Securing your passwords against Rainbow Table Attacks
By Bhushan Shah, NII Consulting
In the previous article we looked at the Rainbow Tables and how it can crack windows passwords in a matter of seconds. In this article we will look at different ways to add complexity to the passwords and protocols to secure your system so that you can survive the rainbow table attack. (Or at least try to)
There are a few things that can be done to hinder the Rainbow Table attack.
- Select and configure strong network authentication protocols.
- Select and configure strong remote access protocols.
- Protect password databases.
- Have a strong password policy.
- Audit you passwords.
Select and configure strong network authentication protocols:-
Windows passwords can be secured by using the Kerberos protocol. This protocol cannot be implemented in all cases so one should use NTLM version2 wherever it’s not possible to use the Kerberos protocol.
In a Windows 2000/2003 server domain Kerberos protocol is the preferred choice of protocol for Windows XP, Win2K and Windows 2003 member computers. LM protocol can be used when a non-member tries to connect to the server. Hence, one needs to reconfigure the system using LM protocol to use NTLM v2. (NTLMv2 is a lot harder to crack than LM). To make sure that NTLMv2 is in place you need to make the following changes.
Kerberos – is a computer network authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner. Kerberos prevents eavesdropping or replay attacks, and ensures the integrity of the data. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the service verify each other’s identity.
- In Win2K and Windows 2003 domains, set the Group Policy Security Option “Network Security: LAN Manager Authentication Level” to Send NTLMv2 response onlyrefuse LM & NTLM. This will require clients to use NTLMv2. (This option is set by default to require at least NTLM authentication in Windows 2003 domains.)
- To set NTLMv2 for Windows NT SP4 domains, add the REG_ DWORD value “LMCompatibility” and set it to 5. The Registry value should be added at
HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSA
- To require NTLMv2 for Windows 95/98, install the Active Directory client and complete the Registry entry above.
- Eliminate the storage of LM hashes in the password database. This is turned on by default in Windows 2003. It can be set using the Security Option “Network Security: Do not store LAN Manager hash value on next password change.” For Win2K domains, add the NoLMHash value to the location below. This only prevents storage of LM hashes; it won’t delete existing LM hashes.
HKEY_LOCAL_MACHINESystemCurrentControlSetControlLSA
* Users must change their password before these options will do any good.
A default user password in a Windows Server 2003 Active Directory domain has the following requirements:
- At least seven characters long
- Must contain three of the four different types of characters (upper case, lower case, numeric, special)
- Can’t include the username
- Can’t include the logon name
To defend against Rainbow Tables, you need to increase the password length to the maximum length possible. i.e. try to keep the password length between 15 – 20 characters. Your domain controllers will enforce these password restrictions for all domain user accounts.
Select and configure strong remote access protocols:-
The authentication of remote access clients is an important security concern. Authentication methods typically use an authentication protocol that is negotiated during the connection establishment process. The Windows Server 2003 family also supports unauthenticated access. Default settings are generally the least secure hence protocols like MS-CHAP version 2 or EAP(wherever possible) should be implemented.
Protect password databases:-
On NT 4.0 and post NT 4.0 systems, the SAM database includes user account information, including password hashes. These files are some of the most important as they hold all information about the user and hence should be protected the most. Try and restrict access to the registry by users.
The SAM cannot be copied when the system is active. When you backup your systems the SAM file can get copied in the backup. The SAM file can be copied now from the backup when the system is running. Hence, keep this file secure and monitor access of this file.
Windows 2003 and Win2K Domain Controllers keep the password database in the Active Directory file ndis.dit. This file too cannot be copied when the system is running but can be copied from the backups. Keep this file secure and monitor access.
Audit you password policies and administrative accounts at regular intervals.
Have a strong password policy:-
A strong password policy is one of the most important. One weak password can leave the whole network vulnerable to attacks.
Long and complex passwords are the best policy. Change the minimum length of the password from the default to 12. Make sure they use special characters in the password to make it more complex. Since the passwords and long and complex make sure they remember the passwords. The best way to make sure they remember the password is to use phrases instead of a password.
For e.g. The bo$$ needs me, I don’t n33d a bo$$!
Using such a password (sure wouldn’t impress my boss!) would make password cracking painfully difficult. And make sure you change you passwords every week (or every other week).
Audit your passwords:-
Since the best form of defense is offence, get the best password cracker from the internet and try and crack your own password. By auditing you passwords you can find if it is possible to crack you passwords and if it is how long it took.
Try running password crackers mentioned in the preceding article. Even run the rainbow table attack and see how long that takes.
* Even if you follow all of the above and have secure passwords, the latest patches, etc. you are still susceptible to cracking attacks and social engineering.
Please don’t share your passwords.
Cause remember, like someone once said:
“THERE IS NO PATCH FOR HUMAN STUPIDITY!”
Refrences:-
Forget about using 15 characters passwords with high complexity. The only fix against Rainbow Talbes attacks is to use a random salt in the hash generation process since it makes Rainbow Tables attacks totally useless. Just wonder why there is no rainbow tables set to crack UNIX/LINUX/BSD passwords.