Monday, November 2, 2009

Changing Passwords - Yes, you must

This morning I read a disturbing post by a security professional, who suggested that we don't need to change our passwords for 25 years.

His or her suggestion was based upon a belief that an attacker will not take any significant amount of time to crack your password. This simply isn't the case.

The whole notion of cryptography is based around trying to keep a secret. The practice of cryptography understands, however, that the secret can only be kept for so long. This is why we "change keys". While a password isn't directly cryptography, it does try to keep a secret. Also, sometimes an attacker will be trying to break cryptography in order to get at your password.

A good example is the Windows login password. Your password is never actually sent across the wire. In its place is a "hash" of your password. The hash is composed using a cryptographic function. Because Windows doesn't ever "change the keys", it is possible for an attacker to use tools to generate what are called "rainbow tables". A rainbow table is a pre-generated table of every possible hash that could result, given a certain set of parameters.

The parameters in question are the character set and length. For example, I could create a rainbow table set that pre-generates the hashes for every password you could create that is up to 8 characters long and includes upper and lower case letters, numbers, and special characters such as a dollar sign, period, or asterisk. It takes a long time to generate a rainbow table, but once it is completed, matching the pre-generated hash with the Windows password hash that was sent across the wire can take microseconds to mere minutes.

The longer and more complex the password you are trying to crack (perhaps "match" would be a better word here), the longer it will take you to create your rainbow tables. Also, the larger the set of pre-generated hashes, the longer it will take the computer to search through them all to match your password.

Certainly, the longer and more complex a password is, the longer any brute-force method of cracking that password will take.
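As an added example, not code from the original post, here is the precomputation described above at toy scale in Python: a lookup table of unsalted hashes over a tiny constructed keyspace (digits only, up to three characters), the near-instant match of a constructed "captured" hash against that table, the keyspace arithmetic that makes longer and more complex passwords expensive to cover, and the per-user random salt a defender adds so that no single precomputed table applies to every account. It uses MD5 as a stand-in for "a cryptographic function" (it is not the hash Windows uses), and it is a plain precomputed table rather than a true rainbow table, which compresses the same table into chains; both simplifications are assumptions of this example.

```python
import hashlib
import itertools
import os
import string

# Constructed toy parameters: a few digits and a short maximum length keep
# the table tiny. Real tables cover far larger character sets and lengths.
TOY_CHARSET = "0123456789"
TOY_MAX_LEN = 3


def keyspace_size(charset: str, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len drawn from charset.

    This is what the post calls the table's "parameters": every extra
    character of length multiplies the generation work by len(charset).
    """
    n = len(charset)
    return sum(n ** length for length in range(1, max_len + 1))


def unsalted_hash(password: str) -> str:
    # MD5 stands in for "a cryptographic function" whose output never changes
    # for a given password (assumption; not the hash Windows itself uses).
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(charset: str, max_len: int) -> dict:
    """Precompute hash -> password for the whole keyspace (the slow step)."""
    table = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            table[unsalted_hash(candidate)] = candidate
    return table


def lookup(table: dict, captured_digest: str):
    """Match a captured hash against the table (the fast step); None if absent."""
    return table.get(captured_digest)


def salted_hash(password: str, salt: bytes) -> str:
    """Defender's counter-measure: a per-user random salt makes the same
    password hash differently for every user, so one precomputed table built
    from the bare password no longer matches anything."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def demo() -> dict:
    table = build_lookup_table(TOY_CHARSET, TOY_MAX_LEN)
    captured = unsalted_hash("042")        # constructed "sniffed" unsalted hash
    salt = os.urandom(16)                  # per-user salt stored by the server
    full = string.ascii_letters + string.digits + string.punctuation
    return {
        "toy_entries": len(table),
        "unsalted_match": lookup(table, captured),            # found at once
        "salted_match": lookup(table, salted_hash("042", salt)),  # not found
        "eight_char_full_keyspace": keyspace_size(full, 8),   # why 8+ mixed chars is costly
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `eight_char_full_keyspace` figure is the count of candidates a table for the post's 8-character, mixed-character-set example would have to hold; compare it with the 1,110 entries of the toy table to see why generation time grows so quickly with length and complexity.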

Since we can now see that there will be times when the amount of time you give an attacker to crack a password before you change it is critical to security, let us all change our passwords today.

If you have any questions, please let me know. This is the place to do it - go on ... post a comment. :)

Sensei Metajunkie
