Guessable Passwords: The Unpatchable Exploit

Sunday, May 20, 2012

f8lerror


During penetration assessments the pen tester attempts to compromise systems in an effort to penetrate client networks.

The pen tester tries various methods, from exploiting web application vulnerabilities, network layer vulnerabilities and common misconfigurations to exploiting the users themselves.

But this post is about which is more effective: guessing passwords or using exploits.

Currently the Exploit Database has 15,873 exploits. Is this all the exploits in the world? No, these are just many of them collected in one place. Even if we add another 14,478 to make an even 30,000 public exploits, is that truly a large attack surface when compared to the millions of systems on the Internet today?

If we pretend there are only 1 million systems on the Internet, that works out to only 3 percent of systems that can be exploited.

In contrast, as of December 31, 2011 there were 2,267,233,742 users on the Internet according to internetworldstats.com. We can even subtract a billion users for good measure, and that still leaves over a billion users.

We use passwords for everything from corporate/personal email, Facebook, banking and taxes to anything else you can imagine. How many of these users have weak or guessable passwords like password, 123456, Password1 or the really hard one to guess, P@ssw0rd ;).

The big problem is that these same users create passwords for their corporate systems too, and they put your corporation at risk. In the data collected, 2% of users chose a base word of password and 12% used a base word of a season such as summer, winter, spring or fall.

This was from a total user count of 38,148 across multiple corporate industries, not just random website breaches. In essence, 5,340 users could be compromised by an attacker guessing passwords like Password1, Summer11, Winter12 and Fall2011.

While these passwords conform to the term complex as defined by Microsoft, they are still weak. Many users take shortcuts because they feel they are not a target, not important, their access doesn't matter, or even out of spite towards the organization.

Penetration testers know this and so do the attackers.

[Image: passwordmeter.com screenshot rating the example passwords]

Passwordmeter.com in the screenshot above rates some of these passwords as strong, but they are rated strong because of the amount of time it would take a computer to crack them.

A standard desktop computer would take 10 days to crack “Fall2011” according to howsecureismypassword.net, and we won't even talk about how fast GPU cracking could crack this password.
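The gap between "complex" and "guessable" that the base-word statistics above and the strength-meter paragraph describe can be made concrete in code. The following is an added example, not code from the post or from any of the sites it mentions. It assumes a Windows-style complexity check (3 of 4 character classes, plus an assumed 8-character minimum), a small leet-speak map, about 30 year-like suffixes and 50 common symbol tails in an attacker's pattern list, an assumed guess rate of 2.5e8 per second for a desktop CPU, and a constructed sample of 20 passwords. For the same password it reports both the keyspace a strength meter brute-forces over and the far smaller number of guesses a pattern-aware attacker needs.

```python
import re

# Base-word families the post quantified; "autumn" is an assumed alias for "fall".
SEASONS = ("spring", "summer", "fall", "autumn", "winter")
# Assumed leet-speak substitutions an attacker would undo (P@ssw0rd -> password).
LEET = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "!": "i"}
TRAILING = re.compile(r"[\d\W_]+$")   # digits/symbols tacked on the end (Fall2011, Summer!)
LEADING = re.compile(r"^[\d\W_]+")    # digits/symbols tacked on the front
ASSUMED_YEARS = 30       # assumption: attacker tries ~30 two- and four-digit year suffixes
ASSUMED_TAILS = 50       # assumption: a short list of common symbol tails ("!", "!!", "#1", ...)
ASSUMED_RATE = 2.5e8     # assumption: guesses per second for a 2012 desktop CPU


def split(pw):
    """Split a password into (leading junk, core word, trailing junk)."""
    m = TRAILING.search(pw)
    trail = m.group(0) if m else ""
    core = pw[:len(pw) - len(trail)]
    m = LEADING.search(core)
    lead = m.group(0) if m else ""
    return lead, core[len(lead):], trail


def base_word(pw):
    """Lower-case core word with leet substitutions undone."""
    _, core, _ = split(pw)
    return "".join(LEET.get(c, c) for c in core.lower())


def category(pw):
    b = base_word(pw)
    if b == "password":
        return "password"
    if b in SEASONS:
        return "season"
    return "other"


def meets_ms_complexity(pw, username="", min_len=8):
    """Windows-style complexity: 3 of 4 character classes and not containing the username.
    The 8-character minimum is an assumed domain policy, not part of the complexity rule."""
    classes = sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    contains_name = bool(username) and username.lower() in pw.lower()
    return len(pw) >= min_len and classes >= 3 and not contains_name


def pattern_guesses(pw):
    """Guesses an attacker needs when trying base word + suffix patterns; None if the
    core word is not one of the two families modelled here."""
    cat = category(pw)
    if cat == "other":
        return None
    lead, core, trail = split(pw)
    bases = 1 if cat == "password" else len(SEASONS)
    caps = 2                                          # lower-case and Capitalised
    leet = 2 ** sum(1 for c in core if c in LEET)     # each substituted char doubles the set
    if trail == "":
        tails = 1
    elif trail.isdigit():
        tails = 10 if len(trail) == 1 else ASSUMED_YEARS
    else:
        tails = ASSUMED_TAILS
    heads = 1 if lead == "" else ASSUMED_TAILS
    return bases * caps * leet * tails * heads


def brute_force_guesses(pw):
    """Keyspace a strength meter assumes: (sum of character classes present) ** length."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # printable ASCII symbols incl. space
    return size ** len(pw)


def crack_seconds(guesses, rate=ASSUMED_RATE):
    return guesses / rate


def survey(passwords):
    """Count how many passwords fall into each base-word family."""
    counts = {"password": 0, "season": 0, "other": 0}
    for pw in passwords:
        counts[category(pw)] += 1
    return counts


# Constructed sample, not real breach data.
SAMPLE = ["Password1", "P@ssw0rd", "Summer11", "Winter12", "Fall2011", "Spring2012", "autumn!",
          "Tr0ub4dor&3", "correct horse battery staple", "I love fall!!", "123456", "qwerty",
          "letmein", "Welcome1", "Monkey99", "Dragon", "Baseball", "Football", "Shadow", "Master"]

if __name__ == "__main__":
    print(survey(SAMPLE))
    for pw in ("Password1", "Fall2011", "P@ssw0rd", "I love fall!!"):
        bf_days = crack_seconds(brute_force_guesses(pw)) / 86400
        print(f"{pw!r:18} complex={meets_ms_complexity(pw)!s:5} "
              f"pattern_guesses={pattern_guesses(pw)!s:5} brute_force_days={bf_days:.3g}")
```

Run as a script it prints the family counts for the sample and one line per example password. "Password1" and "Fall2011" both pass the complexity check, and the brute-force keyspace for "Fall2011" works out to roughly ten days at the assumed rate, yet the pattern model needs only 20 and 300 guesses respectively. "I love fall!!" also passes complexity, has a keyspace the brute-force model puts in the billions of years, and matches none of the modelled patterns, which is exactly the distinction the post is drawing.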

How do attackers use this information? This type of attack is normally executed using a username brute force. A username brute force tries one password, such as Password1, across multiple usernames. This technique avoids lockouts, and if run slowly enough it can go unnoticed by system administrators.

This is especially effective against a web mail server, since everyone has access to email. Against a small user base it wouldn't be very effective, but attacking over a hundred users can prove very lucrative.

Once the attacker can access email, which is generally controlled by Active Directory, the possibilities are endless depending on the systems available: VPN, Citrix, maybe remote desktop.
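The username brute force described above stays under every per-account lockout counter, so it only shows up when failed logins are viewed per source rather than per user. The detector below is an added example from the editor, not code from the post; it assumes a constructed one-line-per-attempt log format (`timestamp src=... user=... result=...`), RFC 5737 documentation addresses, and a constructed sample in which one outside address tries each of ten accounts once, five minutes apart, while another address hammers a single account. It alerts when one source fails against many distinct accounts within a sliding window without exceeding a small per-account count.

```python
import re
from collections import Counter, deque
from datetime import datetime

# Constructed log format (one line per authentication attempt), not a real product's format.
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(lines):
    """Parse log lines into (timestamp, source, user, result) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"]))
    events.sort()
    return events


def detect_spray(events, window_s=3600, min_users=8, max_per_user=2):
    """Flag a source that fails against many distinct accounts while staying under the
    lockout threshold for each one. Per-user lockout counters never see this pattern;
    only a per-source view within a time window does."""
    alerts, open_alerts, recent = [], {}, {}
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        q = recent.setdefault(src, deque())
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        per_user = Counter(u for _, u in q)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            a = open_alerts.get(src)
            if a is None:
                a = {"src": src, "first_seen": q[0][0], "last_seen": ts,
                     "distinct_users": len(per_user)}
                open_alerts[src] = a
                alerts.append(a)
            else:                                            # extend the existing alert
                a["last_seen"] = ts
                a["distinct_users"] = max(a["distinct_users"], len(per_user))
    return alerts


# Constructed sample log, not captured from a real system.
SPRAYED = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy"]
SAMPLE_LOG = (
    # one guess per account, five minutes apart, from a single outside address
    [f"2012-05-20T08:{5 * i:02d}:00 src=198.51.100.23 user={u} result=FAIL"
     for i, u in enumerate(SPRAYED)]
    # classic single-account hammering: trips lockout, but is not a spray
    + [f"2012-05-20T09:00:{i:02d} src=203.0.113.7 user=zoe result=FAIL" for i in range(5)]
    # ordinary users, plus a malformed line the parser should skip
    + ["2012-05-20T08:12:30 src=192.0.2.10 user=alice result=OK",
       "2012-05-20T08:40:10 src=192.0.2.11 user=carol result=FAIL",
       "2012-05-20T08:40:25 src=192.0.2.11 user=carol result=OK",
       "not a log line"]
)

if __name__ == "__main__":
    for a in detect_spray(parse(SAMPLE_LOG)):
        print(f"SPRAY src={a['src']} users={a['distinct_users']} "
              f"{a['first_seen']} .. {a['last_seen']}")
    print("10-minute window:", detect_spray(parse(SAMPLE_LOG), window_s=600))
```

With the default one-hour window the single outside address is flagged after its eighth account and the alert grows to all ten; the address hammering one account is left to the ordinary lockout rule. Shrinking the window to ten minutes makes the same sample produce no alert at all, which is the "run slowly enough" evasion the post mentions: the window a detector aggregates over has to be longer than the interval the attacker waits between accounts.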

In closing: use spaces, use symbols, use phrases. Changing your password from “Fall2011” to “I love fall!!” makes it harder to guess and now takes 1 billion years to crack on a desktop PC.

Eventually passphrases will have easily guessed phrases too, but the clock is ticking.
