« Mass Disappointment as Microsoft Fails to Let Big Brother in Through the USB Port | Main | Zeroshell and My Interop Security Hangover »

May 2, 2008

Ripping Passwords With Your Friend John

Today over on ENP I ran a tutorial from Paul Rubens on how to use John the Ripper:

“As a network administrator, how do you know which users have chosen passwords that can quickly be guessed or discovered using a brute force or dictionary attack, and which have chosen secure ones? After all, you can’t tell just by inspecting the hashes.

“That’s where John the Ripper - or ‘John’ to its friends – comes in. John is a multi-platform open source tool for carrying out smart guesses, wordlist attacks with word mangling, and even brute force attacks, on password hashes. Its primary purpose is to detect weak Unix password, but, according to Solar Designer, John’s developer, ‘besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.’”

And here’s his conclusion:

“How you decide to use John is up to you. You may choose to run it on all the password hashes on your system regularly to get an idea of what proportion of your users’ passwords are insecure. You could then consider how you could change your password policies to reduce that proportion (perhaps by increasing the minimum length.) You may prefer to contact users with weak passwords and ask them to change them. Or you may decide that the problem warrants some sort of user education program to help them select more secure passwords that they can remember without having to write them down.”

I’ve worked in settings where the password requirements were pretty stringent, with software analyzing passwords as they were requested by users and looking out for typical ‘l33t substitutions users might try to make the password at least somewhat memorable. I hated it, too.

Something like John the Ripper might represent a decent compromise: Set a reasonable baseline policy (at least one number, at least one non-alphanumeric character) and do periodic audits to make sure the very weakest passwords that still survive those criteria are flagged.

On the other hand, I just had a frustrating e-mail volley with an admin over a password. It wasn’t that my proposed password wouldn’t have been tough to guess … it was gibberish. The problem was, it was mnemonically simple gibberish (if you’re me), so it was too easy to try to touch-type it in.

In the end, I got myself locked out of the thing the password was protecting (3-strike policy) and had to get the password reset. Then I got locked out again. So I used a password generator, told it to avoid dictionary words and fed it parameters in line with the password policy. It produced a difficult password I will probably not memorize before the timeout makes me set a new one, but there’s zero chance I’ll try to touch-type it in.

I went around hating that for about a day, then I just wrote it down on a 3x5 card, folded up the card, and stuck it in my wallet where it is both safe and accessible, even if you’re sitting in the press room at Interop, which I was quite a bit this past week.

All of which is to say “hard passwords did not kill me.” And that causes me to think that it’s sort of patronizing to imply that hard passwords are just too hard for normal folks to cope with. “Normal folks” can use 3x5 cards and ball point pens, same as I can. If there’s any real problem with passwords at this point, it’s probably that it’s too easy to get people to give them up, and even that seems to be improving.

(Link)

Posted by mhall at 5:22 PM | Add Comment