Open Sesame
When you log on to your computer, Windows converts the password you type into a hash, which, is just a very long number.
For example, the MD5 hash of ‘Sarahandjack99’ as a decimal number starts with:
6426944284693920619….
I’ve chopped off some digits in this example to keep things simple. The actual number has about twice the digits I’ve shown.
To validate that you’ve entered the correct password, Windows only has to compare the hash of your entered password with the hash it has stored for your account.
In theory, it’s difficult to reverse-engineer the password from the hash, due to the scrambling nature of the hash process. For example, the hash, ‘Sarahandjack98’ is completely different, even though we only changed one digit of the password. It’s:
5834563607184274669….
I said, in theory, but, as Yogi Berra once said,
“In theory, there is no difference between theory and practice. But in practice, there is.”
Windows accounts and hashes
As you probably know, there are essentially two kinds of accounts in Windows: Local accounts are specific to a machine, and domain accounts are valid within a particular domain.
Windows translates the password you type in for either a local account or a domain account into a hash. It’s the hash that gets used from that point on. Windows uses two different types of hashes, depending on the account type.
The hash type for local accounts is called an NTLM hash and the hash type for domain accounts is called an MSCacheV2 hash.
The latter hashes are more difficult to ‘brute force’ attack but they can still be attacked successfully.
Logging on when not connected to your domain
So where would an attacker get these precious hashes? Well, Windows uses these hashes to validate your identity. Suppose you take your laptop home and then log on using your domain credentials. You’re probably not connected to the corporate network but Windows uses a cached copy of your domain account hash to validate you and let you log on, even though the domain controller can’t be reached.
This information is stored in the laptop’s registry. It’s encrypted, but the algorithm has been reverse-engineered, so it’s easy for an attacker to extract the original hash.
Every Windows device (not just laptops) on your network normally has up to ten of these cached domain hashes, which represent the last ten different domain accounts that were used to connect to that device. At least one of these hashes is likely to be associated with the current device user. Others might be associated with very privileged users, such as sysadmins.
Local accounts are much the same, except here the hashes can be retrieved whether or not the account has ever been used on that machine. And recall that local accounts use the weaker NTLM hash. Again, this information is permanently recorded in the computer’s registry, so any attacker that can read the registry can recover this information and decrypt it.
And of course, any lost or stolen laptop that isn’t otherwise protected can have the disk scanned and the hashes extracted. [We’ll talk about protective measures in the next post on this topic]
What can an attacker do with a hash?
Attackers exploit the incredible power of modern graphics cards (GPUs) to crack hashes by brute force.
A modern GPU is so fast, that it can try over 40,000 MILLION combinations of passwords every SECOND. A cluster of eight modern GPUs has been benchmarked at an aggregate speed of over 330,000 million NTLM hashes/second.
As the name suggests, brute force attacks are pretty simple. Just guess a password and compute the hash and see if the hash matches the one you’ve got.
Domain account hashes are a bit more challenging. That same cluster can only manage around 2.5 million of these a second.
Even so, this still leaves you vulnerable to brute force attacks.
Suppose you have a local machine account with an 8 character password. It’s some combination of upper and lower case letters and numbers. How many combinations does an attacker have to guess?
Well, there are 52 letters and 10 numbers so that’s 62 characters you can choose from for each position in the password. So the combinations available are: 62 X 62 X 62 X 62 X 62 X 62 X 62 X 62
That comes to 218,340,105,584,896 which looks like a reassuringly large number. Now recall that we can try 330,000,000,000 combinations per second. So if we divide that large number by 330,000 million we get just over 11 minutes.
Suppose we had a domain account hash. Then we divide our first large number by 2,500,000 instead.
This will take around three years to crack.
This sounds reassuring, and adding more characters to the password rapidly increases this time. A nine-character password would take around 170 years to crack, for example.
But…
People don’t generally choose random passwords. Think about your passwords – the ones you’ve set up for various accounts on the internet and at work.
If you use an upper-case letter, is it the first letter of the password? I’m betting it probably is.
If you use any numbers or punctuation symbols, are they at the end of the password?. I’m betting they probably are. And I’m betting you chose them from a small number of choices, like the easy-to-type punctuation symbols on your numeric keypad.
Making a few assumptions like this, an attacker can probably crack a local account hash in only a couple of seconds, and a domain account hash in a couple of days.
Over the rainbow
As if this wasn’t bad enough, attackers also have another weapon; the so-called ‘rainbow table’. A rainbow table isn’t much use against domain accounts because the domain account hash is a function of both the username and password. But unfortunately, local account hashes are only derived from the user’s password. This means that it is possible to build enormous tables with every combination of passwords up to, say, 8 characters, and then simply match the hash you have with the entry in the table. Now you have the password. Rainbow tables can be freely downloaded from the internet.
In some cases the hashes of common passwords are so well known, you can just enter the hash into Google and find the password!
Bad advice, and more bad advice
I read the other day that you should have 15 character passwords. Now that’s all well and good in theory. After all:
aF6%9$t-PvWB463
should be a tough challenge to brute-force. There’s just one problem. Or actually, two.
Firstly, how will you remember that password?. Unless you have superhuman powers, that’s going to be quite a challenge. Try and memorize the above password and come back in half an hour and see if you can still recall it.
So the first problem is that in order to use a strong password like this you’ll probably end up writing it down. Which of course leaves you vulnerable to someone obtaining it by nicking your wallet, or purse.
And secondly, having chosen a strong password, the temptation to re-use it for multiple accounts is strong. So now if one of those accounts gets compromised I can access other accounts you control. Recall that an attacker might compromise an account by other techniques than just brute-forcing a hash. They can use exploits to attack a website or even ‘social engineering’ where they pretend to be you, to gain access.
Now some people have suggested that you use a ‘pass phrase’ instead. Then you can have a long password that is actually a phrase. (There’s an XKCD cartoon about this.)
This is definitely not a bad idea, at least, in theory. There are approximately 20,000 words in the English language in common use. The average length of a word is 5 characters. If you, therefore, pick a phrase of, say, four words, which should certainly exceed 15 characters, then the combinations available to you are:
20,000 X 20,000 X 20,000 X 20,000
Or:
160,000,000,000,000,000
How much longer would it take to crack? Well, as a domain account, it’ll take around 2,000 years. As a local account hash, it’ll take around 5 days. Not so good. Furthermore, we’re being a bit optimistic here – will you really choose randomly from 20,000 words? Or will you choose common words?
If you choose from common words, you’re probably going to end up with a hash that can be cracked in 3 seconds for a local account and just under 5 days for a domain account.
Now I know you’re thinking. I’m using people’s names in there and stuff. That makes it harder, I mean, there are lots of names. Of course, there are but the bad guys probably know more about you than you think. We all share far too much personal information these days via Facebook, LinkedIn and so on, and it’s easy for an attacker to do a bit of ‘social engineering’ and establish some things about you like your family’s names and your pet’s name, and your friends and so forth. Obviously when choosing a ‘dictionary’ to attack your password, including these names seems like a pretty good bet.
All of this sounds depressing. Fortunately, there are some steps you can take to protect yourself. We’ll talk about these in the next post on this topic. Stay tuned!
