best method to crack my user's passwords and wake them up

Post by gaius.petroni » Thu, 24 Jan 2002 18:02:13



yes, i am root and can see everything (although ethically i do not
choose to)

a while back i had a problem where i wanted some windoze users on my
net to conform to certain password standards, which i tried to enforce
in samba, but which i could *not* do since apparently the most i can
do in the smb.conf is force a minimum password length (apparently no
way to require a minimum amount of non-A-Za-z chars)

there are still users who apparently think that password12 or aaaaaa11
or 12345678 are appropriate passwords (fortunately they do not connect
to the outside world)

i want to heighten the sense of security on this *most fundamental* of
issues: difficult passwords.  And i want to do it by running a
dictionary cracker on certain users' passwords and then informing them
of their password (and informing the CEO) as well in order to show him
how insecure his users' data potentially are.

Can anyone advise me on any experiences they have had using this
approach?
Recommend any methodology in particular?
The program "Satan" was popular about 6 years ago.  i am not sure
where it stands now in relation to other security checks.


Post by yt.. » Thu, 24 Jan 2002 18:41:09



> i want to heighten the sense of security on this *most fundamental* of
> issues: difficult passwords.  And i want to do it by running a
> dictionary cracker on certain users' passwords and then informing them
> of their password (and informing the CEO) as well in order to show him
> how insecure his users' data potentially are.

There are about a dozen dict crackers around at the moment.  The latest
versions of all of them are pretty good, imho.

> Can anyone advise me on any experiences they have had using this
> approach?
> Recommend any methodology in particular?

We used to do it quarterly on a large passwd file.  Without exception, every
time, 10% of user passwords were "password".

The easiest way I found to actually get something done in this regard was to
not explain to management why dictionary passwords in all small letters are
bad, but instead to wrap the passwd utility with a handy p***** script that
checked passwords against the same dictionary used in the crack utility, and
not let them use it if there was a match.  Then to aggressively age all standing
passwords that were cracked during the first hour.

> The program "Satan" was popular about 6 years ago.  i am not sure
> where it stands now in relation to other security checks.

It's now called "Saint", and it's very expensive.  It's pretty cool anyhow though.

-----.

Post by Jose Nazari » Thu, 24 Jan 2002 21:52:23



> It's now called "Saint", and it's very expensive.  It's pretty cool anyhow though.

huh? saint is free if you want it. wwdsilx.wwdsi.com/saint/

also look at nessus and sara. two more great tools inspired by satan.

proactive password checkers are nice, yes, however the method you
outline, a perl|python script, typically only looks at matches. instead,
tie it into a library that would do the same permutations on the
passwords as password crackers do (ie reverse, vary caps, substitute
numbers and letters, etc). on Linux, cracklib can do this. on almost all
UNIXen, npasswd can do proactive strength checking. this is a bit more
robust than typical methods like the ones you outlined (though maybe
you're actually doing this, you didn't clearly specify).

secondly, provide your users with strong passwords. good password
generators are out there, i'm a big fan of FIPS181 styled ones
(pronounceable passwords). 'apg' comes to mind. helps them get sound
passwords off the bat.


Post by John Thomas - Lucent ASC » Thu, 24 Jan 2002 22:03:41



> yes, i am root and can see everything (although ethically i do not
> choose to)

<snipped>

As a USian, I can only speak from my experiences here.  This is a thing
done very carefully.  Be sure that somewhere in the corporate
security/IT policies there's an allowance for this kind of thing or you
could get run over.  IIRC some fellow working for Intel did this with
your same intentions in mind and ended up fired and jailed.
--

"It is easy to be blinded to the essential uselessness of computers
 by the sense of accomplishment you get from getting them to
 run at all." -- Douglas Adams
---
John M. Thomas
System Administrator
919-463-3313

Post by Karl Heye » Thu, 24 Jan 2002 22:24:06




> The easiest way I found to actually get something done in this regard was to
> not explain to management why dictionary passwords in all small letters are
> bad, but instead to wrap the passwd utility with a handy p***** script that
> checked passwords against the same dictionary used in the crack utility, and
> not let them use it if there was a match.  Then to aggressively age all standing
> passwords that were cracked during the first hour.

This is the right solution; running these crackers is a relatively
expensive task, so it is best used for transitional purposes.  It might
be best to disable the account in passwd and get those needing the
account to require new passwords.

karl.

Post by ken_yap_af73f88f_.. » Thu, 24 Jan 2002 22:31:51


|Can anyone advise me on any experiences they have had using this
|approach?
|Recommend any methodology in particular?

SuSE distros have a package called john which tries to find accounts
that have stupid passwords. First time I ran it I found a couple of
users who had used their own names as the password! After warning them,
I think they were too embarrassed to use simple passwords again.

There should be quite a few password cracking packages out there. It's
worth keeping your users on their toes. (But then they go and write
their password on post-it notes and stick it on their screen, sigh. ;-))

Post by Luca Mical » Thu, 24 Jan 2002 22:52:52



> yes, i am root and can see everything (although ethically i do not
> choose to)

> a while back i had a problem where i wanted some windoze users on my
> net to conform to certain password standards, which i tried to enforce
> in samba, but which i could *not* do since apparently the most i can
> do in the smb.conf is force a minimum password length (apparently no
> way to require a minimum amount of non-A-Za-z chars)

> there are still users who apparently think that password12 or aaaaaa11
> or 12345678 are appropriate passwords (fortunately they do not connect
> to the outside world)

> i want to heighten the sense of security on this *most fundamental* of
> issues: difficult passwords.  And i want to do it by running a
> dictionary cracker on certain users' passwords and then informing them
> of their password (and informing the CEO) as well in order to show him
> how insecure his users' data potentially are.

> Can anyone advise me on any experiences they have had using this
> approach?
> Recommend any methodology in particular?
> The program "Satan" was popular about 6 years ago.  i am not sure
> where it stands now in relation to other security checks.

try john the ripper on a fast (modern) intel machine. it rocks!

Post by Ralf Fasse » Fri, 25 Jan 2002 00:03:34



| [root being able to read everything]
| Be sure that somewhere in the corporate security/IT policies there's
| an allowance for this kind of thing or you could get run over.  IIRC
| some fellow working for Intel did this with your same intentions in
| mind and ended up fired and jailed.

Sounds like you're referring to Randal L. Schwartz

http://www.lightlink.com/spacenka/fors/
http://www.stonehenge.com/merlyn/

Although he was not root on the systems of which he cracked the
passwords.

R'

Post by yt.. » Fri, 25 Jan 2002 00:19:48




>> It's now called "Saint", and it's very expensive.  It's pretty cool anyhow though.
> huh? saint is free if you want it. wwdsilx.wwdsi.com/saint/

Gah, my mistake.  Looks like I'd been using the pay-for version and made an
unfortunate assumption.

-----.

--
There's a hole in the world like a great black pit and
it's filled with people who are filled with shit and the
vermin of the world inhabit it

Post by Jonathan Abb » Mon, 28 Jan 2002 03:56:35



| yes, i am root and can see everything (although ethically i do not
| choose to)
|
| a while back i had a problem where i wanted some windoze users on my
| net to conform to certain password standards, which i tried to enforce
| in samba, but which i could *not* do since apparently the most i can
| do in the smb.conf is force a minimum password length (apparently no
| way to require a minimum amount of non-A-Za-z chars)
|
| there are still users who apparently think that password12 or aaaaaa11
| or 12345678 are appropriate passwords (fortunately they do not connect
| to the outside world)
| [...]
|
| Can anyone advise me on any experiences they have had using this
| approach?
| Recommend any methodology in particular?
| The program "Satan" was popular about 6 years ago.  i am not sure
| where it stands now in relation to other security checks.

We have incorporated support for the npasswd
(http://www.utexas.edu/cc/unix/software/npasswd/) password quality
checking library into the Ganymede userKit.  If you use the Ganymede
userKit with npasswd support to manage your passwords, Ganymede will
check all submitted passwords against as many dictionaries as you
specify when you configure npasswd.  npasswd also supports things like
password history, so that you can ensure that your users don't re-use
passwords within a given time period.

The Ganymede userKit does not yet support this, but we have
implemented logic in our own Ganymede configuration here to
additionally enforce password aging, so that our users have to change
their passwords every three months.

Ganymede's userKit comes out of the box with direct support for
managing both UNIX style passwords (NIS, /etc/passwd, or other, using
either crypt or md5Crypt password hashing) and autogeneration of the
Samba passwd file (either version 1 or version 2).

--
-------------------------------------------------------------------------------

Applied Research Laboratories                 The University of Texas at Austin
Ganymede, a GPL'ed metadirectory for UNIX     http://www.arlut.utexas.edu/gash2

Post by Robert.Fr.. » Tue, 29 Jan 2002 17:29:06





[...]
> |
> | there are still users who apparently think that password12 or aaaaaa11
> | or 12345678 are appropriate passwords (fortunately they do not connect
> | to the outside world)
[...]
> | Recommend any methodology in particular?
> | The program "Satan" was popular about 6 years ago.  i am not sure
> | where it stands now in relation to other security checks.

> We have incorporated support for the npasswd
> (http://www.veryComputer.com/) password quality
> checking library in to the Ganymede userKit.  If you use the Ganymede
> userKit with npasswd support to manage your passwords, Ganymede will
> check all submitted passwords against as many dictionaries as you
> specify when you configure npasswd.  npasswd also supports things like
> password history, so that you can ensure that your users don't re-use
> passwords within a given time period.

> The Ganymede userKit does not yet support this, but we have
> implemented logic in our own Ganymede configuration here to
> additionally enforce password aging, so that our users have to change
> their passwords every three months.

[...]

Ah, I love those impo*ts. "Please change your password ..."
Then the user starts with <password>1, <password>2, <password>3, ...
until the system accepts <password>1 again. And if the system prevents this, the
passwords *will* be written down, you can bet on that. Although password aging is
generally a good idea, the aging period should be as long as the environment can
tolerate, or at least half a year. If someone can eruate your password, he or she
will know the new ones just as soon ...

Robert
--
Institut fuer Informatik           tel  +41 (0)61 267 14 66
Universitaet Basel                 fax. +41 (0)61 267 14 61
Robert Frank                                        

CH-4056 Basel           (remove any no_spam_ from my return address)
Switzerland             http://www.veryComputer.com/~Robert.Frank

Post by Jonathan Abb » Wed, 30 Jan 2002 05:31:26




| > The Ganymede userKit does not yet support this, but we have
| > implemented logic in our own Ganymede configuration here to
| > additionally enforce password aging, so that our users have to change
| > their passwords every three months.
| [...]
|
| Ah, I love those impo*ts. "Please change your password ..."
| Then the user starts with <password>1, <password>2, <password>3, ...
| until the system accepts <password>1 again. And if the system prevents this, the
| passwords *will* be written down, you can bet on that. Although password aging is
| generally a good idea, the aging period should be as long as the environment can
| tolerate, or at least half a year. If someone can eruate your password, he or she
| will know the new ones just as soon ...

Well, I believe npasswd is actually smart enough to prevent some
obvious permutations of passwords, but you're right that that is
a concern.

There's an obvious tension between the risks imposed by rapid password
turnover and the risks imposed by people who use a single password for
years.  The problem is, such people may decide to use their single
password *everywhere* for *years*.  If we force periodic password
turnover, we at least make it less likely that they will permute their
slashdot/amazon/hotmail password at the same time they permute their
work password.

I myself agree that a rather longer password age time is preferable to
a very short one, but not everyone comes down on the same side of
those questions.

As to the question of people writing passwords down, we have a
relatively simple answer for this.  We tell our users not to do this,
and let them know that if they do so in an insecure manner (i.e.,
outside of a secured vault), then they may face disciplinary action up to
and including termination.

Not all problems can be solved by technology, after all.

| Robert
| --
| Institut fuer Informatik           tel  +41 (0)61 267 14 66
| Universitaet Basel                 fax. +41 (0)61 267 14 61
| Robert Frank                                        

| CH-4056 Basel           (remove any no_spam_ from my return address)
| Switzerland             http://www.veryComputer.com/~Robert.Frank

--
-------------------------------------------------------------------------------

Applied Research Laboratories                 The University of Texas at Austin
Ganymede, a GPL'ed metadirectory for UNIX     http://www.veryComputer.com/
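
One way to implement the proactive check Jose Nazario describes earlier in the thread (dictionary lookup plus the permutations a cracker tries) together with the permutation-aware history check discussed in the last two posts. This is an added Python example, not the thread's, cracklib's or npasswd's code; the word list, the substitution table and the thresholds are constructed for illustration.

```python
"""Proactive password-quality check, added here as an example: it is not the
thread's code, nor cracklib's or npasswd's.  It refuses a candidate that a
dictionary cracker would recover (dictionary word plus the usual
permutations) and one that is a trivial permutation of an earlier password
(the <password>1 -> <password>2 trick).  The word list, the substitution
table and the thresholds are constructed for illustration."""
import re
from typing import Iterable, List, Set

# Constructed mini word list standing in for the dictionary a cracker would use.
DICTIONARY: Set[str] = {"password", "secret", "welcome", "letmein", "monkey", "dragon"}

# Substitutions crackers try (digits and symbols in place of letters); undone
# before the dictionary lookup so that P@ssw0rd still maps to "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8       # the one rule smb.conf could express, per the thread
MIN_NON_ALPHA = 2    # the rule the original poster could not express in Samba
MIN_DISTINCT = 4     # refuses aaaaaa11-style repetition


def variants(pw: str) -> Set[str]:
    """Forms a dictionary cracker would derive from a candidate: lower-cased,
    with leading/trailing digits and symbols stripped, substitutions undone,
    and each of those reversed."""
    base = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    forms = {base, core, base.translate(LEET), core.translate(LEET)}
    forms |= {f[::-1] for f in list(forms)}
    return {f for f in forms if f}


def check_password(pw: str, previous: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate is refused; an empty list means accepted."""
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if sum(not c.isalpha() for c in pw) < MIN_NON_ALPHA:
        reasons.append("fewer than %d non-letter characters" % MIN_NON_ALPHA)
    if pw.isdigit():
        reasons.append("digits only")
    if len(set(pw)) < MIN_DISTINCT:
        reasons.append("too few distinct characters")
    forms = variants(pw)
    if forms & DICTIONARY:
        reasons.append("based on a dictionary word")
    # History check: sharing any derived form with an old password means the
    # user only appended or changed a digit, which is not a new password.
    for old in previous:
        if forms & variants(old):
            reasons.append("trivial permutation of a previous password")
            break
    return reasons


if __name__ == "__main__":
    for cand in ("password12", "aaaaaa11", "12345678", "P@ssw0rd!", "Xq9vLumber1"):
        print(cand, "->", check_password(cand) or "accepted")
    print("Xq9vLumber2 after Xq9vLumber1 ->",
          check_password("Xq9vLumber2", previous=["Xq9vLumber1"]))
```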

Post by Nicholas Bachman » Wed, 30 Jan 2002 08:18:31






> [...]

>>|
>>| there are still users who apparently think that password12 or aaaaaa11
>>| or 12345678 are appropriate passwords (fortunately they do not connect
>>| to the outside world)

> [...]

>>| Recommend any methodology in particular?
>>| The program "Satan" was popular about 6 years ago.  i am not sure
>>| where it stands now in relation to other security checks.

>>We have incorporated support for the npasswd
>>(http://www.veryComputer.com/) password quality
>>checking library in to the Ganymede userKit.  If you use the Ganymede
>>userKit with npasswd support to manage your passwords, Ganymede will
>>check all submitted passwords against as many dictionaries as you
>>specify when you configure npasswd.  npasswd also supports things like
>>password history, so that you can ensure that your users don't re-use
>>passwords within a given time period.

>>The Ganymede userKit does not yet support this, but we have
>>implemented logic in our own Ganymede configuration here to
>>additionally enforce password aging, so that our users have to change
>>their passwords every three months.

> [...]

> Ah, I love those impo*ts. "Please change your password ..."
> Then the user starts with <password>1, <password>2, <password>3, ...
> until the system accepts <password>1 again. And if the system prevents this, the
> passwords *will* be written down, you can bet on that. Although password aging is
> generally a good idea, the aging period should be as long as the environment can
> tolerate, or at least half a year. If someone can eruate your password, he or she
> will know the new ones just as soon ...

        An important part of the whole password thing for users is looking at
where your risks are and what ground you can afford to give.  For
example, if you let the users generate pronounceable random passwords
(Rainbow book recommendations, BTW) you can afford to let them keep the
password for longer.
        Unified passwords (like with PAM+[LDAP/NIS+]) could be a good thing for
your network.  So instead of having 12 passwords taped to their monitor
the user can remember one password that expires more often.  Encourage
users not to use this password for their personal use, though, because
there are big and obvious dangers in having a password like that
compromised.  When they are compromised, however, fixing the problem
only takes one step.
        You might be against that, and want to have separate passwords for each
major service.  In this situation, the compromise of a password isn't
devastating, but you stand a higher chance of written passwords and
<password>1, <password>2, etc.  Also, changing all passwords after a
compromise would be long and tedious; every password for each service
would need to be changed.

--
         Regards,
         N
+----------------------------------------------+

+ For a good laugh check out:                  +
+ http://www.veryComputer.com/;            +
+----------------------------------------------+

Post by Jonathan Abb » Wed, 30 Jan 2002 11:58:26




|       Unified passwords (like with PAM+[LDAP/NIS+]) could be a good thing for
| your network.  So instead of having 12 passwords taped to their monitor
| the user can remember one password that expires more often.  Encourage
| users not to use this password for their personal use, though, because
| there are big and obvious dangers in having a password like that
| compromised.  When they are compromised, however, fixing the problem
| only takes one step.

Precisely so.  We provide a unified password mechanism for our users
across UNIX, Windows, email, dial-up, etc.  Making sure that our users
have a minimum number of passwords to remember hopefully mitigates
against the writing-it-down factor.

|          Regards,
|          N

--
-------------------------------------------------------------------------------

Applied Research Laboratories                 The University of Texas at Austin
Ganymede, a GPL'ed metadirectory for UNIX     http://www.arlut.utexas.edu/gash2

Post by gaius.petroni » Wed, 30 Jan 2002 15:06:14



> > tolerate, or at least half a year. If someone can eruate your password, he or she
> > will know the new ones just as soon ...

>    An important part of the whole password thing for users is looking at
> where your risks are and what ground you can afford to give.  For
> example, if you let the users generate pronounceable random passwords
> (Rainbow book recommendations, BTW) you can afford to let them keep the
> password for longer.
>    Unified passwords (like with PAM+[LDAP/NIS+]) could be a good thing for
> your network.  So instead of having 12 passwords taped to their monitor
> the user can remember one password that expires more often.  Encourage
> users not to use this password for their personal use, though, because
> there are big and obvious dangers in having a password like that
> compromised.  When they are compromised, however, fixing the problem
> only takes one step.
>    You might be against that, and want to have separate passwords for each
> major service.  In this situation, the compromise of a password isn't
> devastating, but you stand a higher chance of written passwords and
> <password>1, <password>2, etc.  Also, changing all passwords after a
> compromise would be long and tedious; every password for each service
> would need to be changed.

Hi Nick
What did Bruce Schneier recommend for us, since he basically says we
can't win either way:

1: any interface that tries to unify all passwords will be subject to
cracking and then the entire infrastructure is compromised

2: users won't live with good passwords; they hate them