Why Complex Passwords are Crucial to Maintaining Security
Kordel
This past week I found myself conducting an Audit on some IT resources for a client. I was asked to attempt password recovery on some essential equipment, as well as to audit the security setup of the same equipment to determine the level of resistance to different Network threats.
The project, in addition to being enjoyable, was also highly enlightening. I find that whenever I “dig a little deeper” into a Security topic, I always uncover very interesting (and sometimes terrifying) tidbits about the security, or lack of security, of the different systems and measures that most of us take for granted on a daily basis.
Exhibit A: Client X
Client X required password recovery (for reasons that are not relevant) on a piece of equipment that was extremely crucial to daily operations. What I discovered during this process was terrifying, and speaks in detail to the dangers of slack security measures on the part of IT Professionals!
In processing this recovery (which was successful, by the way), I discovered that the carelessness of the personnel responsible for the original configuration of this equipment allowed this critical piece of equipment to be unlocked in a matter of only a few hours (without previous experience on this type of equipment on my part). A seasoned “Hacker” or Security Expert could no doubt have performed the same procedure in under an hour.
The key weaknesses that contributed to the ease of entry included:
- Lack of Access Control Lists or Access Restrictions
- No mechanism to prevent or limit access to “Recovery” modes
- Lack of attention to critical security flaws inherent in the equipment
And, most importantly,
- Simple administrative account passwords (i.e. a single real-word password, without numbers, case change or symbols of any kind)
That’s a problem….
Before I proceed, let me establish a few things:
- In the defense of the parties responsible for this equipment, some amount of Physical Access (though VERY BRIEF) is required to carry out the exact method that I utilized to breach this equipment. HOWEVER – a skilled attacker could “probably” manipulate a few other protocol, design OR environment restrictions to bypass the need for physical access
- Eberly Systems maintains a VERY STRICT standard in regards to Security Auditing and Unauthorized Access of any kind – we will NEVER, under ANY CIRCUMSTANCES perform an Unauthorized attack or access attempt on any device or network.
Now to the good stuff…
Bypassing established security measures is sometimes as simple as finding a “loophole” in equipment or protocols that allows you to bypass the Username and Password on a given piece of equipment. Other types of attacks require the procurement of “Password Hashes”.
Password hashes are passwords that have been encrypted and stored on the equipment; the hash is what allows your password to be verified when you enter it into any screen on your computer. Hashes utilize highly specialized Encryption Algorithms (such as MD5, SHA-1, DES, etc.) to encrypt your original password, making it unreadable. In some cases, passwords are processed through either multiple algorithms, or the same algorithm hundreds (or even thousands) of times. The resulting “Hash” cannot be “unscrambled” – the only way to confirm a password’s accuracy is to do the process all over again: you enter a password, the system runs it through the same encryption process (using whatever established algorithm and process it utilizes), and the resulting hash is compared against the original. If it’s a match, access is granted. If it does not match, access is denied.
While this is very secure (again, Hashes cannot be “Unscrambled”), it is possible to “crack” Hashes if you can obtain the password hash. Utilizing special software, potential passwords are run through the same algorithm(s) that your target system utilizes, but at very high speeds – hundreds, thousands, or more per second.
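The verify-by-recomputing loop described above, as an added example that is not from the original post: the stored value is a PBKDF2 output (SHA-256 repeated thousands of times, the “same algorithm thousands of times” the text mentions) over a random per-user salt, and checking a login means re-running the identical process and comparing. The iteration count and salt length are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption for illustration: PBKDF2 over SHA-256, repeated 100,000 times.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, hash). Only these two values are stored; the password itself never is.
    A random per-user salt means two users with the same password get different hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Re-run the identical process on the candidate and compare the outputs.
    The stored hash is never 'unscrambled'; compare_digest avoids timing leaks."""
    _, digest = hash_password(candidate, salt, iterations)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    salt, stored = hash_password("password")
    print(stored.hex())                                  # unreadable 32-byte hash
    print(verify_password("password", salt, stored))     # True: same input, same process
    print(verify_password("Password", salt, stored))     # False: a single case change
```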
The two types of Password Cracking attacks are “Dictionary” and “Brute Force”. Dictionary attacks utilize a pre-built “Dictionary List”, or list of common words in a given language. They will process this list at whatever speed the attacking system is capable of (based on Processor speed and other factors), until a match is found. More advanced Dictionary attacks allow the Dictionary words to be “mangled”, changing the case of some or all letters, adding numbers or symbols before or after the word, and other such things.
Brute Force attacks tend to be much lengthier. They involve specifying a “set” of characters (such as the letters a-z, A-Z, numbers 0-9, or Keyboard Symbols) and, starting at “a”, running through every possible combination of letters, numbers, cases, etc. Brute Force attacks on complex passwords are not viable on most systems – with today’s sophisticated hash algorithms and a good password, a standard computer would take hundreds (or thousands) of years to go through EVERY possible combination of symbols and find a matching Hash output. Obviously, by the time the system would complete this process, the password would have probably changed or become irrelevant.
However, if you have a simple password (let’s say, “password”) and an attacker gains access to your stored “Hash”, then, utilizing a standard Dictionary file of the English language on a modern Desktop PC, he could (theoretically) uncover your password (i.e. match the hash value) in as little as a half hour (depending on his Dictionary file, program of choice, and other factors). Scary, huh?
If you were to make even a few changes – for example, capitalize the “a” and add a symbol (let’s choose “#”) at the end – your attacker’s dictionary attack would fail, and he would have to resort to either a Brute Force attack (which, for such a password and no further information, WOULD take quite a few years), OR a much more sophisticated Mangled Dictionary attack, which could still take a year or more.
If you go even further, and, ditching your original password, create a new “random” password (let’s make one up, say “R5&lk#fw”), the attacker would be 100% unable to crack the hash with a Dictionary attack, and would HAVE to resort to a brute force attack. On a modern Desktop computer, such an attack would likely take Thousands of years (which makes it “impossible” to crack for all intents and purposes).
Hmm… suddenly, it makes a bit more sense when your IT department or favorite Email Provider makes you change your password and add a few extra Symbols or numbers, doesn’t it?
The wrench in all of this is that some Hackers have a lot more “horsepower” behind them than a simple Desktop computer. If you are targeted by a Government or Organized Hacking Group, your Hash may become the target of the combined power of hundreds, thousands (or more) of Computers (CPUs) – which means that the time to crack your password could go from 1000 years (using round numbers for example), to:
- 10 years on 100 Processors
- 1 year on 1000 Processors
- 1 month on 12,000 Processors
As you can see, you DON’T want to run crossways with someone who has the money or resources to leverage a Server Farm against your Password hash.
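The keyspace arithmetic behind these estimates, as an added example that is not part of the original post; it generalizes the three passwords above (“password”, the capitalized-and-suffixed “pAssword#”, and “R5&lk#fw”) to any password and reproduces the processor-scaling list. The rate of one billion guesses per second per processor is a constructed assumption, not a figure from the article.

```python
import string
from typing import Dict

# Character classes a brute-force search must cover once a password uses any of them.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard character set containing every symbol in the password."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def brute_force_keyspace(password: str) -> int:
    """Every candidate of length 1..len(password) over that set: the attacker's worst case."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def years_to_exhaust(keyspace: int, guesses_per_second: float, processors: int = 1) -> float:
    """Time to try the whole keyspace; speed scales linearly with the number of processors."""
    return keyspace / (guesses_per_second * processors) / SECONDS_PER_YEAR


def scaling_table(years_on_one_cpu: float, cpu_counts=(1, 100, 1000, 12000)) -> Dict[int, float]:
    """The article's 'same job, more processors' arithmetic for a given single-CPU estimate."""
    return {cpus: years_on_one_cpu / cpus for cpus in cpu_counts}


if __name__ == "__main__":
    RATE = 1e9  # constructed assumption: one billion guesses per second per processor
    for pw in ("password", "pAssword#", "R5&lk#fw"):
        ks = brute_force_keyspace(pw)
        print(f"{pw!r}: charset {charset_size(pw)}, keyspace {ks:.3e}, "
              f"{years_to_exhaust(ks, RATE):.3e} years on one processor")
    for cpus, years in scaling_table(1000.0).items():
        print(f"1000 CPU-years spread over {cpus:>5} processors: {years:9.3f} years")
```

Note that moving from 26 lowercase letters to all 94 printable characters multiplies the work per position, so the all-class random password is out of reach even when the single-CPU estimate is divided by thousands of processors.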
Now that you are thoroughly terrified, go change your passwords – and let me leave you with one last tidbit from a recent attack against “Gawker Media”, in which their entire database of User accounts and hashes was obtained and cracked by an organized hacking ring. The following data is provided thanks to DuoSecurity.com.
“As with any password dump, one of the most interesting outcomes is the most popular/common passwords chosen by users. The top 25 most common passwords from our cracking results were:
- 2516: 123456
- 2188: password
- 1205: 12345678
- 696: qwerty
- 498: abc123
- 459: 12345
- 441: monkey
- 413: 111111
- 385: consumer
- 376: letmein
- 351: 1234
- 318: dragon
- 307: trustno1
- 303: baseball
- 302: gizmodo
- 300: whatever
- 297: superman
- 276: 1234567
- 266: sunshine
- 266: iloveyou
- 262: f***you
- 256: starwars
- 255: shadow
- 241: princess
- 234: cheese
The vast majority (99.45%) of the cracked passwords were alphanumeric and did not contain any special characters or symbols.”
How many of my readers will be changing their passwords in the next week because of this information? I’m curious – let me know!
