All Windows passwords shorter than about 10 characters shouldn't be considered secure, as the NT Hash at this point is so easily reversible that it's basically a "light obfuscation" at best. A single GPU can crack all 8-character passwords in minutes. The single best security setting on a Windows network is to increase the minimum password length to something like 14 characters. Use 20+ for privileged or service accounts.
The second best thing to do is to scan password hashes against "top password" lists and reject any that are in the top-N, where its up to your business policy what 'N' is. I recommend at least the top 10,000 most common passwords being outright rejected.
The third thing is to match against specific leaks. E.g.: if you have john.smith@foo.com and there is a leak of his email and password where the password matches your records, force a password change immediately.
All of the above assumes that MFA is in place, your servers are patched, and there are extensive audit logs on all authentication attempts.
Note that cracking the NT hash rarely results in escalation of privileges due to the pass-the-hash vulnerability. There is almost never any need to crack NT hashes.
The attacks you need to defend against are:
1) online password guessing, 2) Kerberoast, 3) cracking NTLMv2 authentication handshakes, 4) cracking DCCs (Domain Cached Credentials).
1) is solved by applying a moderate list of banned passwords, a sensible lockout threshold and MFA for things on the internet.
2) and 4) are only against high privileged accounts, as they imply access to a low priv account already. (You need an account to request kerberos tickets and if you can read DCCs, you usually can compromise at least a computer account). High privilege accounts should never be accounts that you log on with before you can access a password manager, so they should simply use a 16 character randomly generated password. Make this a requirement in your org, perhaps crack passwords yourself regularly to confirm.
So you're left with 3) which is effectively salted and orders of magnitudes harder to crack compared to NT hashes.
Can a Windows expert chime in here. Why is the NT hash even calculated any more? Is it still the default? Can group policy be configured to tell everything to not used to disable NTLM everywhere? And can't AD be configured to disable RC4 everywhere? Do MS ever plan to properly deprecate NTLM/RC4, disable it in new domains and start displaying prominent warnings when they're enabled?
> The third thing is to match against specific leaks. E.g.: if you have john.smith@foo.com and there is a leak of his email and password where the password matches your records, force a password change immediately.
I’ve wanted to do something similar but how would you do this without direct access to HIBP’s data?
I don’t want to send customer email addresses to a third party, at least not without a contract.
i am forced to use windows machines in my own office. i know people and kids who use windows machines. with new installs, they are being taught to set a password, which is fine for a bank or a super secure machine that holds financial data but for kids and grannies and drone office workers, this gets tiring. Now you are saying to FORCE them to use 14+ characters. HOW? why?
in linux there is a "auto login with this password" which i love to use because there is nothing so private in my machine so i can just go in and out
Something I’ve wished companies would do: publish (on an internal site) all of their employees’ previous passwords each time they’re rotated. Users would be compelled to create better passwords out of sheer embarrassment/competitive spirit.
Hey, I keep seeing people claim biometrics somehow fix the password problem, but I feel like this is just a password you can't change? I can't change my fingerprints nor my retina, but if that data ever gets leaked, then that's vulnerable forever?
In my mind, there's no world where one could make a biometric scanner that couldn't be spoofed (presumably with an arduino USB interface) and then when all these corporations with the worst security (Facebook, Experian, etc) leak my data, can't anyone log into my account?
My country has my fingerprints because I have an id document like everybody else.
A number of states around the world have my fingerprints too because I entered those countries as tourist and I had to put at least one finger on a reader.
Maybe some country included mine also have my retina scan, I had to look into some cameras sometimes.
All those biometric information could be leaked, sold by corrupt civil servants or exchanged with other countries so random passwords generated by a password manager protects me more than biometric information. Am I wrong?
Of course some site could store and share with whoever they want my cleartext password before hashing it but I use one different password per site.
We have id card, which contains client authentication certificates. The procedure on acquiring ID card is the same as passport and carries the same legal power. You have to show up in real life and they take your fingerprints, photo and issue you ID card. ID cards will actually be mandatory for everyone beginning 2023-01-01 - up until now they are optional but very much favored around my circle. There is a fair amount of stuff you can only do with ID card (remotely):
- Set up smart-id for 2FA for banking app in your smartphone. No, I don't have option not to use 2FA.
- Official communication with .gov entities.
