Do We Need Twelve Character Long Passwords?

Saturday, October 02, 2010

PCI Guru


Recently researchers from Georgia Tech released a paper saying that the days of eight character long passwords is over and that twelve character long passwords had arrived.

The researchers based their efforts on the use of the latest graphics cards that have the computing power of a supercomputer, have software development kits and can be programmed in C. 

However, the telling quote about their research came from the CNN Web site which stated, “The researchers used clusters of graphics cards to crack eight-character passwords in less than two hours.”

The first thing I thought of was, “What kind of system administrator lets a brute force attack on a single account run for two hours?” 

The answer was no one, not even stupid ones allow that to happen.  As a result, this seemed to be a lot of “Chicken Little” reporting if you think only about a brute force attack in the traditional sense.

But the more I thought about it I did come up with potential uses for their work.  Wireless technologies are a method of communication where a hacker could obtain passwords without setting off alarms.  So, there is a potential threat, but not as great as the news reports are making you believe.

Then there is the portability, or lack thereof, of a system packed with a bunch of graphics cards.  Yes, we will find a way to shrink it in time, but for now, it’s not a possibility.  So even while the wireless scenario is a threat, without the portability, it too is relatively minor.

This is the problem with security research.  You really have to read the research paper to understand if the threat could actually be used outside of the laboratory.  In the case of this threat, most system administrators have put the following controls in place to stop such attacks.

  • Accounts lock after three to five invalid logon attempts.  No running a brute force attack against accounts for two hours straight when you only get three to five logon attempts.
  • Once locked accounts can only be unlocked by contacting the help desk.  So you lock the account, you just call the help desk right?  Think the help desk will wonder why you are constantly asking for a reset?  Eventually, you will not be able to convince the help desk to reset the account.
  • The help desk requires users to uniquely identify themselves by answering a question that only the user would know the answer.  Now you will have to do research into the user to determine their children’s’ names, birthdates, pets’ names, etc.  That of course implies that you got past bullet number two.

The bottom line is that this is why security standards such as the PCI standards are built in layers.  As researchers discover new threats, there are other controls in place to prevent the failure of the control now in question.

However, where security people frequently mess up is in connecting the dots between the current threat and threats exposed months or years ago that were written off because they were believed to be blue sky thinking. 

I have seen examples where, in combination, the current threat plus older threats could be used to compromise security.  It was just all in how the threats were put together and the order they were executed.

This is why I think it is very important that security professionals need to understand their opponent and think like the opponent.  If you cannot understand how to put together an attack, it is very difficult to defend against it. 

The best security professionals I have ever worked with thought like their adversaries.  They were always trying to see things through their opponent’s eyes and think of ways to circumvent controls. 

It was through this sort of analyses that these top security people were able to create almost impenetrable defenses.  I say almost, because even these super security pros understand that security is not perfect.

Cross-posted from PCI Guru

Possibly Related Articles:
Security Awareness
Passwords Threat Modeling
Post Rating I Like this!
Javvad Malik I agree. I think far too often people end up with a blinkered view and don't consider all the practical implications.

Ultimately, criminal organisations operate very similarly to any legitimate business in the sense that they want to maximise their profits with the least amount of effort and risk. Quite often we witness lab-based exploits never being taken up in the real world because there comes a point where the criminal finds it easier and elss risky to whack someone over the back of the head with a crowbar and steal their wallet.
PCI Guru I have received a number of comments regarding off-line attacks. However, if you look at the PCI DSS there are a number of requirements that, if properly implemented, would stop an attacker from readily obtaining a password file from a Directory system and therefor would make getting the password file a problem.
Robb Reck Certainly there are mitigating controls in place to reduce the risk of a password being brute forced, and as responsible professionals we don't want to overstate the risk. But the research on this topic is important, and should be well publicized. One of the layers of our defense in depth strategy has taken a hit. Password that were previously considered practically unbreakable are now more vulnerable.
Javvad Malik Hi Robb,
Research is important and the results should absolutely be published.

But that's where researchers should stop. What you don't want is researchers making some bold statements such as "Chip and PIN is doomed" or for a layman (media reporter) to take a result out of context.

Once a researcher provides the information, security professionals should then analyse and make the call as to whether there is an immediate impact or not. Or what you end up with is a bunch of half-truths and impressionable CEO's breathing down their CISOs neck wanting them to fix the network before the Chinese unleash digital armageddon.
PCI Guru There is a very fine line between responsible and irresponsible research. And knowing which is which is even finer. And just because you can does not imply or mean you should. Not all research should see the light of day and I know that some of it does not. I'm not sure where this research should be, but it is worthwhile to know that something is not as solid as you might think. However, people need to have those of us that have some realworld knowledge put it in perspective.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.