Encryption of passwords

If someone asks

Do you ensure that authentication data such as passwords are not stored in a form that allows the authentication data to be recovered in readable or decipherable form?

Do Windows servers store these passwords in a way that can be easily cracked, and what is the best way to defend against it?
Nick_D asked:
JGTechie commented:
Do you ensure that authentication data such as passwords are not stored in a form that allows the authentication data to be recovered in readable or decipherable form?

Password hashing means the password is mathematically irreversible.

The only way to crack a hash:

1. Find the hash. This would be difficult to do, as you need system/administrative privileges in the Windows world.
You could use an exploit such as SQL injection if on the web side, or some type of session riding if you can hack or MITM Kerberos (good luck), to obtain the hash.

2. Determine the type of hash - easy; this is determining the type of hashing algorithm being used to "hash the password".

3. Since password un-hashing is mathematically impossible, the only other way to find out what a password is when you have the hash is to guess a password -> use the hashing algorithm to hash the guess and see if it matches the hash you obtained from the Windows machine.

Do Windows servers store these passwords in a way that can be easily cracked, and what is the best way to defend against it?


1. Yes, I think so; they are stored in an easily cracked format.

Check this out: http://cyberarms.wordpress.com/2012/07/15/154-billion-hashes-per-second-with-multiforcer-password-cracker/

2. The easiest way to protect against this form of attack is to use complex passwords that are at least 9 characters long and use one of the uncommonly used ASCII symbols that are found on this website:
http://www.tedmontgomery.com/tutorial/altchrc.html


According to: http://www.mindwerks.net/online-tools/password-cracking-calculator/

it would take the Multiforcer from the first link I showed, fully working:

1 millennium exactly to crack a password that was 9 characters long and used the full 255-character ASCII table.

For 8 characters using the same ASCII table it would take 4 years, but of course I am paranoid and like to see a millennium.

The other way to defend against it is to set your policy at least on your administrative usernames to change every 60 days.
 
käµfm³d 👽 commented:
Are you storing passwords in clear-text, or some easily reversible "encryption" method (e.g. base-64 encoding--not really encryption, btw)? If yes, then this would be a no to that question.
 
Nick_D (Author) commented:
We don't store any password in clear text.  If you had to give an example of a strong method for storing and encrypting passwords electronically, what would it be?
 
Chris commented:
There are two types of encryption. Reversible and non-reversible.

With reversible encryption, provided with the relevant details, it's possible to use an algorithm to decrypt the password to a readable value.

With non-reversible encryption this isn't possible. The password will have been originally encrypted using a one-way algorithm that is impossible to reverse (MD5, SHA1, etc.). The only way to find the value of a password encrypted this way is to run words through the same algorithm, cross-referencing the result with the encrypted password until you find one that matches.

In order to make passwords more secure a salt is often used when encrypting the password. A salt is essentially a string, unknown to all but the software. This often works by encrypting the password then adding the salt to the resulting hash and then encrypting the combination. This way it's much harder to launch a successful brute force attack on the password hash as even after successfully attacking the initial hash they would be left with a second hash (and salt) which they would also need to brute force.
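A worked example of the salted, non-reversible storage discussed in this thread, added here and not written by any participant: each stored record carries its own random salt and iteration count, verification recomputes the digest from those parameters, and the comparison is constant-time. PBKDF2-HMAC-SHA256, the iteration count and the record layout are choices made for this example.

```python
"""Salted, iterated password hashing for storage (added example)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor chosen for the example; raise it until one verification
# takes roughly 100 ms on the hardware that will run the checks.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest.

    A fresh random salt per password means two users with the same password
    get different records, so one precomputed digest table cannot cover both.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare safely."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown layout or algorithm: never fall back to plaintext
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print(record_a != record_b)                                       # True: distinct salts
    print(verify_password("correct horse battery staple", record_a))  # True
    print(verify_password("Correct horse battery staple", record_a))  # False
```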
 
Eirman (Chief Operations Manager) commented:
The biggest risks to password security are from:
- Keystroke loggers
- Humans writing down passwords
- Humans using simple passwords
- Shoulder surfers

If you are really concerned about data security when the server is off, just encrypt everything with a free program like TrueCrypt (www.truecrypt.org) or an easier-to-use one such as BestCrypt (www.jetico.com).
 
McKnife commented:
Hi.
To make this question answerable, you should add:
- what passwords you are talking about: local user passwords/domain user passwords/passwords stored inside the browser (which browser)/passwords stored inside other applications/cached passwords/...
- who you are protecting against: local admins working directly at your server (physical access)/weak RDP users (no physical access)
- what OSes are involved
 
Dave Howe (Software and Hardware Engineer) commented:
Windows stores passwords as either a hash or a pair of hashes, depending on whether AD is active and the security level set. A pair of hashes is the default.

The lower-security of the two (LANMAN) is limited to 14-character passwords and is there for backwards-compatibility purposes.

Have a look here:
http://www.infosecwriters.com/hhworld/hh9/lmcrack.htm