Cracking Technique Highlights Password Concerns

An improvement to a password-cracking technique published online this week has raised concerns that Microsoft (Nasdaq: MSFT) Windows passwords and the computer and network access they protect might be at risk.

The improved technique, outlined by Swiss researcher Philippe Oechslin, involves a new way of precalculating data in what is known as a cryptanalytic time-memory trade-off -– a password-cracking method that involves using precalculated data stored in memory.

Using large look-up tables to reduce the number of calculations needed during the process, Oechslin claims the technique can crack nearly all alphanumeric passwords in less than 14 seconds, whereas the best prior method took more than a minute and a half.

However, security experts downplayed the severity of the danger, adding that public disclosure of the technique before notification to Microsoft makes the issue seem like a publicity ploy.

"The basic problem here is not an unknown one," Aberdeen Group research director Eric Hemmendinger told TechNewsWorld. "If you want to characterize this as a vulnerability, these folks have gone public instead of going to Microsoft; you've got to wonder whether visibility was a rather important objective for them."

Improved Protection Pilloried

The technique outlined by Oechslin -– who worked in conjunction with a Swiss security organization known as Lasec -– highlights a weakness in Windows, which uses the same password-encoding table for the same passwords, instead of using a randomized password-encoding algorithm.

Despite Microsoft's efforts to address password problems associated with an old scheme known as LANMan, the new NTHash password scheme is still vulnerable to the cracking technique because it does not use random elements for different Windows machines.

"The problem is, if we have the same password [on different machines], it will encode the same way," Forrester senior analyst Laura Koetzle told TechNewsWorld. "That means a password cracker can create a humongous password look-up table and match those up to anyone."

Cracking Time Cut

Oechslin reports the process involves a new way of precalculating data that reduces the number of calculations needed during the time-memory trade-off cracking procedure.

Using 1.4 GB of data, the technique will crack 99.9 percent of all alphanumeric passwords in 13.6 seconds, according to Oechslin. Without the new precalculating method, the cracking technique would take nearly two minutes.

Koetzle, who pointed out that the issue is not an entirely new and different problem, downplayed the reduced time it would take to discover passwords.

Hemmendinger agreed, saying, "If somebody's really determined to find out what's on that machine, does it matter that it takes 13 seconds rather than a minute and a half?"

Human Element

Koetzle also said that while the technique illustrates some weakness in the Windows password-protection scheme, there are several less technical and often more effective means of gaining access to passwords.

"On one hand, it's architecturally inelegant," she said of the Windows approach to passwords. "But password cracking has always been easy to do. You [telephone the company] and say you are so-and-so and get [the password]. There are so many easy ways to get passwords out of people."

Aberdeen's Hemmendinger said password security is "fundamentally a human factor issue," adding that password security remains a low priority.

"There's no reason to believe people have become more disciplined now than they were two or three years ago," he said.

Password Protection

Security experts often offer the same advice to users: Do not keep passwords written down near machines; do not pick obvious words or numbers, such as names or birthdates; and use a combination of letters and numbers.

While the latest cracking technique can uncover alphanumeric combinations, the addition of nonalphanumeric characters would provide more protection by requiring a much larger look-up table, according to Koetzle.

She added that usernames and passwords are not strong enough security for high-priority access and data. Two-factor authentication schemes, biometric authentication and digital signatures all can provide additional layers of security.

"Companies have made some progress lately," she said. "Most of them understand that usernames and passwords are not fine for protecting the crown jewels."