Why a 127-character long password is not necessarily stronger than a 4-character long password

The title of this posting comes from Marcus Murray’s blog. Marcus blogged in great detail about the NTLM issue that I’ve mentioned before. He also pointed out that I was mistaken referring to the hash in question as NTLMv2 hash – v2 applies to session security protocol but not to the hash. My bad.

Just to re-iterate the effects of possibility of using NTLM hash instead of the user name/password combination:

  • There’s no need to brute force your password – throw away your rainbow tables, you only need the hash;

  • The Great Debates: Pass Phrases vs. Passwords are over – none is good, as the weakest link is  elsewhere;

  • All those people who over years asked thousands of times how to disable NTLM and become Kerberos-only environment, had a bloody good reason; and

  • Securing the enterprise against targeted attacks suddenly becomes much harder, as we must pay special attention to pretty much all logon scenarios and make sure the environment is safe.

Now we’re in position to discuss if the NTLM issue is, well, an issue. Mark Russinovich quickly pointed out that full control over an “attack base” workstation (or server) is required in order to compromise the domain accounts, and that is the main issue. Here’s two reasons why this isn’t a good response:

  1. Trivial: in most enterprise environments, workstations are extremely easy to compromise – SOE integrity checks are basic to non-existant, and forensic capability is limited;

  2. And another one: not necessarily one should compromise a tightly controlled domain member in order to get NTLM hash – they might as well ask nicely from a Web server etc. (I will experiment with different scenarios and report back).

So Microsoft shouldn’t brush off this one as a non-issue.

I had a great discussion with Shauna Kelly, a Microsoft Word MVP, about security of NTLM enviironments (our government in particular). She asked couple of great questions. For example – are there any bad guys who are doing this? The answer is – I don’t know, and we mustn’t assume there aren’t. And – if current encryption systems are okay? Bitlocker, and Office password protection are good; EFS – it depends: EFS soft keys are a part of user profile that’s available using NTLM, thus only smart cards are good.

I’m not overreacting. Will keep posted.

Leave a Reply

Your email address will not be published. Required fields are marked *