Password hacking is a lot more prevalent than you think. Most IT Security admins think password hacking is a juvenile attack and thwarted by account lockout policies. However, like the rest of the technology world, hacking tools and techniques have grown more sophisticated. In this modern time, a typical teenager “script-kiddie” can go to a local Starbucks, fire up a copy of FireSheep and hijack the web sessions of patrons.
Many years ago, I worked on the consulting side, and it was very common to go into a company, crank up L0phtCrack and show the IT staff that 20% or more of passwords could be cracked in 5 minutes or less. Most cracked passwords were painfully obvious choices that would be found on any top 10 list or would include simple words like the company name, street address, product names, etc. Worst of all, many of the basic passwords were used by users with more privileged access like those in management or in the financial departments.
Of course, to run a tool like L0phtCrack, you needed to be an admin on the network to dump the SAM database, so some IT administrators assume password cracking is a hard thing for an outside hacker to do, and they disregard password hacking attempts. There is a common misconception that the firewall is sufficient to keep someone from stealing the database, but attacks have become more sophisticated. It is very common for hackers to use phishing attacks and malware to get password hashes from the network and send them off network for cracking, or to spool up a local password cracker. Often, a local password cracker will crack the password of the local admin account; then the attacker can fingerprint the network and use that local admin password to gain local admin access to a workstation used by an IT administrator. Hackers can then use tools and techniques to escalate privileges to gain domain-level access or access to key servers in the company. For example, they will simply get the password to a domain admin-level service account used for tape backups, database or email services and use that account to access data on the network. Oftentimes, hackers go unnoticed for months.
On many networks, the IT staff make a ghost image of a workstation with a simple local admin password and deploy the image to all end-user workstations. This is dangerous. For one, every workstation has the same local administrative password; more importantly, it is highly likely that the local admin password is the same on the IT administrator’s workstation. If someone were to gain access, they could read all local data on an IT admin’s workstation, and such local data may reveal network information and other confidential data that could help gain higher privileges.
Many years ago, I worked on a network where a ghost image was used to deploy workstations. A very basic admin password on the ghost image was used, and as part of the IT staff’s deployment instructions, the password was to be set to a unique value based on the workstation name/number that would not be obvious to anyone should we have to provide a consultant or end-user with the local admin password. Seemed like a clever idea, and it was; the big flaw was using a simple admin password on the ghost image for convenience. When we had about 200 of the 300 workstations deployed with the new image, we were hit with a virus that ran a local password cracker. It quickly became obvious that the IT workstation admin had skipped the “change password” part of the instructions, and about 50 workstations were infected with the virus, which gained local administrative access by cracking the simplistic local admin password that should have been changed. Lesson learned: even with test accounts and ghost images, do not use a simple password.
As an IT professional, it is your responsibility to use smart passwords and to ensure the integrity of company data and information by disallowing the use of simplistic passwords. Knowledge and education go a long way, but simply telling the users to choose wise passwords will not work. Unless you use a password policy enforcement tool like nFront Password Filter, you will always have users who attempt to use simplistic passwords that can compromise the integrity of your network. Even the most expensive firewall and web application security products do not make up for the weak passwords chosen by end-users.
- Use 15+ character unique passwords for the local administrative account on each corporate workstation.
- Use a 15+ character strong password, even on your ghost image.
- Implement dictionary blacklisting (read tips on creating one here).
- Force users to use reasonable passwords that are not easily hacked. Ideally use a password filter to block the use of simple passwords.
- Consider implementing a password policy enforcement tool like nFront Password Filter.
- Do not use the same local administrative password on all corporate workstations.
- Do not use simple, basic passwords on ghost images or test accounts because you will likely overlook changing those passwords later.
- Do not allow users to use simple passwords such as Football1.
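As an added illustration of the dictionary-blacklisting and minimum-length rules above (example code, not nFront Password Filter's own logic), the following Python check rejects passwords that are merely a blacklisted word dressed up with a trailing digit or common character substitutions, so that Football1, F00tball! and AcmeCorpWelcome2024! are all caught. The blacklist and the company-specific terms (acme, widgetpro, mainstreet) are constructed sample values; a real filter would load a much larger word list.

```python
import re

# Constructed sample blacklist: a few top-N passwords plus company-specific
# terms (company name, street, product names), all stored lowercase.
BLACKLIST = {
    "password", "football", "welcome", "letmein", "qwerty", "monkey",
    "acme", "acmecorp", "mainstreet", "widgetpro",   # constructed company terms
}

# Substitutions users commonly rely on to slip a dictionary word past a naive
# check; they are undone before the blacklist lookup.
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                      "@": "a", "5": "s", "$": "s", "7": "t"})


def normalize(password):
    """Strip leading/trailing digits and symbols (e.g. the '1' in Football1),
    then lowercase and undo leet substitutions, leaving the word the user
    actually built the password on."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def blacklisted_term(password, blacklist=BLACKLIST):
    """Return the longest blacklisted term the password is built on, or None.
    Terms shorter than 4 characters must match the whole password to avoid
    rejecting every password that happens to contain a short substring."""
    core = normalize(password)
    if core in blacklist:
        return core
    for term in sorted(blacklist, key=len, reverse=True):
        if len(term) >= 4 and term in core:
            return term
    return None


def check_password(password, min_length=15, blacklist=BLACKLIST):
    """Apply the policy and return (accepted, reason). The default of 15
    characters matches the local-admin recommendation above; pass a lower
    min_length for ordinary user accounts."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if not normalize(password):
        return False, "contains no letters"
    term = blacklisted_term(password, blacklist)
    if term:
        return False, f"based on blacklisted term '{term}'"
    return True, "ok"
```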