This past week researchers from Georgia Tech released a paper saying that the days of eight character long passwords is over and that twelve character long passwords had arrived. The researchers based their efforts on the use of the latest graphics cards that have the computing power of a supercomputer, have software development kits and can be programmed in C. However, the telling quote about their research came from the CNN Web site which stated, “The researchers used clusters of graphics cards to crack eight-character passwords in less than two hours.”
The first thing I thought of was, “What kind of system administrator lets a brute force attack on a single account run for two hours?” The answer was no one, not even stupid ones allow that to happen. As a result, this seemed to be a lot of “Chicken Little” reporting if you think only about a brute force attack in the traditional sense.
But the more I thought about it I did come up with potential uses for their work. Wireless technologies are a method of communication where a hacker could obtain passwords without setting off alarms. So, there is a potential threat, but not as great as the news reports are making you believe.
Then there is the portability, or lack thereof, of a system packed with a bunch of graphics cards. Yes, we will find a way to shrink it in time, but for now, it’s not a possibility. So even while the wireless scenario is a threat, without the portability, it too is relatively minor.
This is the problem with security research. You really have to read the research paper to understand if the threat could actually be used outside of the laboratory. In the case of this threat, most system administrators have put the following controls in place to stop such attacks.
- Accounts lock after three to five invalid logon attempts. No running a brute force attack against accounts for two hours straight when you only get three to five logon attempts.
- Once locked accounts can only be unlocked by contacting the help desk. So you lock the account, you just call the help desk right? Think the help desk will wonder why you are constantly asking for a reset? Eventually, you will not be able to convince the help desk to reset the account.
- The help desk requires users to uniquely identify themselves by answering a question that only the user would know the answer. Now you will have to do research into the user to determine their children’s’ names, birthdates, pets’ names, etc. That of course implies that you got past bullet number two.
The bottom line is that this is why security standards such as the PCI standards are built in layers. As researchers discover new threats, there are other controls in place to prevent the failure of the control now in question.
However, where security people frequently mess up is in connecting the dots between the current threat and threats exposed months or years ago that were written off because they were believed to be blue sky thinking. I have seen examples where, in combination, the current threat plus older threats could be used to compromise security. It was just all in how the threats were put together and the order they were executed.
This is why I think it is very important that security professionals need to understand their opponent and think like the opponent. If you cannot understand how to put together an attack, it is very difficult to defend against it. The best security professionals I have ever worked with thought like their adversaries. They were always trying to see things through their opponent’s eyes and think of ways to circumvent controls. It was through this sort of analyses that these top security people were able to create almost impenetrable defenses. I say almost, because even these super security pros understand that security is not perfect.