- Signature & timestamp service
- Remote notary services (requires video presence and showing ID card additionally to actually using it to put digital signature)
- Logging in various sites (banking, government entities)
- Recovering from lost second factor at national TLD DNS registry.
This is the ultimate authentication mechanism that services use to allow you to perform so much.
To authenticate & put down signature, you must use dedicated PIN code for each of those operations. And of course you must possess the card (use card reader).
Generally, you're not logging in directly with the biometric data. The biometric data never leaves your device, it is just used to protect some kind of secret key on the local device that it actually uses for the authentication when logging in. If you need to log in another device, you would use an existing device to confirm the new login or you would need to use some other authentication method.
Yeah biometrics are not password replacement. The solution everyone uses today is "something you have (2fac device) + something you know (password)" -- the 2fac device needs to be a OTP generator, but you could even further secure this by requiring biometrics to generate the OTP (e.g. imagine a security key that refuses to acknowledge touch unless it senses your fingerprint).
Biometrics without the other two doesn't help anyone.
> but I feel like this is just a password you can't change
Not quite. IBM has (had?) a research program on "cancelable" biometrics. I do not recall perfectly, but I think they were tweaking the encoded biometric sensor data before committing it to DBs. If there is a leak, one can redo it with a new tweak (like a new salt or nonce).
The worst thing about biometrics or hardware devices is that someone can force you to give them out in my opinion. If I have a 6 word passphrase which I remembered, no one can get it unless I give it to them (Yeah, I know there's still some methods https://xkcd.com/538/).
The rockyou.com insight was new to me. I hadn't heard of this breach somehow. I was wondering how they had 32m users and read some more on Wikipedia and they had Facebook apps and some MySpace plugins.
From Wikipedia
> In December 2009, RockYou experienced a data breach resulting in the exposure of over 32 million user accounts. This resulted from storing user data in an unencrypted database (including user passwords in plain text instead of using a cryptographic hash) and not patching a ten-year-old SQL vulnerability. RockYou failed to provide a notification of the breach to users and miscommunicated the extent of the breach
Fun fact: rockyou.txt by now is probably one of the most common/famous wordlists out there, used for doing various types of dictionary attacks and the entire list ships by default with lots of tools, including Kali Linux which is a common distribution for pentesting.
> Instead of passwords, we should use something like FIDO, which allows users to log in using a security key or biometric information.
The problem "in the real world" is that people will lose these keys all the time. I mean, I agree, passwords need to die, and hopefully some of the work that is being done by Apple and others will help bring on an end to passwords, but you can't really talk about replacing passwords with FIDO keys without talking about how to deal with account lockouts, which is a real, hard problem.
Similarly, biometrics may be good for a user ID but they make horrible passwords. These days fingerprints and irises can be copied from photographs.
This is typically the problem with silver bullet solutions. You can easily look at the solution that’s been in place for decades and see where it fails, because you have decades of data to look at. You look at your new shiny solution, and you can see that it solves all of those problems. What you can’t see, because you don’t have decades of data to look at, are all the new problems that will come up with the new solution. You’ll notice some of them, and you can try to patch over them, but you’re bound to miss a lot.
Which isn’t to say that you shouldn’t go with the new solution anyway. But I’m always skeptical when all people say is “it solves all the existing problems.”
Exactly. I asked Per Thorsheim once about resetting 2FA creds, something that is viable for banks etc. that hold a lot of semi-private data which can be used to verify your data but for a much smaller startup with basic account info.
He said he didn't know how it would be done securely.
I see a lot of attacks are due to account takeover and we currently seem torn between allowing an attacker to circumvent the 2FA by account reset or leaving someone unable to access their account for ever.
I started scanning 2FA codes into two phones, my main one and one that I leave hidden at home (and switched off) for backups. Knowing my luck though, I'll ned to access the one that I forgot to scan into the second phone!
I hope that the availability of using device-based (using the built-in hardware in a device they're less likely to lose like a phone/laptop) or account based (like the passkeys synced to iCloud/Google/Microsoft) will help mitigate the issue of people losing them. Regardless of which option they use though, they should treat them like home/car keys and have backups in place.
As for the biometrics, when people talk about biometrics for authentication, they are usually talking about using the biometrics to unlock something stored securely on a device. Without the device that has the actual credential being used, the biometric that has been copied doesn't do attackers much good.
