Windows Passwords: Everything You Need To Know
Transcript of a slide deck (source: download.microsoft.com/download/a/d/0/ad0f04a3-21b2-4d79..., 2018-10-16)

Slide 1: Windows Passwords: Everything You Need To Know
Jesper M. Johansson
Enterprise Security Architect
Security Business and Technology Unit
Microsoft Corporation
[email protected]

Slide 2: Overview
- How passwords are stored
- How passwords are used
- How passwords are attacked
- Password best practices

Slide 3: How Windows Stores Passwords

Slide 4: In the beginning…

Slide 5: Password Representations
- LM "hashes": old technology used on LAN Manager
- NT hashes: a.k.a. Unicode password or MD4 hash; used for authentication on more recent Windows systems
- Cached credentials: derivation of the NT hash
- Stored User Names and Passwords: the calling application decides on the representation

Slide 6: LM "Hash" Generation
- Padded with NULL to 14 characters
- Converted to upper case
- Separated into two 7-character strings
Diagram: Seattle1 -> SEATTLE1 (upper-cased, NULL-padded) -> SEATTLE + 1****** -> each 7-character half is used as a DES key to encrypt a constant -> the two results are concatenated -> LM Hash

Slide 7: LM "Hash" Considerations
- It's not a hash
- Limited character set
  - Common alphanumeric set only
  - Case insensitive
  - 142 symbols
- Padded to exactly 14 characters
- Actually two seven-character passwords
- Maximum number of passwords ≈ 6.8*10^12
- Unsalted…

Slide 8: Salting
- Prevents deriving passwords from the password file
- Stored representation differs
- Side effect: defeats pre-computed hash attacks
Example from the slide (three accounts, same password, different salts):
Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
Cecil:root:209be1:a483b303c23af34761de02be038fde08

Slide 9: NT Hash Generation
- Hash the password
- Store it
Diagram: Seattle1 -> MD4 -> unicodePwd

Slide 10: NT Hash Considerations
- Case preserving
- 65,535 symbols
- Maximum length = 127 characters
- Number of ≤14-character passwords, same char set as LM hash ≈ 4.6*10^25
- Number of ≤14-character passwords (full char set) ≈ 2.7*10^67
- Number of 127-character passwords ≈ 4.9*10^611
- Unsalted

Slide 11: Cached Credentials Generation
- Stored at logon
- Managed by LSA
- Hash of a hash
Diagram: Unicode Pwd -> MD4 -> concatenated with Username -> hashed again -> Cached Creds.

Slide 12: Stored User Names And Passwords
- Credential Manager
- Stores specific password-based credentials locally
- Applications can leverage it for password storage
- Uses DPAPI for storage

Slide 13: How Passwords Are Used: Authentication

Slide 14: Authentication (authn)
- Winlogon passes the authn information to LSASS
- LSASS determines the authn package
  - Local or remote login? If remote:
    - Kerberos
    - MSV1_0: NTLMv2, NTLM, LM
- The chosen package generates authn data

Slide 15: NTLM And LM Authentication On The Wire
Client -> Server: Authn_Request
Server -> Client: Server_Challenge (nonce)
Client -> Server: LM Response: DES(LM Hash, nonce); NTLM Response: DES(Unicode pwd, nonce)
Server -> Client: Authn_Result

Slide 16: NTLMv2 Authentication On The Wire
Client -> Server: Authn_Request
Server -> Client: Server_Challenge (nonce_s)
Client -> Server: LM Response: DUMMY; NTLMv2 Response: f(Unicode pwd, nonce_s, nonce_c)
Server -> Client: Authn_Result
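The slide-16 exchange written out for both sides, as an added Python example rather than the deck's material. It instantiates f(Unicode pwd, nonce_s, nonce_c) with the HMAC-MD5 construction MS-NLMP specifies for NTLMv2 and also shows why a recorded response fails against a fresh challenge (the replay case of slide 23). The user, domain, target-info and nonce values are constructed; the stored NT hash is the well-known hash of the string "password".

```python
import hashlib
import hmac
import os
import struct
import time

# NT hash of "password" (a well-known test value). The server stores this, never the password.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain in UTF-16LE."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_blob(nonce_c: bytes, filetime: int, target_info: bytes) -> bytes:
    """The client-built 'temp' structure: response type, timestamp, client nonce, AV pairs."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + nonce_c + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, nonce_s: bytes, blob: bytes) -> bytes:
    """f(Unicode pwd, nonce_s, nonce_c) from slide 16: NTProofStr || blob."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), nonce_s + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash: bytes, user: str, domain: str, nonce_s: bytes, response: bytes) -> bool:
    """Server side: recompute the proof from the stored NT hash and the nonce it issued."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), nonce_s + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def exchange(nonce_s: bytes, nonce_c: bytes, nonce_s_later: bytes) -> tuple:
    """Run the slide-16 exchange once, then replay the captured response against a
    later server challenge. Returns (accepted_fresh, accepted_replay)."""
    user, domain = "alice", "CONTOSO"            # constructed identities
    target_info = b"\x00\x00\x00\x00"            # constructed minimal AV-pair list (MsvAvEOL)
    # 1. Authn_Request, 2. Server_Challenge: the server has issued nonce_s.
    # 3. The client computes the NTLMv2 response; the LM response slot carries a dummy.
    filetime = int(time.time() * 10_000_000) + 116_444_736_000_000_000   # Windows FILETIME
    blob = client_blob(nonce_c, filetime, target_info)
    response = ntlmv2_response(NT_HASH, user, domain, nonce_s, blob)
    # 4. Authn_Result: the server checks the proof against the hash it stores.
    fresh = server_verify(NT_HASH, user, domain, nonce_s, response)
    # The same recorded response checked against the later challenge: it only
    # verifies if the server reused nonce_s, which is why challenges must be fresh.
    replay = server_verify(NT_HASH, user, domain, nonce_s_later, response)
    return fresh, replay


if __name__ == "__main__":
    print(exchange(os.urandom(8), os.urandom(8), os.urandom(8)))   # (True, False)
```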

Slide 17: LMCompatibilityLevel

Client-side impact:

| Level | Sends                      | Accepts          | Prohibits sending        |
|-------|----------------------------|------------------|--------------------------|
| 0*    | LM, NTLM                   | LM, NTLM, NTLMv2 | NTLMv2, Session security |
| 1     | LM, NTLM, Session security | LM, NTLM, NTLMv2 | NTLMv2                   |
| 2*    | NTLM, Session security     | LM, NTLM, NTLMv2 | LM and NTLMv2            |
| 3     | NTLMv2, Session security   | LM, NTLM, NTLMv2 | LM and NTLM              |

Server-side impact:

| Level | Sends                    | Accepts      | Prohibits accepting |
|-------|--------------------------|--------------|---------------------|
| 4     | NTLMv2, Session security | NTLM, NTLMv2 | LM                  |
| 5     | NTLMv2, Session security | NTLMv2       | LM and NTLM         |

* Default on some OS

Slide 18: Kerberos Authentication
- Authenticates access to domain resources by domain members
- Uses different operations than NTLM
- Sensitive data is better protected from eavesdropping
- RFC compliant (yes, it is!)
- Uses the NT hash
- Well documented

Slide 19: How Passwords Are Attacked

Slide 20: Key Point
Bad passwords get broken, even when using good storage and authentication methods!
Solutions:
1. Use better passwords
2. Don't let bad guys get the hashes

Slide 21: Four Types of Attack
- Passive online
- Active online
- Offline attacks
- Non-electronic attacks

Slide 22: Passive Online Attacks: Wire Sniffing
- Access and record raw network traffic
- Wait until an authn sequence
- Brute force the credentials
Considerations:
- Relatively hard to perpetrate
- Usually extremely computationally complex
- Tools widely available

Slide 23: Passive Online Attacks: Man-in-the-Middle and Replay Attacks
- Somehow get access to the communications channel
- Wait until an authn sequence
- Proxy the authn traffic
- No need to brute-force
Considerations:
- Relatively hard to perpetrate
- Must be trusted by one or both sides
- Some tools widely available
- Can sometimes be broken by invalidating traffic

Slide 24: SMB Reflection Attack
1. Hey, I want to connect
2. What a coincidence, so do I.
3. OK, here is a challenge
4. Thanks! Here's your challenge, right back at you
5. All right, here's my response to your (my) challenge.
6. That's so nice, here's your response back to you

Slide 25: Cracking v. Guessing
- Guessing from the logon prompt
  - Very slow
  - Easy to detect
  - Core problem: bad passwords
- Cracking presumes the attacker has hashes
  - Hashes may be world readable
  - If not, the system has already been hacked
  - Very fast
  - Core problem: bad guys with access to hashes

Slide 26: Active Online Attacks: Password Guessing
- Try different passwords until one works
- Succeeds with…
  - Bad passwords
  - Open authentication points
Considerations:
- Should take a long time
- Requires huge amounts of network bandwidth
- Easily detected
- Core problem: bad passwords

Slide 27: Offline Attacks
- Attacker has the password database
  - How? Hard on Windows, easier on Unix
- Can attack at leisure
- Password representations must be cryptographically secure
Considerations:
- Moore's law
- Attacks against cached credentials are about 3x slower

Slide 28: Offline Attacks: Dictionary Attack
- Try different passwords from a list
- Succeeds only with poor passwords
Considerations:
- Very fast
- Core problem: bad passwords

Slide 29: Offline Attacks: Hybrid Attack
- Start with a dictionary
- Insert entropy
  - Append a symbol
  - Append a number
  - …
Considerations:
- Relatively fast
- Succeeds when entropy is poorly used

Slide 30: Offline Attacks: Brute-force Attack
- Try all possible passwords
  - More commonly, a subset thereof
- Usually implemented with progressive complexity
- Typically, the LM "hash" is attacked first
Considerations:
- Very slow
- All passwords will eventually be found
- Attack against the NT hash is MUCH harder than against the LM hash

Slide 31: Offline Attacks: Pre-computed Hashes
- Generate all possible hashes a priori
- Compare to database values
- Storing hashes requires huge storage
  - LM "Hashes": 310 Terabytes
  - NT Hashes < 15 chars: 5,652,897,009 exabytes
  - Solution: use a time-space tradeoff
- Succeeds due to lack of salt

Slide 32: Offline Attacks: Pre-computed Hashes, Considerations
- Takes significant effort up front
- LM Hashes much more vulnerable due to smaller key space and shorter length
- Web services available
- SETI-style efforts to generate tables
- Do not work against cached credentials
Mitigations:
- Use good passwords
- Remove LM Hashes

Slide 33: Pass-The-Hash Attacks
- Tool computes the response from the nonce based on an arbitrary hash
- Tools are rare but are available
- Instant attack
- Does not work with cached credentials
LM Response: DES(LM Hash, nonce)
NTLM Response: DES(Unicode pwd, nonce)

Slide 34: Offline Dictionary And Brute Force Attack

Slide 35: Non-Technical Attacks
- Shoulder surfing
  - Watching someone type their password
  - Common and successful
  - Mouthing the password while typing
- Keyboard sniffing
  - Hardware is cheap and hard to detect
  - Software is cheap and hard to detect
  - Both can be controlled remotely
- Social engineering…

Slide 36: Password Cracking at Layer 8
http://zdnet.com.com/2100-1105_2-5195282.html
http://story.news.yahoo.com/news?tmpl=story&cid=528&e=1&u=/ap/20050317/ap_on_go_ca_st_pe/irs_computer_security

Slide 37: Great Password, Weak Implementation

Slide 38: Password Best Practices

Slide 39: Pass Phrases v. Passwords

Slide 40: Longer Is Better!

Slide 41: Technology-Based Mitigation
- Disable LM hash storage
  - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
  - Passwords > 14 characters
  - Certain Unicode characters
  - Clustering, Windows CE, RTC, ??? broken
- Set NtlmMinClientSec & 0x80010
- Deploy password policy
  - Minimum length
  - Complexity
  - Expiration
  - Reuse

Slide 42: Password Filter

```c
/* Fragment of a password-filter callback as shown on the slide, repaired so it
 * compiles: szPwd/cchPassword are the candidate password and its length,
 * aBadWords a list of forbidden words, and the C1_* class flags come from
 * GetStringTypeW() (the slide tested them against the character itself). */
BOOL  bComplex = FALSE;
DWORD dwNum = 0, dwUpper = 0, dwLower = 0, dwSym = 0, dwUnicode = 0;
WORD  wType;
int   i;

if (strInList(szPwd, aBadWords)) {
    bComplex = FALSE;                       /* dictionary words never pass */
} else if (cchPassword > 9) {
    for (i = 0; i < cchPassword; i++) {
        GetStringTypeW(CT_CTYPE1, &szPwd[i], 1, &wType);   /* classify one UTF-16 unit */
        if (wType & C1_DIGIT)    { dwNum = 1;     continue; }
        if (wType & C1_UPPER)    { dwUpper = 1;   continue; }
        if (wType & C1_LOWER)    { dwLower = 1;   continue; }
        if (wType & C1_SYMBOL)   { dwSym = 1;     continue; }
        if (isUnicode(szPwd[i])) { dwUnicode = 1; continue; }   /* non-ASCII code unit */
    }
    if (bUserIsAdmin) {   /* Admins need better passwords than users */
        if ((dwNum + dwUpper + dwLower + dwSym + dwUnicode == 5) && cchPassword > 14)
            bComplex = TRUE;
    } else {              /* User is not an admin, use lower requirements */
        if ((dwNum + dwUpper + dwLower + dwSym + dwUnicode) >= 4)
            bComplex = TRUE;
    }
}
```

Slide 43: Technology-Based Mitigation: Multi-factor Authentication
- Why use passwords at all?
- Smart cards: two-factor authentication
  - Very difficult to thwart
  - High cost of initial deployment
- Biometric: two- or three-factor authentication
  - Usually defeated with non-technical attacks
  - Very expensive
  - Failure-prone

Slide 44: Fun With Biometrics

Slide 45: Detecting Attacks: Account Lockout
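Slides 25 and 26 call guessing from the logon prompt easy to detect and slide 45 names account lockout as the detection; the following added Python example (not from the deck) shows the counting behind that: failed-logon records are evaluated against a lockout threshold within an observation window, and failures are also tallied per source address. The log lines are constructed, loosely modelled on the fields of the Windows "account failed to log on" event (4625); the threshold and window values are assumptions standing in for a site's policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, event id, account, source address.
SAMPLE_EVENTS = """\
2005-03-17T09:00:01 4625 alice 10.0.0.7
2005-03-17T09:00:03 4625 alice 10.0.0.7
2005-03-17T09:00:04 4625 alice 10.0.0.7
2005-03-17T09:00:06 4625 alice 10.0.0.7
2005-03-17T09:00:07 4625 alice 10.0.0.7
2005-03-17T09:00:09 4625 alice 10.0.0.7
2005-03-17T08:00:00 4625 bob 10.0.0.9
2005-03-17T10:15:00 4625 bob 10.0.0.9
2005-03-17T10:16:00 4624 bob 10.0.0.9
2005-03-17T12:30:00 4625 bob 10.0.0.9
"""


def parse_events(text: str) -> list:
    """Turn the sample lines into (time, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), account.lower(), src))
    return events


def lockout_decisions(events: list, threshold: int = 5,
                      window: timedelta = timedelta(minutes=30)) -> list:
    """Emulate an account-lockout policy: `threshold` failed logons for one account
    inside `window` lock it. Returns [(time_of_lockout, account)]. Failures older
    than the window are forgotten, which is what the observation window does."""
    recent = defaultdict(deque)
    locks = []
    for ts, eid, account, _src in sorted(events):
        if eid != 4625:            # only failed logons count towards lockout
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locks.append((ts, account))
            q.clear()              # the counter resets once the account is locked
    return locks


def failures_by_source(events: list) -> dict:
    """Failed logons per source address: a guessing run from one host stands out."""
    counts = defaultdict(int)
    for _ts, eid, _account, src in events:
        if eid == 4625:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print(lockout_decisions(ev))       # alice locked at 09:00:07; bob's spread-out failures never trip it
    print(failures_by_source(ev))      # {'10.0.0.7': 6, '10.0.0.9': 3}
```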

Slide 46: Summary
- How passwords are stored
- How passwords are used
- How passwords are attacked
- Password best practices

Slide 48: Passwords Article Series
http://www.microsoft.com/technet/security/secnews/newsletter.htm

Slide 49: For more information
Jesper and Steve finally wrote a book!
Order online: http://www.awprofessional.com/title/0321336437
Use promo code JJSR6437
[email protected]

Slide 50
Jesper M. Johansson
[email protected]
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.