My response to why 12 character passwords are NOT overkill

I stumbled onto this article this morning from a blog which gives advice and information related to PCI compliance.

A few things in it are wrong and misleading, and potentially very dangerous if CSOs or IT administrators actually take this information on board. The author's premise is that researchers can brute force 8 character long passwords within hours, and that these researchers say 12 character passwords are needed as a default minimum going forward. The author somewhat disagrees and states that, because of current rules of thumb pertaining to enterprise password security, the possibility of cracking an 8 character password is remote. Even more remote, in the author's view, is that an attacker would somehow need to get these high powered graphics cards INTO an organisation. Again, very untrue. Here is my response detailing why this is bad information for any IT person who is trying to keep their organisation safe.

-------- RESPONSE --------

I believe you are slightly missing the point…

[quote]”The first thing I thought of was, “What kind of system administrator lets a brute force attack on a single account run for two hours?”  The answer was no one, not even stupid ones allow that to happen.  As a result, this seemed to be a lot of “Chicken Little” reporting if you think only about a brute force attack in the traditional sense.”[/quote]

You are operating under the assumption that these are ‘on-line’ brute force attacks against an account on a corporate network. This is not the case. You also ask who in their right mind would be able to smuggle a computer packed with high-end graphics cards into the organisation and start cracking passwords…

[quote]”Then there is the portability, or lack thereof, of a system packed with a bunch of graphics cards. Yes, we will find a way to shrink it in time, but for now, it’s not a possibility.”[/quote]

Again you are not looking at the bigger picture. For starters, no attacker in their right mind would sit there and try to brute force a domain account, either from the internet or on the corporate network, because, as you pointed out, the administrator has a number of methods in place to alert on and block this activity. These sorts of attacks don’t happen. (Unless you happen to be the IT administrator for a local school!)

How are people brute forcing accounts from a company then? By any one of the thousand ways an attacker can get INTO your company: misconfigured web servers, FTP servers, or a malicious PDF sent to HR with a backdoor tunnelling out over an encrypted DNS tunnel. Once an attacker can exploit ANY weakness to gain a foothold in the company, they can use that point as a launching pad to exploit or gain access to more sensitive services.

For example, take an un-patched FTP server on the network. If someone found an exploit for it, they could plant a keylogger on it. They could then sabotage it or turn off the FTP service, forcing a technician or IT admin to (more than likely) ‘log in as a domain admin account’. Once the attacker has those credentials (and they can be obtained hundreds of ways), he could use them to get onto any other service that gives him an entry point into the company and grab the hashes from the domain controller. Once he has these hashes, he dumps them onto his local drive at home and rips through them with brute force or rainbow tables. All of those bulky graphics cards are in his home computer; he is not taking it into the office, NOR is he brute forcing the accounts ‘on-line’. Brute forcing domain passwords is always performed off-line against the hashes, not in real time against a live account (unless this is another service, but that isn’t the point here).
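To put numbers on the on-line versus off-line distinction above, here is an added Python illustration that is not part of the original post. It assumes a 95-character printable set, an on-line attacker throttled by an account-lockout policy of 5 attempts per 30 minutes, and an off-line attacker with a GPU rig at 1e11 guesses per second; all of these figures are constructed for the example, not taken from the post.

```python
# Added illustration: why brute force against a live account is hopeless while
# off-line cracking of dumped hashes is not. Every rate below is an assumption
# constructed for this example, not a figure from the post.

PRINTABLE = 95          # printable ASCII characters a typical policy allows
ONLINE_ATTEMPTS = 5     # assumed lockout policy: 5 guesses ...
ONLINE_WINDOW_S = 1800  # ... per 30-minute window against a live account
OFFLINE_RATE = 1e11     # assumed GPU rig: hashes tried per second, off-line


def keyspace(length, charset=PRINTABLE):
    """Number of candidate passwords of exactly `length` characters."""
    return charset ** length


def online_rate(attempts=ONLINE_ATTEMPTS, window_s=ONLINE_WINDOW_S):
    """Guesses per second an attacker gets when a lockout policy is enforced."""
    return attempts / window_s


def seconds_to_exhaust(length, guesses_per_second, charset=PRINTABLE):
    """Worst-case time to try every password of the given length."""
    return keyspace(length, charset) / guesses_per_second


def human(seconds):
    """Render a duration in the largest convenient unit, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(length):
    """Exhaustive-search time for one password length, on-line vs off-line."""
    return {
        "online": seconds_to_exhaust(length, online_rate()),
        "offline": seconds_to_exhaust(length, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for n in (8, 12):
        t = compare(n)
        print(f"{n} chars: on-line {human(t['online'])}, "
              f"off-line {human(t['offline'])}")
    # Going from 8 to 12 characters multiplies the off-line work by 95**4;
    # that buys time against a GPU rig but does not remove the off-line attack.
    print(f"8 -> 12 chars costs the attacker {keyspace(12) // keyspace(8):,}x more work")
```

Under the assumed lockout policy an 8 character keyspace takes tens of billions of years on-line, while the same keyspace falls in under a day off-line, which is the whole reason the hashes, not the live account, are the target.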

So while 12 characters are better than 8… it’s still not good enough. If you are interested I wrote a blog post regarding passwords and password security. These attacks would be far less viable if people just started thinking differently about ‘what a password is’.

2 thoughts on “My response to why 12 character passwords are NOT overkill”

  1. I agree with your argument; however, if an organization complies with ALL of the PCI DSS requirements, there are other controls that would stop all of the attack vectors that you document here in your post. That was the point that I was making. Just because researchers have found a way to crack eight character passwords does not mean that you necessarily have to throw them out. You just have to step up your vigilance with the other controls so that such an attack is almost impossible.

    • Can you verify something for me? Does PCI DSS require that the BIOS be password protected and locked from having the boot order changed? (This is a serious question, I tried to research before replying to your comment, but I cannot find it in the guidelines).

      If this is NOT in the guidelines, then the PCI DSS controls that try to stop the attack vectors I mentioned may no longer be relevant. Not entirely invalid, but I could think of a few ways to get those hashes if I had local access on a machine (not server) that was connected to that network, even if PCI DSS is properly implemented throughout the organisation.

      Thanks for the discussion.