Don't worry, all I can see is ••••••••••••. The browser builds in technology so that it conveniently shows you your password (BingoBingo77), but all I can see is ••••••••••••. Neat, right?
Yubikey is here since 2007... and Windows 10 still doesn't support passwordless, security key only! login. They want you to register a goddamn MS account too...
>In fact, pretty much the only case where complexity and length matter is when we’re defending against offline password cracking. But for every other case in the threat model where passwords are stolen, length and complexity simply don’t matter.
The idea is that most passwords are stolen when they are plaintext. So it only matters that the password is unique to that system. Offline password cracking is relevant for cases like the passphrase used to protect your PGP or SSH keys. Then length and complexity is important. Stuff like the suggested FIDO is the same sort of thing. If you need to protect the FIDO key information then length and complexity of your passphrase is important where offline password cracking is relevant.
> Another legitimate case for password cracking is if someone in accounting encrypted a spreadsheet and then got hit by a bus and other employees needed access to that document
I feel now is the time to shill my free cloud, 18-character length password generator [1]. It is a completely serious password generator only requiring a Twitter mention (@) to summon.
Nice. Seems to be a real improvement over diceware.
> We manually checked and attempted to remove as many profane, insulting, sensitive, or emotionally-charged words as possible, and also filtered based on several public lists of vulgar English words
I kind of wish they had a list _without_ this step though. Vulgar and emotionally charged words are easy to work into stories and easy to remember.
As someone also in this business, I would speculate that they give such advice because it is currently effective. It's hard to say whether that will remain the case when biometrics are more widely used. Perhaps, then, we find that storing hashes of all sorts of biometrics server-side is not such a good idea after all. Or if done client-side, then you basically have public key authentication which also exists today and is often recommended for things like ssh -- don't need biometrics for that, how you unlock your ssh key is up to you.
I've really embraced biometrics now that I understand that they're effective for certain use-cases when properly implemented.
For example, the primary threat model for my mobile device is a combination of shoulder-surfing and theft, because I ride a lot of public transit. So it's way more secure for me to touch the fingerprint sensor rather than constantly peck in my password while I'm being observed. A common criminal or homeless dude who steals/finds my phone won't know my password because I'm not revealing it, and they're unlikely to have access to my finger or its print.
If my threat model were different, say law enforcement/TSA confiscation or something, I might be more worried about walking around with fingerprint auth enabled. So if I head to the airport or enter some other high-risk area, I might consider disabling that, removing the sdcard and/or SIM card temporarily.
Biometrics as a way for my personal device to recognize my physical presence is mature tech, and useful for consumers in ways that passwords aren't.
Most modern biometric auth is implemented by the biometric device acting as an HSM and only agreeing to perform the cryptographic operation with its secrets if the proper biometrics are provided. Biometrics are never directly sent to the service you're authenticating to, instead it's using a form of PKI in the background where your biometric device is an HSM storing the client certificate.
This is less secure against dedicated attackers with physical access, but much more secure against remote attackers as there's usually no way to provide the biometrics to the HSM in software and the authentication key from the biometric device can't be stolen so you must keep persistent access to it to be able to use it every time you need to authenticate.
Things like FIDO Yubikey are basically a password unlocked by biometric information so someone needs the key AND your biometric information to unlock it. Even if someone knew your "biometric" information, they would still need the key.
meh. pro hackers do not crack or bruteforce passwords except as a last resort. they instead find some critical vulnerability that bypasses the need for passwords, or steal the browser sesion, or use malware. this is how so many people got crypto stolen despite strong passwords.
jiggawatts|3 years ago
All Windows passwords shorter than about 10 characters shouldn't be considered secure, as the NT Hash at this point is so easily reversible that it's basically a "light obfuscation" at best. A single GPU can crack all 8-character passwords in minutes. The single best security setting on a Windows network is to increase the minimum password length to something like 14 characters. Use 20+ for privileged or service accounts.
The second best thing to do is to scan password hashes against "top password" lists and reject any that are in the top-N, where its up to your business policy what 'N' is. I recommend at least the top 10,000 most common passwords being outright rejected.
The third thing is to match against specific leaks. E.g.: if you have john.smith@foo.com and there is a leak of his email and password where the password matches your records, force a password change immediately.
