Security Tip: Password cracking reminder
Passwords are being cracked around the world as we speak.
In the old days, we measured password strength by the time it took for attackers to crack the passwords from the hashes, or other encoded/encrypted formats that they would be retrieved in. The longer your passwords could withstand brute force cracking attacks, the stronger we considered them. From this tenet, came the wisdom that passwords that used mixed case, special characters and that were longer were stronger than shorter less special-character inclusive ones. Attackers reinforced this tenet by building tools for performing dictionary scanning tools that would quickly crack passwords based on dictionary words, even with replacements like 3 for e, or 1 for I, etc. and they've only gotten better. Attackers have made a quantum leap in password cracking in the last few years. They've developed "Rainbow" type tools that do the heavy processor and math workload up front and then use database-type storage and retrieval to search massive archives of pre-computed password hashes to retrieve the known passwords.
This change in tactic has largely led to huge increases in password cracking capabilities. Passwords that used to take days to weeks to crack can now be cracked in seconds if the attacker has suitable database capabilities, storage and access to the pre-computed cracked hashes. Attackers have even taken this a step further and created huge networks of distributed, parallel cracking systems and applications for folks to "contribute" CPU cycles to either cracking or pre-computing the hashes for later use. Right now, attackers use their machines, Bot-nets and all kinds of other ways to get massive amounts of pre-computed hashes to continually reduce the effectiveness of even the strongest of passwords.
As security practitioners, we must remain aware. In most cases, we must assume that except in extremely rare circumstances, if an attacker gets the password file or hashes, they can/will/have broken the passwords. This is a huge change in mindset for many (not all, but many) security folks. Time is no longer on our side. In many cases, it is faster to crack the password than to change it across an enterprise, especially if politics, change controls and cross-platforms are involved. Quite simply, we must checkmate the attacker before they get the password hashes. This involves utilizing continual assessment and mitigations on all systems, application risk reduction and preventing the holes that attackers exploit to get at the hashes.
http://en.wikipedia.org/wiki/Password_cracking
MicroSolved, Inc.
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
