Is it time to scrap the password?
As password protection gets more secure the actual passwords for users get weaker.
A paradox? Not so, let me explain.
A few years back the biggest problem was a password going 'over the wire' and being intercepted. This can easily been seen in telnet. Just capture a telnet session and you will see the password in plain text contained in the packet capture.
Obviously this is not very secure so the next step is to encrypt the password on the workstation and send the encrypted password to the server. This way the plain text version never left the workstation.
This was defeated in fairly short order because the level of encryption used was not very high.
The next step was to use encryption and a but this was also broken is short order thanks to the salt being included with the hash.
Currently, Kerberos does a wonderful job of making sure a password is secure. Not only is it encrypted on the client machine with a one-time hash but it never leaves the machine - only bits do - A bit like a bank asking you for five letters from your address at random locations to very its you. Kerberos also defeats a replay attack by encoding the time into the response. If the domain controller sees a client-side request with the same or an earlier time its rejected as a reply attack - this is why its vital to make sure your servers and clients all have the correct time.
So, how does this make our password weaker?
In many systems its possible to check the password complexity levels but it's getting harder to check to see if users are following a pattern, e.g. password1234, password1235, password1236 and so on because the password is NOT stored on the server and it's not possible to decrypt the hash the checking must be done on the client side machine - BUT, if the client side machine stores the password it will have weaker security than the domain controller and as it's easier to access a client side PC than a locked away domain controller the passwords should be stored on the domain controller.
BUT if the passwords are stored on the domain controller they must be decryptable or plain text otherwise certain complexity checks cannot be enforced.
This would again open up the password to packet sniffing attacks.
It seems that the password has run it's course but it's there something out there that's easy to use, doesn't require a heavy infrastructure (like RSAsalt
Subscribe to Ramblings of a Sysadmin
Get the latest posts delivered right to your inbox