Many systems come with well-known default passwords which go unchanged by lazy admins. Here are lists; do you have any remaining risks?
I have a section on password cracking and testing on my system security auditing page. It includes links to useful tools.
Operating systems do not store the user's password, they store the hash of the password. The hash is a one-way function, see my Just Enough Crypto page for details.
Most operating systems store the hash of the combination of a salt plus the user's password.
When the password is (re)set, a new random salt is generated:
Setting:
User provides: password
System generates a random: salt
Stored: salt, hash(salt,password)
When the password is tested at authentication, the stored salt is used:
Testing:
User provides: password
System retrieves stored: salt
Compared: calculated hash(salt,password), stored hash(salt,password)
The salting makes the authentication more secure in two ways. First, two users who happen to pick the same password will almost certainly have different salts, and therefore different stored hashes (and even if they got to see the list of hashes, they would not realize they had the same password as someone else). More significantly, this makes a brute-force attack much more difficult.
As we should expect, Windows does not use the simple but effective security mechanism of salting! Surprisingly, neither did Mac OS X until version 10.3!
How many possible salt values are there?
| Operating system | Bits of salt | Number of possible salt values |
|---|---|---|
| Windows, Mac OS before OS X 10.4 (ref: http://www.dribin.org/dave/blog/archives/2006/04/28/os_x_passwords_2/) | 0 | 1 (that is, a null salt) |
| Older UNIX (SunOS, Solaris 2.6,7,8, HP-UX, etc) | 12 | 4,096 |
| Mac OS X 10.4 | 32 | 4,294,967,296 |
| UNIX (Solaris 9 and later, Linux) | 48 | 281,474,976,710,656 |
| OpenBSD | 128 | 340,282,366,920,938,463,463,374,607,431,768,211,456 |
Windows has traditionally supported the LANMAN hash, a rather insecure method for authenticating on a poor networking protocol invented by IBM and used by Microsoft despite the availability of far better alternatives at the time. And Windows still supports LANMAN hashing by default. To create a LANMAN hash:
For the NT hash, calculate the MD4 hash of the user password. MD4, not MD5, due to history, although MD4 is a little less secure than MD5: http://www.rsasecurity.com/rsalabs/node.asp?id=2253
Note that "Windows NT" really means Windows NT 3.*, Windows NT 4.*, Windows 2000, Windows XP, Windows 2003, and so on. The Windows NT password hashing scheme is decent. The problem is that the password is, by default, hashed in the NT scheme and in the weak LANMAN scheme. So the strongest possible password is really no stronger than 7 characters with no upper/lower case distinction. To break the NT password via the LANMAN hash:
Can this weak LANMAN behavior be turned off? Yes! At the possible loss of interoperability with LANMAN hosts, but we're interested in security. Here's how: http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&
But then there are "Rainbow Tables". They are a space-time tradeoff, gaining lots of speed by pre-computing large tables of hashes. A typical Rainbow Table may cover 99.9% of the possible password space with a 10,000:1 tradeoff. That is, within seconds to minutes you can figure out which 10,000-member list contains the password, and then you find that password within 10,000 hash operations. This attack is only practical (for most attackers) against Windows, as the salts used by all other operating systems would make the attack require as many Rainbow Tables (each of which might require several gigabytes of storage) as there are possible salts. See the above table for just how many possible salts there are in non-Windows operating systems, and thus how many parallel Rainbow Tables would be needed.
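The setting/testing scheme and the effect of the salt on a precomputed table, as an added example that is not from the original page. Assumptions: SHA-256 stands in for the operating system's own hash function, the accounts and word list are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import os

SALT_BYTES = 6  # 48 bits, the Linux / Solaris 9+ row of the salt table above

def _hash(salt: bytes, password: str) -> bytes:
    # Assumption: SHA-256 stands in for the operating system's own hash function.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def set_password(db: dict, user: str, password: str, salt_bytes: int = SALT_BYTES) -> None:
    """Setting: generate a fresh random salt, store (salt, hash(salt, password))."""
    salt = os.urandom(salt_bytes)  # salt_bytes=0 models the null salt
    db[user] = (salt, _hash(salt, password))

def check_password(db: dict, user: str, password: str) -> bool:
    """Testing: recompute with the stored salt and compare in constant time."""
    if user not in db:
        return False
    salt, stored = db[user]
    return hmac.compare_digest(_hash(salt, password), stored)

def covered_by_one_table(db: dict, wordlist: list) -> list:
    """Audit: accounts whose stored hash appears in a single table precomputed
    without any salt, i.e. the accounts a salt-less scheme leaves exposed."""
    table = {_hash(b"", word) for word in wordlist}
    return sorted(user for user, (_, stored) in db.items() if stored in table)

def demo() -> dict:
    # Constructed sample accounts: two users who picked the same password.
    unsalted, salted = {}, {}
    for user in ("alice", "bob"):
        set_password(unsalted, user, "letmein", salt_bytes=0)
        set_password(salted, user, "letmein")
    words = ["password", "letmein", "123456"]
    return {
        "unsalted_hashes_equal": unsalted["alice"][1] == unsalted["bob"][1],
        "salted_hashes_equal": salted["alice"][1] == salted["bob"][1],
        "unsalted_covered": covered_by_one_table(unsalted, words),
        "salted_covered": covered_by_one_table(salted, words),
        "login_ok": check_password(salted, "alice", "letmein"),
    }

if __name__ == "__main__":
    print(demo())
```

With the null salt both stored hashes are identical and one table covers both accounts; with 48-bit salts the same table covers neither, because each account would need a table built for its own salt.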
On to the comparisons!
| Operating system | Notes, Difficulty of Attack |
|---|---|
| LANMAN | Each chunk contains 7 characters, drawn from a set of 69 characters: the 95 printable ASCII minus the 26 lower-case letters. No salt, so we only have to search the relatively small LANMAN space itself. Brute-force search space size: 69^7 = 7,446,353,252,589 |
| Traditional older UNIX | Hashing algorithm applied to password plus salt is a repeated modified DES, so a 56-bit output multiplied by the salt space. This is what you have with Solaris 8 and earlier, HP-UX, etc. Brute-force search space size: 2^12 x 2^56 = 4,096 x 72,057,594,037,927,936 = 295,147,905,179,352,825,856 |
| Windows NT family (NT 3.*, NT 4.*, 2000, XP, 2003, Vista, 2008, ...) | MD4 hashing of the password, but no salt. The brute-force search space is larger than that of traditional UNIX. However, the lack of a salt in Windows makes a Rainbow Table practical, so brute-force attacks aren't really needed here! Brute-force search space size: 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 |
| "BSD-style" hashing | MD5 hashing of the password plus the 48-bit salt. This is what you have with Linux, with most BSDs, and with Solaris 10 and later. Solaris 9 is capable of doing this if you know the trick on my OS-specific security page. Brute-force search space size: 2^48 x 2^128 = 281,474,976,710,656 x 340,282,366,920,938,463,463,374,607,431,768,211,456 = 95,780,971,304,118,053,647,396,689,196,894,323,976,171,195,136,475,136 |
| Mac OS 10.4 | SHA-1 hashing of the password plus the 32-bit salt. Brute-force search space size: 2^32 x 2^160 = 4,294,967,296 x 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976 = 6,277,101,735,386,680,763,835,789,423,207,666,416,102,355,444,464,034,512,896 |
| Blowfish hashing | Multiple rounds of the Blowfish cipher used as a hash, operating upon the combination of the salt and the password. This is possible with Linux, BSD, and Solaris 9 and later, and is the default with OpenBSD. Note that the number wraps around two lines... Brute-force search space size: 2^448 = 726,838,724,295,606,890,549,323,807,888,004,534,353,641,360,687,318,060,281,490,199,180,639,288,113,397,923,326,191,050,713,763,565,560,762,521,606,266,177,933,534,601,628,614,656 |
Now, enormous numbers may be loads of fun, and may make it appear that you have some security, but setting a stupid password like, say, "password" is just as guessable regardless of hashing method!
Don't just hand out the system administrator's password! Allow certain users to run only certain commands with sysadmin privileges, with the sudo tool. See http://www.cs.coloradu.edu/~millert/sudo/.
Software piracy (kinda) falls under authentication. Why audit yourself? If your site has pirated software, you may incur huge fines. Disgruntled employees will turn you in for rewards from SPA and BSA (Software Publishers Association and Business Software Alliance), who show up with federal agents and search warrants. One U.S. Army base was hit for around $2,000,000 in 1996. Fines in the $100,000-200,000 range are common. Autodesk (http://www.autodesk.com/), maker of AutoCAD, has recovered more than US$ 35 million from North American copyright infringers in 1989-1999 (SC Magazine, April 1999, pg 18). The SPAudit tool is available free from http://www.spa.org. It audits what software is installed where, and also inventories hardware and system boot files. Further info is available on software piracy.
© Bob Cromwell Jul 2008. Created with /bin/vi, hosted on OpenBSD with Apache. Root password available here