are ok, we require password complexity". lulz, are you serious? I'm not even going to get into how bad Windows "password complexity" or the rest of its policies are. I'm just going to remind people of this one simple truth:

Password policies only apply on new passwords.

Which means that if you had accounts before you enabled the policies, you may still have accounts whose password is "password", or the same as the username, or some other really dumb "it would never happen to me" password.

This is exactly why I STILL find weak passwords in environments where password complexity is on and the minimum password length is something like 20. jimbob's password is still jimbob, because he set that password before the policies were enacted.


Well, you could set every person's account to require a password change at next login, and then set the password change interval to every 30 days. But that's not enough. You can force every user to reset their password at login, but accounts that aren't being actively used never log in, so the forced change never happens; the first person who does log in with one of them and gets asked to change the password will be the attacker.

What I would do is this:

1. Temporarily turn off the account lockout threshold on the domain.
2. Get a list of every user on every domain.
3. Use Metasploit or Medusa to try a decently sized dictionary file against all the users.
4. Make a note of all the users with weak passwords and either disable that account or change the password yourself.
5. Re-enable the lockout threshold at something reasonable, like 3 or 4.
6. Make sure password complexity is on.
7. Make sure a minimum password length is set; I would make it 15 to kill any chance of LM hashes being stored (LM only hashes passwords of 14 characters or fewer).
8. Disable LM hashes ery'where.
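The "policies only apply to new passwords" point and steps 2 and 4 above, as an added PowerShell example that is not from the original post: it lists every enabled account whose password predates the date the policy was turned on, forces a change for the ones still in use, and disables the inactive ones (the accounts that would otherwise never pick up a forced change). It assumes the ActiveDirectory RSAT module, rights to modify user objects, and that $PolicyEnacted and $InactiveDays are set for your environment.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) and an account allowed to read and modify users.
Import-Module ActiveDirectory

$PolicyEnacted = Get-Date '2012-01-01'   # assumption: the day complexity/length was enabled
$InactiveDays  = 90                      # assumption: accounts idle longer than this get disabled
$ApplyChanges  = $false                  # dry run until you flip this to $true

# Show what the domain policy actually enforces today (steps 5-7 of the list).
$pol = Get-ADDefaultDomainPasswordPolicy
"Policy now: Complexity={0} MinLength={1} LockoutThreshold={2}" -f `
    $pol.ComplexityEnabled, $pol.MinPasswordLength, $pol.LockoutThreshold

# Every enabled user, with the two timestamps that matter here.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires

# A password set before the policy date was never checked against the policy.
$stale = $users | Where-Object {
    ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $PolicyEnacted)
}

$cutoff = (Get-Date).AddDays(-$InactiveDays)
foreach ($u in $stale) {
    $inactive = ($null -eq $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
    if ($inactive) {
        # Nobody is around to pick up a forced change; disable the account instead.
        "DISABLE       {0,-20} pwdset={1} lastlogon={2}" -f `
            $u.SamAccountName, $u.PasswordLastSet, $u.LastLogonDate
        if ($ApplyChanges) { Disable-ADAccount -Identity $u }
    } else {
        # Active user: make them set a new password under the current policy.
        # "Password never expires" must be cleared first or the flag is refused.
        "FORCE-CHANGE  {0,-20} pwdset={1}" -f $u.SamAccountName, $u.PasswordLastSet
        if ($ApplyChanges) {
            if ($u.PasswordNeverExpires) { Set-ADUser -Identity $u -PasswordNeverExpires $false }
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }
}
"{0} enabled accounts, {1} with passwords older than the policy" -f $users.Count, $stale.Count
```

Run it once as a dry run and keep the output as your list for step 4; the same pre-policy accounts are the ones the dictionary run in step 3 is most likely to hit.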

You also want to make sure to write up a basic "don't be an idiot with your passwords" email to distribute. Make it humorous so that it's memorable; this way, when someone is breaking the policy, it will be funny for their coworkers to belittle them. Make the minions do your policing for you.

Some simple "Human Password Policies":
1. Never write down your password anywhere - that's what your brain is for.
2. Never give out your password to anyone; you don't give out your safe combination to anyone, do you?
3. You no longer have a pass-"word", you have a pass-"phrase": make it a sentence, a lyric, something funny only you will remember.
4. Like your wife said, the longer the better.
