Twelve Character Long Passwords

This past week researchers from Georgia Tech released a paper saying that the days of eight-character passwords are over and that twelve-character passwords have arrived. The researchers based their work on the latest graphics cards, which have the computing power of a supercomputer, come with software development kits and can be programmed in C. However, the telling quote about their research came from the CNN Web site, which stated, “The researchers used clusters of graphics cards to crack eight-character passwords in less than two hours.”

The first thing I thought of was, “What kind of system administrator lets a brute force attack on a single account run for two hours?” The answer was no one; not even stupid ones allow that to happen. As a result, this seemed like a lot of “Chicken Little” reporting if you think only about a brute force attack in the traditional sense.

But the more I thought about it, the more potential uses I found for their work. Wireless technologies are a method of communication where a hacker could obtain passwords without setting off alarms. So there is a potential threat, but not as great as the news reports would have you believe.

Then there is the portability, or lack thereof, of a system packed with a bunch of graphics cards. Yes, we will find a way to shrink it in time, but for now it is not a possibility. So even though the wireless scenario is a threat, without portability it too is relatively minor.

This is the problem with security research. You really have to read the research paper to understand whether the threat could actually be used outside of the laboratory. In the case of this threat, most system administrators have the following controls in place to stop such attacks.

  • Accounts lock after three to five invalid logon attempts. There is no running a brute force attack against an account for two hours straight when you only get three to five logon attempts.
  • Once locked, accounts can only be unlocked by contacting the help desk. So you lock the account and just call the help desk, right? Think the help desk will wonder why you are constantly asking for a reset? Eventually, you will not be able to convince the help desk to reset the account.
  • The help desk requires users to uniquely identify themselves by answering a question that only the user would know the answer to. Now you will have to do research into the user to determine their children’s names, birthdates, pets’ names, etc. That of course implies that you got past the second bullet.
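The three controls above, as an added example that is not code from the original post: a small Python model of a password directory that salts and hashes passwords, locks an account on the fifth failed logon (five is a constructed threshold within the post's three-to-five range), refuses even the correct password while locked, and unlocks only through a help-desk step that checks the user's challenge answer. The account name, password and challenge answer are constructed, and `guesses_until_lock` only measures how many candidate passwords the control lets through before it stops the attempt.

```python
import hashlib
import hmac
import os

# Constructed threshold: the post gives three to five invalid attempts; five is used here.
LOCKOUT_THRESHOLD = 5
PBKDF2_ROUNDS = 100_000


def _hash(secret, salt):
    """Salted PBKDF2-HMAC-SHA256; used for both the password and the help-desk answer."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, password, challenge_answer):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        # The help desk's "question only the user would know"; the answer is stored hashed too.
        self.answer_hash = _hash(challenge_answer.strip().lower(), self.salt)
        self.failed_attempts = 0
        self.locked = False


class Directory:
    def __init__(self):
        self.accounts = {}
        self.help_desk_calls = []  # audit trail of unlock requests, one entry per call

    def create(self, user, password, challenge_answer):
        self.accounts[user] = Account(password, challenge_answer)

    def login(self, user, password):
        """Returns 'ok', 'denied' or 'locked'. The account locks on the Nth consecutive failure."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash(password, bytes(16))  # same cost for unknown users, so timing reveals no usernames
            return "denied"
        if acct.locked:
            return "locked"  # even the right password is refused while locked
        if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "denied"

    def help_desk_unlock(self, user, challenge_answer):
        """The only way out of a lock: the help desk verifies the challenge answer."""
        acct = self.accounts.get(user)
        if acct is None or not acct.locked:
            return False
        self.help_desk_calls.append(user)  # repeated calls are what the help desk notices
        if hmac.compare_digest(acct.answer_hash, _hash(challenge_answer.strip().lower(), acct.salt)):
            acct.locked = False
            acct.failed_attempts = 0
            return True
        return False


def guesses_until_lock(directory, user, candidates):
    """How many candidate passwords the lockout control lets through before stopping the attempt."""
    tried = 0
    for candidate in candidates:
        tried += 1
        result = directory.login(user, candidate)
        if result in ("ok", "locked"):
            return tried, result
    return tried, "exhausted"


if __name__ == "__main__":
    d = Directory()
    d.create("alice", "correct horse battery staple", "Rex")  # constructed credentials
    print(guesses_until_lock(d, "alice", ["password%d" % i for i in range(50)]))  # (5, 'locked')
    print(d.login("alice", "correct horse battery staple"))  # locked
    print(d.help_desk_unlock("alice", "rex"), d.login("alice", "correct horse battery staple"))  # True ok
```

Run as a script it shows the three layers in order: fifty candidates are cut off at the fifth, the genuine password is refused until the lock is cleared, and the lock clears only after the help desk gets the right challenge answer. The `help_desk_calls` list is the piece a real help desk would watch: a user who keeps calling for unlocks is the signal the second bullet relies on.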

The bottom line is that this is why security standards such as the PCI standards are built in layers.  As researchers discover new threats, there are other controls in place to prevent the failure of the control now in question.

However, where security people frequently mess up is in connecting the dots between the current threat and threats exposed months or years ago that were written off because they were believed to be blue sky thinking.  I have seen examples where, in combination, the current threat plus older threats could be used to compromise security.  It was just all in how the threats were put together and the order they were executed.

This is why I think it is very important that security professionals understand their opponent and think like the opponent. If you cannot understand how to put together an attack, it is very difficult to defend against it. The best security professionals I have ever worked with thought like their adversaries. They were always trying to see things through their opponent’s eyes and think of ways to circumvent controls. It was through this sort of analysis that these top security people were able to create almost impenetrable defenses. I say almost, because even these super security pros understand that security is not perfect.


10 Responses to “Twelve Character Long Passwords”

  1. TurboBorland
    October 3, 2010 at 4:46 PM

    Followed the line of linkedin->infosecisland->your article.

    Anthony, this guy does not understand the context of the report.

    “A computer stores user passwords in an encrypted “hash” within the operating system. Attackers who locate a password hash can besiege it by building a rainbow table, which is essentially a database of all previous attempts to compromise that password hash. ”

    This is bruteforcing a hash, not bruteforcing the account straight up. Once a hash is obtained, it’s trivial to run a cluster (look at Amazon EC3) for fairly cheap that will be dedicated towards attacking one of or the compromised hash. These can also be used to build up the rainbow table as well by using one machine to work on a set.

    Look at commercial products like Elcomsoft who sell software that can do such tasks with distributed systems and using the GPU.

    Then there is the harping on the 3 strikes and you’re out “safety” feature that PCI requires. This makes it incredibly easy to perform a DoS attack at any point in time. That’s quite the trade-off in time-critical environments.

    • October 4, 2010 at 9:47 AM

      Remember, there are other controls in the PCI DSS that protect the directory from being obtained so that an off-line attack of the passwords can be accomplished. It was my assumption that an organization would be following and complying with all of the PCI DSS and therefore the ability to obtain the directory would be nil.

  2. Not a QSA
    August 23, 2010 at 1:22 PM

    Interesting but is the point here that to benefit from the processing power of multiple GPU for the brute-force attack the attack would have to be off-line? The delays of a network connection would negate the benefit of all that horsepower?

    • August 23, 2010 at 5:46 PM

      I agree. This is the problem with academic research. It comes off as sounding like a real threat, but under the covers it’s all “Chicken Little”. The problem is that you have to wade through each report to find out if it’s a real threat or just a great academic exercise. Unfortunately, most of these “big thinks” are just that. Like I always like to say, “In theory, theory works.”

  3. David Griffiths
    August 23, 2010 at 6:01 AM


    “The bottom line is that this is why security standards such as the PCI standards are built in layers. As researchers discover new threats, there are other controls in place to prevent the failure of the control now in question.”

    So …

    The PCI standards mean that I can’t intercept the authorisation flow or the settlement records and pick up Track 2 data like I used to be able to do. However, I have recently discovered that I can still read the track 2 data from the card, so I’m going to have a go at that now. Surprised they missed that one, but I have no doubt that they are working on it.

    Beware, there is irony here.

    Ho Hum!

  4. August 22, 2010 at 6:48 PM

    I believe you are slightly missing the point…

    “The first thing I thought of was, ‘What kind of system administrator lets a brute force attack on a single account run for two hours?’ The answer was no one, not even stupid ones allow that to happen. As a result, this seemed to be a lot of “Chicken Little” reporting if you think only about a brute force attack in the traditional sense.”

    You are operating under the assumption that these are ‘on-line’ brute force attacks against an account on a corporate network. This is not the case. You also ask who in their right mind would be able to smuggle a computer packed with high-end graphics cards into the organisation and start cracking passwords.

    “Then there is the portability, or lack thereof, of a system packed with a bunch of graphics cards. Yes, we will find a way to shrink it in time, but for now, it’s not a possibility.”

    Again you are not looking at the bigger picture. For starters, no attacker in their right mind would sit there and try to brute force a domain account from either the internet or on the corporate network. Because as you pointed out, there are a number of methods in place by the administrator to alert about, and block, this activity. These sorts of attacks don’t happen. (Unless you happen to be the IT administrator for a local school!)

    How are people brute forcing accounts from a company then? By any one of the thousand ways an attacker can get INTO your company. Mis-configured web servers, FTP servers, sending a malicious PDF to HR with a backdoor tunneling out over an encrypted DNS tunnel. Once an attacker can exploit ANY weakness to gain a foothold into the company, they can then use that point as a launching pad to either exploit or gain access to more sensitive services.

    For example, an un-patched FTP server on the network. If someone found an exploit for this, they could plant a keylogger onto it. They could then sabotage it or turn off the FTP service, forcing a technician or IT admin to (more than likely) ‘log in as a domain admin account’. Once the attacker has this, he could use those credentials to get on to any other service which gives him an entry way into the company and grab the hashes from the domain controller. Once he has these hashes… he dumps them onto his local drive at home, and rips through them with brute force or rainbow tables. All of these bulky graphics cards are in his home computer… he is not taking it into the office, NOR is he brute forcing the accounts ‘on-line’. Brute forcing domain passwords is always performed off-line via the hashes, not in real time against a live account (unless this is another service, but that isn’t the premise here).

    So while 12 characters are better than 8… it’s still not good enough. If you are interested I wrote a blog post regarding passwords and password security. These attacks would be far less viable if people just started thinking differently about ‘what a password is’. http://mcfly-security.blogspot.com/2010/07/art-of-hiding-passwords-in-plain-sight.html


    • September 18, 2010 at 12:33 PM

      I agree with a lot of what you are saying. But even off-line attacks are usually tough. Most of my clients understood the threat to their user directory systems, so those systems are very well hardened and protected. In addition, the use of user directories that face the Internet has really fallen off. So the chances of getting your hands on a usable and relevant shadow file or user hive are almost slim to none.

  5. August 22, 2010 at 11:23 AM

    Interesting spot of research. The key accounts usually to go for will be Administrator and Root, as they never lock out. Pick a holiday day, evening or weekend and get cracking.
    Long is strong and definitely helps, but one thing I typically find in my audit work is that nobody checks the logs. Furthermore, one of my favorite audit questions is ‘who’s looking at the logs on Christmas Day, or Thanksgiving?’ – I often get laughed down and the mentality is that people do not think they’re going to get attacked outside of working hours.
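The audit observations in the comment above (privileged accounts that never lock out, logs that nobody reads, attacks timed for holidays and weekends), as an added example that is not part of the comment or of the original post: a Python scanner over constructed OpenSSH-style failed-logon lines that reports bursts of failures per account and source address, and any failures against privileged accounts outside business hours, on a weekend or on a holiday. The line format is OpenSSH's syslog output; the year (syslog lines carry none), the holiday list, the business hours, the privileged account names and the burst threshold are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH/syslog-style lines (not real data): one mistyped password for alice
# on a Monday morning, one root failure during business hours, and a dozen root failures
# in the small hours of Christmas Day from a single source.
SAMPLE_LINES = [
    "Aug 23 10:02:11 payhost sshd[2201]: Failed password for alice from 10.0.0.7 port 40122 ssh2",
    "Aug 23 10:02:19 payhost sshd[2201]: Accepted password for alice from 10.0.0.7 port 40122 ssh2",
    "Aug 23 14:00:05 payhost sshd[2310]: Failed password for root from 10.0.0.7 port 40410 ssh2",
] + [
    "Dec 25 02:14:%02d payhost sshd[3120]: Failed password for root from 10.0.0.5 port %d ssh2" % (s, 51200 + s)
    for s in range(0, 60, 5)
]

LOG_YEAR = 2010                          # assumed: syslog lines carry no year
PRIVILEGED = {"root", "administrator"}   # the accounts the comment says never lock out
HOLIDAYS = {(11, 25), (12, 25)}          # constructed: US Thanksgiving and Christmas Day 2010
BUSINESS_HOURS = range(8, 18)            # assumed local working hours

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(lines):
    """Return (timestamp, user, source) for each failed-password line; other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(
            "%d %s %s %s" % (LOG_YEAR, m.group("mon"), m.group("day"), m.group("time")),
            "%Y %b %d %H:%M:%S")
        events.append((stamp, m.group("user"), m.group("src")))
    return events


def find_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """(user, source, count) for every pair with at least `threshold` failures inside one window."""
    stamps_by_pair = defaultdict(list)
    for stamp, user, src in events:
        stamps_by_pair[(user, src)].append(stamp)
    findings = []
    for (user, src), stamps in sorted(stamps_by_pair.items()):
        stamps.sort()
        best, start = 0, 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append((user, src, best))
    return findings


def is_off_hours(stamp):
    weekend = stamp.weekday() >= 5
    holiday = (stamp.month, stamp.day) in HOLIDAYS
    return weekend or holiday or stamp.hour not in BUSINESS_HOURS


def find_off_hours_privileged(events):
    """Failures against privileged accounts on weekends, holidays or outside business hours."""
    hits = {(user, src, stamp.date().isoformat())
            for stamp, user, src in events
            if user.lower() in PRIVILEGED and is_off_hours(stamp)}
    return sorted(hits)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LINES)
    print(find_bursts(failures))                # [('root', '10.0.0.5', 12)]
    print(find_off_hours_privileged(failures))  # [('root', '10.0.0.5', '2010-12-25')]
```

The two checks answer the two questions the comment raises. The burst check is the lockout control's substitute for accounts that cannot lock: the count is what an alert should fire on, since no lock will. The off-hours check is the "who is looking on Christmas Day" question turned into a rule, so that the single weekday root failure passes while the Christmas morning run does not.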

  6. December 8, 2010 at 6:23 AM

    While this blog entry points out a lot of valid points, the point of my post was that not every piece of research is always a threat. This all relates to defense in depth. If an organization complies with ALL of the PCI DSS there are other requirements that will prevent such an attack from occurring. Granted, if there are slip ups in complying with these other controls, then all bets are off. But that is where diligence comes into play and why diligence is both important and tough. The tough part of diligence is keeping people engaged while they wait for an incident that may never occur. This is why we are starting to see statistical evidence that supports the fact that a large portion of compromises are the result of human error, not the skills of the attacker. The attacker was just at the right place at the right time and was able to leverage the error. The problem we see in a lot of organizations is that they end up with too many gaps in their controls resulting in holes that can be leveraged to cause a compromise. Most of these gaps are just the result of humans being humans. While technology can address a few of the errors, most errors are the result of poorly tuned monitoring systems that do not allow people to identify real incidents versus false positives. As a result, people resort to human nature and just ignore everything.


If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.