All of the above assumes that MFA is in place, your servers are patched, and there are extensive audit logs on all authentication attempts.
mr_mitm|3 years ago
The attacks you need to defend against are: 1) online password guessing, 2) Kerberoast, 3) cracking NTLMv2 authentication handshakes, 4) cracking DCCs (Domain Cached Credentials).
1) is solved by applying a moderate list of banned passwords, a sensible lockout threshold and MFA for things on the internet.
2) and 4) are only against high privileged accounts, as they imply access to a low priv account already. (You need an account to request kerberos tickets and if you can read DCCs, you usually can compromise at least a computer account). High privilege accounts should never be accounts that you log on with before you can access a password manager, so they should simply use a 16 character randomly generated password. Make this a requirement in your org, perhaps crack passwords yourself regularly to confirm.
So you're left with 3) which is effectively salted and orders of magnitudes harder to crack compared to NT hashes.
I talked about this at Troopers; unfortunately the video is not yet available. http://troopers.de/downloads/troopers22/TR22_BetterPasswords...
paulryanrogers|3 years ago
yrro|3 years ago
dijonman2|3 years ago
I’ve wanted to do something similar but how would you do this without direct access to HIBP’s data?
I don’t want to send customer email addresses to a third party, at least not without a contract.
2Gkashmiri|3 years ago
macintux|3 years ago
gmane|3 years ago
In my mind, there's no world where one could make a biometric scanner that couldn't be spoofed (presumably with an arduino USB interface) and then when all these corporations with the worst security (Facebook, Experian, etc) leak my data, can't anyone log into my account?
maxbond|3 years ago
pmontra|3 years ago
A number of states around the world have my fingerprints too because I entered those countries as tourist and I had to put at least one finger on a reader.
Maybe some country included mine also have my retina scan, I had to look into some cameras sometimes.
All those biometric information could be leaked, sold by corrupt civil servants or exchanged with other countries so random passwords generated by a password manager protects me more than biometric information. Am I wrong?
Of course some site could store and share with whoever they want my cleartext password before hashing it but I use one different password per site.
jve|3 years ago
We have id card, which contains client authentication certificates. The procedure on acquiring ID card is the same as passport and carries the same legal power. You have to show up in real life and they take your fingerprints, photo and issue you ID card. ID cards will actually be mandatory for everyone beginning 2023-01-01 - up until now they are optional but very much favored around my circle. There is a fair amount of stuff you can only do with ID card (remotely):
- Set up smart-id for 2FA for banking app in your smartphone. No, I don't have option not to use 2FA.
- Official communication with .gov entities.
- Signature & timestamp service
- Remote notary services (requires video presence and showing ID card additionally to actually using it to put digital signature)
- Logging in various sites (banking, government entities)
- Recovering from lost second factor at national TLD DNS registry.
This is the ultimate authentication mechanism that services use to allow you to perform so much.
To authenticate & put down signature, you must use dedicated PIN code for each of those operations. And of course you must possess the card (use card reader).
Scion9066|3 years ago
kajecounterhack|3 years ago
Biometrics without the other two doesn't help anyone.
sillyinseattle|3 years ago
Not quite. IBM has (had?) a research program on "cancelable" biometrics. I do not recall perfectly, but I think they were tweaking the encoded biometric sensor data before committing it to DBs. If there is a leak, one can redo it with a new tweak (like a new salt or nonce).
Gasp0de|3 years ago
Double_a_92|3 years ago
That's why you can't just change phones, and then login with your fingerprint without setting everything up again.
unknown|3 years ago
[deleted]
astrange|3 years ago
It’s also more secure than a password on a phone because if you’re using it in public someone can watch you type your password in.
Of course, someone might be able to clone your head shape.
asyncscrum|3 years ago
From Wikipedia
> In December 2009, RockYou experienced a data breach resulting in the exposure of over 32 million user accounts. This resulted from storing user data in an unencrypted database (including user passwords in plain text instead of using a cryptographic hash) and not patching a ten-year-old SQL vulnerability. RockYou failed to provide a notification of the breach to users and miscommunicated the extent of the breach
capableweb|3 years ago
hn_throwaway_99|3 years ago
The problem "in the real world" is that people will lose these keys all the time. I mean, I agree, passwords need to die, and hopefully some of the work that is being done by Apple and others will help bring on an end to passwords, but you can't really talk about replacing passwords with FIDO keys without talking about how to deal with account lockouts, which is a real, hard problem.
