Friday, January 19, 2007

Microsoft, the weakest link in your password policy?

Take a close look at the picture below. You can click on it to supersize it. The highlighted group policy setting affects how passwords are stored on your local machine. In my case, the "LAN Manager hash value" is stored when my password is changed. This is the default, out-of-the-box setting of this important security policy. Why is this important?

Well, I downloaded a program called "ophcrack" last weekend that managed to decrypt all of the local passwords - seven of them - in just over 5 minutes. My local administrator password on this machine is a 9 alphanumeric characters so I thought it was a bit stronger than 5 minutes of clock time!

This feat was easy to achieve because the LAN Manager hash is basically insecure. LAN Manager hashes are relatively easy to crack with a brute force cryptographic attack. The hashes that are created have the following characteristics:

  • The new password is padded with null characters until it's exactly 14 characters long
  • All lowercase characters in the password are converted to uppercase
  • The password is split into two 7 character chunks
  • Each chunk is used as a DES key to encrypt a specific string
  • Concatenates the two strings into a 128-bit string and stores the result

As with anything the stars have to align for a bad guy to make this work. He has to have access to your machine and he needs to run the decrypt program on a machine that has administrator access. In my case, my domain account is in the local administrators group. Also, I pretended I went out to lunch and left my machine unlocked. The rest was easy.

Once a bad guy has access to your machine it's possible to get the local passwords and other goodies like your VPN, network shares and Passport passwords as well. And, if you happen to be logged on to the network the bad guy can attack the SAM database on the domain controller.

My advice? Enable the group policy so the LAN Manager password is not stored! You can have a very complex password policy but if you are allowing LAN Manager hashes to be stored...

p.s. If you're interested in cryptography I highly recommend Bruce Schneier's Applied Cryptography book. It's my standard reference.

Technorati Tags:
, , , ,

1 comment:

Brent Rockwood said...

It is shocking, especially since these brute force tools have been widely available for over a decade. Finally this setting is enabled by default in Vista.