Here’s an overview of a new OWASP project called Passfault, which tries
to help assess password strength in ‘real world’ terms :-
One of the developer’s assertions is that password-creation policies are
not helping users to create secure passwords.
His examples provided on the Analyser website suggest that the problem
he is attacking is what I would call “the fallacy of the pass*word*”.
Weak passwords that pass typical policies:
- qwerQWER1234!@#$
- !1cracked
- cracked7&
Strong passwords that fail typical policies:
- udnkzdjeyhdowjpo
- seattleautojesterarbol
I ran my diceware script (grabs random numbers from random.org and looks
up on the diceware wordlist) and tested the pass*phrase* “52nd temper
musk” (this was the first output from the script).
The passfault analyser said “Time To Crack: 17 centuries Total Passwords
in Pattern: 50 Quadrillion”. I’m not sure that his approach is
completely useful …
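As an added illustration (not the post’s own diceware script), the generator below picks words with the OS CSPRNG via `secrets` instead of fetching numbers from random.org, and uses a constructed miniature word list in place of the real 7776-entry Diceware list. The point of the numeric helpers is the comparison a practitioner would make: an attacker who knows the phrase was generated by Diceware only has to cover 7776^n candidates, which for three words is about 4.7 × 10^11, far fewer than the 50 quadrillion “passwords in pattern” the analyser reported for the three-word phrase above.

```python
import math
import secrets

# The real Diceware list has one word per five-dice roll, "11111" .. "66666".
DICEWARE_LIST_SIZE = 6 ** 5  # 7776

# Constructed miniature word list for the demo only (the real list has 7776 entries).
SAMPLE_WORDS = ["temper", "musk", "cliff", "opera", "wagon", "bison",
                "lemon", "quartz", "haven", "ember", "maple", "drift"]


def roll_dice(sides=6, count=5, rng=secrets.randbelow):
    """Return a dice string such as '52341'.

    rng(n) must return a uniform integer in [0, n); secrets.randbelow stands in
    for the random.org fetch used by the original script.
    """
    return "".join(str(1 + rng(sides)) for _ in range(count))


def pick_words(n_words, wordlist=SAMPLE_WORDS, rng=secrets.randbelow):
    """Choose n_words uniformly (with replacement) from wordlist."""
    return [wordlist[rng(len(wordlist))] for _ in range(n_words)]


def search_space(n_words, list_size=DICEWARE_LIST_SIZE):
    """Number of equally likely passphrases of n_words words drawn from list_size words.

    This is the candidate count an attacker who knows the generation method must cover.
    """
    return list_size ** n_words


def entropy_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of an n-word passphrase in bits: n * log2(list_size)."""
    return n_words * math.log2(list_size)


def words_needed(target_space, list_size=DICEWARE_LIST_SIZE):
    """Smallest word count whose search space is at least target_space."""
    n = 1
    while list_size ** n < target_space:
        n += 1
    return n


if __name__ == "__main__":
    phrase = " ".join(pick_words(3))
    print("generated (demo list):", phrase)
    print("dice roll:", roll_dice())
    print("3-word Diceware search space:", search_space(3))
    print("3-word entropy (bits): %.2f" % entropy_bits(3))
    # "50 Quadrillion" is the analyser's figure quoted above
    print("words needed to reach 50 quadrillion:", words_needed(50 * 10 ** 15))
```

The `rng` parameter exists so the dice and word selection can be driven deterministically in tests; in use, leave it at the default so every roll comes from the CSPRNG.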
However, the overall idea is interesting. Instead of saying how passwords should be formed, he is suggesting that they should be assessed in terms of how long they would take to crack.

I have a few issues with that …

First comes a glance at the Verizon Data Breach Investigations Report 2012, which tells us that “Brute force & dictionary attacks” are a reducing technique (although still at 29% a useful one). Their fuller results table for the Hacking mechanism shows :-
- 55% — Exploitation of default or guessable credentials
- 40% — Use of stolen login credentials
- 29% — Brute force & dictionary attacks
- 25% — Exploitation of backdoor or command & control channel
- 6% — Exploitation of insufficient authentication (e.g. no login needed)
- 3% — SQL injection
- 1% — Remote file inclusion
- <1% — Abuse of functionality
- 4% — unknown
So having a “stronger” credential takes us out of the first 55% category — but so did even a weak password policy. Inside the 29% is still the best place to find password cracking carried out.
There are of course two main approaches to password cracking — online and offline. The Verizon stats don’t differentiate between the two, but I’m sure that online (where you just try credentials against the live service) is more common, because it is the easiest. In order to exfiltrate a stored password database, you have to have penetrated the organisation already, to some extent, and at that stage the password db is just an additional weapon.
Online password cracking should be dealt with by having account lockout and retry delay systems; there should be no way for an attacker to test more than a small handful of potential passwords before the source of the attempts is blacklisted from the network and the target accounts are locked (at this point you have to stop and consider your account lockout procedures: if your response is to send a “reactivate” link over external email, how do you verify it isn’t an attacker who is reading the target’s mailbox?).
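One way to implement the lockout and retry-delay controls described above, as an added example rather than any particular product’s code: a small guard that is consulted before each password check and told the outcome afterwards. It keeps a sliding window of failures per account and per source, doubles the retry delay after each consecutive failure on an account, locks the account at one threshold and blacklists the source at a higher one (so a single source guessing across many accounts is caught too). All threshold and window values are constructed for the demo; the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass, field

# Constructed policy values for the demo; tune them to your own service.
ACCOUNT_LOCK_THRESHOLD = 5    # failures on one account before it is locked
SOURCE_BLOCK_THRESHOLD = 20   # failures from one source (any accounts) before it is blacklisted
BASE_DELAY_SECONDS = 1.0      # retry delay after the first failure; doubles per consecutive failure
WINDOW_SECONDS = 15 * 60      # failures older than this are forgotten


@dataclass
class _Counter:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked: bool = False


class LoginGuard:
    """Decides whether a login attempt may proceed; call check() before verifying
    the password and record_failure()/record_success() afterwards."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._accounts = {}
        self._sources = {}

    @staticmethod
    def _prune(counter, now):
        counter.failures = [t for t in counter.failures if now - t <= WINDOW_SECONDS]

    def check(self, account, source):
        """Return (allowed, reason, wait_seconds)."""
        now = self._clock()
        acc = self._accounts.setdefault(account, _Counter())
        src = self._sources.setdefault(source, _Counter())
        self._prune(acc, now)
        self._prune(src, now)
        if src.locked:
            return False, "source_blacklisted", None
        if acc.locked:
            return False, "account_locked", None
        if acc.failures:
            # 1s after the first failure, 2s after the second, 4s after the third, ...
            wait = BASE_DELAY_SECONDS * (2 ** (len(acc.failures) - 1))
            since = now - acc.failures[-1]
            if since < wait:
                return False, "retry_delay", wait - since
        return True, "ok", 0.0

    def record_failure(self, account, source):
        now = self._clock()
        acc = self._accounts.setdefault(account, _Counter())
        src = self._sources.setdefault(source, _Counter())
        acc.failures.append(now)
        src.failures.append(now)
        self._prune(acc, now)
        self._prune(src, now)
        if len(acc.failures) >= ACCOUNT_LOCK_THRESHOLD:
            acc.locked = True
        if len(src.failures) >= SOURCE_BLOCK_THRESHOLD:
            src.locked = True

    def record_success(self, account):
        # A correct password clears the consecutive-failure count but never unlocks
        # an account: unlocking is a separate, verified procedure.
        acc = self._accounts.setdefault(account, _Counter())
        if not acc.locked:
            acc.failures.clear()

    def is_account_locked(self, account):
        return self._accounts.get(account, _Counter()).locked

    def is_source_blocked(self, source):
        return self._sources.get(source, _Counter()).locked


class FakeClock:
    """Manually advanced clock so the delays can be exercised in tests."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    # Constructed scenario: one source guessing repeatedly at a single account.
    for attempt in range(1, 8):
        allowed, reason, wait = guard.check("alice", "10.0.0.1")
        print(f"attempt {attempt}: allowed={allowed} reason={reason} wait={wait}")
        if allowed:
            guard.record_failure("alice", "10.0.0.1")   # wrong password each time
        clock.advance(60)
```

Two design points worth noting. Source-based blacklisting is coarse behind NAT or a shared proxy, so the account-level controls carry most of the weight there and the source threshold is deliberately higher. And `record_success` never clears the locked flag: the page’s own caveat about “reactivate” links is exactly the unlock path, and it belongs in a separate, verified procedure rather than in the login handler.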
So instead of instituting a password policy, even one that guides you to make selection by strength directly instead of indirectly, you’d be better off making sure that attackers can’t continue knocking at the doors all day long without being detected & blocked.