Similarly, biometrics may be good for a user ID but they make horrible passwords. These days fingerprints and irises can be copied from photographs.
mistercow|3 years ago
Which isn’t to say that you shouldn’t go with the new solution anyway. But I’m always skeptical when all people say is “it solves all the existing problems.”
bluedino|3 years ago
Authenticator app, HID card, or FIDO key. Biometric is coming but the goal is to not have to give people yet another reader/device.
In theory we wouldn't have to worry about someone losing their card or key but they don't always setup all three in their account.
lbriner|3 years ago
He said he didn't know how it would be done securely.
I see a lot of attacks are due to account takeover and we currently seem torn between allowing an attacker to circumvent the 2FA by account reset or leaving someone unable to access their account for ever.
I started scanning 2FA codes into two phones, my main one and one that I leave hidden at home (and switched off) for backups. Knowing my luck though, I'll ned to access the one that I forgot to scan into the second phone!
Scion9066|3 years ago
As for the biometrics, when people talk about biometrics for authentication, they are usually talking about using the biometrics to unlock something stored securely on a device. Without the device that has the actual credential being used, the biometric that has been copied doesn't do attackers much good.
WalterBright|3 years ago
Edit: oh crap
arthurcolle|3 years ago
lofaszvanitt|3 years ago
zokier|3 years ago
https://support.yubico.com/hc/en-us/articles/360013707820-Yu...
upofadown|3 years ago
>In fact, pretty much the only case where complexity and length matter is when we’re defending against offline password cracking. But for every other case in the threat model where passwords are stolen, length and complexity simply don’t matter.
The idea is that most passwords are stolen when they are plaintext. So it only matters that the password is unique to that system. Offline password cracking is relevant for cases like the passphrase used to protect your PGP or SSH keys. Then length and complexity is important. Stuff like the suggested FIDO is the same sort of thing. If you need to protect the FIDO key information then length and complexity of your passphrase is important where offline password cracking is relevant.
lawgimenez|3 years ago
Ah the good ol' bus factor.
bloaf|3 years ago
https://nationstates.fandom.com/wiki/World_Census
richrichardsson|3 years ago
The linked Diceware website run by the daughter has press links about the $2 passwords she sells.
The FAQ notes the passwords are $4 a pop.
The actual price: $8
dankwizard|3 years ago
Paid premium extends this to 21 characters.
1: https://twitter.com/generatepw
nimbius|3 years ago
kadoban|3 years ago
> We manually checked and attempted to remove as many profane, insulting, sensitive, or emotionally-charged words as possible, and also filtered based on several public lists of vulgar English words
I kind of wish they had a list _without_ this step though. Vulgar and emotionally charged words are easy to work into stories and easy to remember.
aljgz|3 years ago
Sounds exactly like the advice an offline cracker would give. ;)
btbuildem|3 years ago
GoblinSlayer|3 years ago
mLuby|3 years ago
lucb1e|3 years ago
Eleison23|3 years ago
For example, the primary threat model for my mobile device is a combination of shoulder-surfing and theft, because I ride a lot of public transit. So it's way more secure for me to touch the fingerprint sensor rather than constantly peck in my password while I'm being observed. A common criminal or homeless dude who steals/finds my phone won't know my password because I'm not revealing it, and they're unlikely to have access to my finger or its print.
If my threat model were different, say law enforcement/TSA confiscation or something, I might be more worried about walking around with fingerprint auth enabled. So if I head to the airport or enter some other high-risk area, I might consider disabling that, removing the sdcard and/or SIM card temporarily.
Biometrics as a way for my personal device to recognize my physical presence is mature tech, and useful for consumers in ways that passwords aren't.
Nextgrid|3 years ago
This is less secure against dedicated attackers with physical access, but much more secure against remote attackers as there's usually no way to provide the biometrics to the HSM in software and the authentication key from the biometric device can't be stolen so you must keep persistent access to it to be able to use it every time you need to authenticate.
lbriner|3 years ago
Things like FIDO Yubikey are basically a password unlocked by biometric information so someone needs the key AND your biometric information to unlock it. Even if someone knew your "biometric" information, they would still need the key.
zekrioca|3 years ago
Interesting way to incentivize their daughter to do something.
hamiltonians|3 years ago
SamBam|3 years ago
iamcrazyyounus|3 years ago
slowhand09|3 years ago
imwillofficial|3 years ago
facepalm