Hide your hash

Hypocrisy of Password Policies

As far as we are concerned, there are two kinds of passwords: strong and weak.

These days, you have all these password policies to enforce strong passwords. Not only do you have to have passwords longer than a gazillion characters, you have to have mixed case, numerics and even a Cyrillic character or two, just so the password is strong enough.

And then there are weak passwords. Not only are they weak, they are often backdoor passwords. It may be for a database or for IT to do admin tasks, but weak backdoor passwords always exist. So many people depend on that password that you can't change it without upsetting a lot of people, or even halting some important application or production process. Backdoor passwords are weak, easy to remember and hardly ever get changed.

Lost Passwords

You will invariably run into a lost password. Just the other day, I completely forgot the password to a WebDAV server I set up not too long ago. I could set a new password, but then I would have to go change all the machines and handheld devices that depend on this WebDAV server. This can easily take 30 minutes to an hour. Life would be easy if I could just recover that one password.

Cracking Your Password

Is there a way to recover a lost password? You know those IT guys will always tell you no. This is true, in that they can't see what your passwords are. Systems are built that way. But can't you *really* recover a password?

Well, actually, there is. A password is not stored in the clear; it is run through a one-way hash function and stored as a hash. And given this hash, there is software that can recover (crack) the password from it.

Now, this software isn't some shady cracking tool intended for breaking into people's systems. It has legitimate uses such as, well, retrieving a password, or finding weak passwords that are easily cracked.

So I fed the hashed password value for my WebDAV server into this software and let it run. Sure, it might take a day or two, but I can wait.

But to my amazement, it spat out the password after only 24 minutes of churning at it. Only 24 minutes? That's less than the amount of time it takes to change the password in all the places that use it.

Lessons Learned

What this means is that passwords are not as secure as one might think.  And you need to do something about it:

  • Don't use weak passwords. The more scrambled the password, the longer it takes to crack. This also means don't use your first name, your Social Security number, your phone number, your dog's name, your kid's name, etc. etc. Yes, all the stuff you've been told is really true.
  • If you are a conscientious IT expert, be proactive and try cracking passwords from their hashes. Get the most security-critical password hashes out of databases or password files and run them through a cracking tool. How easily these passwords fall will shock you, and should prompt you to take action.
But most importantly,
  • Don't expose the password hash. Hashed they may be, but they are still passwords. You are essentially giving your access away when you leave your password hashes out in the open.
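As an added example (not code from the post), here is the kind of audit the second lesson recommends, in Python, run over a constructed three-account password file: the two weak passwords fall to a six-entry list of the guesses the post warns about, and the strong one does not. The second half stores the same accounts with a per-user salt and a slow hash (scrypt) to show why that storage choice, on top of hiding the hash, matters; the accounts, guesses and the "alice" password are all made up for the example.

```python
import hashlib
import secrets

# Constructed sample of a legacy password file: user -> unsalted MD5 hex digest.
# A real audit would read these from the database or password file instead.
LEGACY_HASHES = {
    "dbadmin": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "webdav":  "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
    "alice":   hashlib.md5(b"Tq7#vivid-otter-42!").hexdigest(),  # a strong one
}

# Constructed list of the guesses the post warns about: defaults, pets, phone digits.
WEAK_GUESSES = ["password", "123456", "admin", "fido", "5551234", "letmein"]


def audit_fast_hashes(stored, guesses):
    """Return {user: guess} for every stored unsalted MD5 hash that matches a guess.
    Each guess is hashed once and compared against every user at the same time,
    which is why an exposed file of unsalted fast hashes falls in minutes."""
    lookup = {hashlib.md5(g.encode()).hexdigest(): g for g in guesses}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def scrypt_hash(password, salt):
    """Salted, memory-hard hash (scrypt, about 16 MiB per evaluation)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


# The same three accounts stored the way they should be: per-user random salt + scrypt.
SALTED_HASHES = {
    user: (salt, scrypt_hash(pw, salt))
    for user, pw, salt in [
        ("dbadmin", "password", secrets.token_bytes(16)),
        ("webdav", "123456", secrets.token_bytes(16)),
        ("alice", "Tq7#vivid-otter-42!", secrets.token_bytes(16)),
    ]
}


def audit_slow_hashes(stored, guesses):
    """Same audit against salted scrypt hashes: the salt forces one expensive
    hash per guess *per user*, so the work grows with users x guesses."""
    found = {}
    for user, (salt, digest) in stored.items():
        for guess in guesses:
            if secrets.compare_digest(scrypt_hash(guess, salt), digest):
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    print("fast, unsalted:", audit_fast_hashes(LEGACY_HASHES, WEAK_GUESSES))
    print("salted scrypt: ", audit_slow_hashes(SALTED_HASHES, WEAK_GUESSES))
```

Both audits find the same two weak accounts; the difference is that the salted, slow version costs one full scrypt evaluation per guess per user, while the unsalted MD5 file is checked with one cheap hash per guess for everyone at once.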
