Then along came correct horse battery staple. Just for reference, here are a few examples from the Brute Force Calculator (these examples are based on a system running an Intel i7-2600K CPU @ 3.40GHz).
| Password Length | Password Type | Character Set | Total Key Space (password combinations) | Time Required to Brute Force |
|---|---|---|---|---|
| 7 | NT MD4 | Mixed Alpha Numeric All | 6.5545E+13 | 15 days |
| 8 | NTLMv2 | Mixed Alpha Space | 6.3456E+13 | 15 days |
| 8 | NT MD4 | Mixed Alpha Numeric All | 6.16123E+15 | 4 years |
| 15 | NT MD4 | Mixed Alpha Space | 7.45436E+25 | 50 billion years |
| 15 | NTLMv2 | Mixed Alpha Space | 7.45436E+25 | 2 trillion years |
| 18 | NTLMv2 | Mixed Alpha Space | 1.10978E+31 | 357 quadrillion years |
| 19 | NTLMv2 | Mixed Alpha Space | 5.88185E+32 | 19 quintillion years |
| 20 | NTLMv2 | Mixed Alpha Space | 3.11738E+34 | 1 sextillion years |
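To show where the "Total Key Space" column comes from, here is a small calculator written for this post (it is an added example, not the Brute Force Calculator's own code). It assumes the calculator counts every password of length 1 up to the maximum (the table's figures match that sum, not the single-length count), that "Mixed Alpha Numeric All" is 94 printable characters (52 letters, 10 digits, 32 symbols, no space) and "Mixed Alpha Space" is 53 (52 letters plus space); charset names, function names and the hash rate derived from the first row are all assumptions of the example.

```python
# Added example: reproduce the key-space column of the table above and turn a
# key space into a worst-case exhaustive-search time at a given hash rate.
# Assumptions (not from the original post): charset sizes below, and that the
# calculator sums every length from 1 to the maximum.

CHARSETS = {
    "Mixed Alpha Space": 53,          # 52 letters + space
    "Mixed Alpha Numeric All": 94,    # 52 letters + 10 digits + 32 symbols
}

SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Scale words used by the table, largest first.
SCALES = [
    (1e21, "sextillion"), (1e18, "quintillion"), (1e15, "quadrillion"),
    (1e12, "trillion"), (1e9, "billion"), (1e6, "million"), (1e3, "thousand"),
]


def key_space(charset_size: int, max_length: int) -> int:
    """Exact count of all candidate passwords of length 1..max_length.

    Geometric series: C + C^2 + ... + C^L = (C^(L+1) - C) / (C - 1).
    Python integers are arbitrary precision, so no float rounding here.
    """
    c = charset_size
    return (c ** (max_length + 1) - c) // (c - 1)


def implied_rate(space: int, seconds: float) -> float:
    """Hashes per second implied by exhausting `space` candidates in `seconds`."""
    return space / seconds


def years_to_exhaust(space: int, hashes_per_second: float) -> float:
    """Worst-case years to try every candidate at a sustained hash rate."""
    return space / hashes_per_second / SECONDS_PER_YEAR


def humanize_years(years: float) -> str:
    """Render a duration the way the table does ('15 days', '50 billion years')."""
    if years < 1:
        return f"{round(years * 365.25)} days"
    for magnitude, word in SCALES:
        if years >= magnitude:
            return f"{round(years / magnitude)} {word} years"
    return f"{round(years)} years"


def estimate(charset_name: str, max_length: int, hashes_per_second: float) -> str:
    """Convenience wrapper: human-readable worst-case time for one table row."""
    space = key_space(CHARSETS[charset_name], max_length)
    return humanize_years(years_to_exhaust(space, hashes_per_second))


if __name__ == "__main__":
    # Derive the NT MD4 rate from the first row (7 chars, 94 symbols, 15 days)
    # instead of hard-coding a number the post does not give.
    nt_rate = implied_rate(key_space(94, 7), 15 * SECONDS_PER_DAY)
    print(f"implied NT MD4 rate: {nt_rate:.3g} hashes/s")
    for charset, length in [("Mixed Alpha Numeric All", 8),
                            ("Mixed Alpha Space", 15),
                            ("Mixed Alpha Space", 20)]:
        space = key_space(CHARSETS[charset], length)
        print(f"{length:2d} {charset:24s} {space:.5E} {estimate(charset, length, nt_rate)}")
```

Running it reproduces the key-space column to the precision printed in the table, and the time column for the NT MD4 rows follows from a single implied rate; the point of the exercise is the exponent, since each extra character multiplies the work by the charset size, which is why a 15-character passphrase of letters and spaces (53 symbols) dwarfs an 8-character password drawn from all 94 printable characters.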
Implementing the Changes
So, I decided to see if I could get my organization to go along with the idea of much longer but less complex passwords. There were two parts to the implementation. The first was the social/political side of things: getting the right approvals internally to change the policy, explaining to users why the change was good for them and the company, and convincing the auditors that this change actually improves security.
The second part was configuring Windows Group Policy to enforce the new policy. This turned out to be not as straightforward as I expected: the Windows GPO Editor caps the minimum password length setting at 14 characters.
Some Google-fu netted me this result that provides a couple of examples for fixing Microsoft's shortsightedness for improving password security.
Joeware's ADMod tool makes it easy to modify the Default Domain Policy directly. Here is the command to set the minimum length to 15 characters:
admod -default minpwdlength::15
Then to see if it worked...
Dealing With Auditors
You know you are going to have a fun time when an IT auditor asks a question like, "Can you explain how to read this network diagram?" Another point John made during his prezi, was that no organization is ever 100% compliant with every applicable regulation or security requirement. No one. So what happens when your organization doesn't meet the specific letter of the law for a particular requirement? You implement a compensating control. After walking through a few examples of password cracking tools, such as John the Ripper and Cain/Abel, it wasn't as tough a sell as I was expecting.
Results
The auditors signed off on the changes to the password policy without too much trouble. The auditors weren't the only concern I had about changing the policy. My guess was that these changes were going to create a problem for users, as well as for IT having to do account unlocks all the time. After having this policy in place for several months now, one of the biggest surprises I found from going through this exercise is that account lockouts are currently at an all-time low across the entire company. That is what you call a Win-Win!