Are weak passwords really that risky?
I have been focusing on Windows security for the past few years, and have trained, consulted, and developed solutions for both administrators and security auditors in that time period. As I come into contact with all groups that deal with Windows security, the number one problem that I see in almost every environment is password control. Either passwords are left blank or they are so weak they might as well be blank. With the new push for higher security compliance mandated by regulations, the problem is becoming smaller, but it's not solved completely. In this article we will discuss some of the problems and solutions that all companies can implement to reduce the risk that weak passwords invite into your organization.
Problem stems from blank passwords
I have to expose the reality of the weak password problem we are faced with by starting at the operating system level. Up until Windows Server 2003, the default Administrator password, and all subsequent new user accounts, could be created with a blank password. It does not take a Ph.D. in computer security to realize that this is a horrible configuration and can have horrifying consequences.
Another problem is that most companies don't want to put end users (employees) in a position where they must deal with complex passwords. Historically, the more complex passwords become for end users, the more calls the help desk receives from users who have forgotten them.
I blame administrators and managers for not solving this problem. If administrators go to their managers and then those managers go to executives with the risks and proven attacks on weak passwords, most companies would immediately implement stronger password policies. Most administrators and managers that I know are aware of these issues, but they just don't feel they will have much leverage when they present the problem.
Why? First off, they feel users in their organization will complain too much about the passwords being too long or complex. Secondly, their higher-ups won't think that it is a "real" problem for their company, so they figure "Why bother?" Finally, they might just think that their company is too small to worry about such a problem.
Solutions for weak passwords
The solutions exist, but they require more than what the default options offer. If your company has configured a password policy that requires a seven-character minimum length but does not require any complexity in the password, your solution is not much better than a blank password. Password-cracking tools can recover passwords of that kind in minutes.
If your company recognizes that the default Windows password approach is a problem and has implemented a complex password policy, you have done a great job of stepping up from weak passwords. But it isn't enough. There are tools like RainbowCrack from Zhu Shuanglai that use precomputed tables to break passwords of up to 14 characters in just days.
Ideally, you need to implement a password policy that requires a minimum password length of more than 20 characters. Before you choke on your coffee, let me quickly explain how this will be successful. First, start to use passphrases like "It is a dry heat in AZ."
This is a 23-character, complex password, or passphrase, that users can easily remember, yet it is much harder for outsiders to crack. Second, teach your users the concept of passphrases, which takes no more effort than distributing an interoffice memo. Third, get a solution that can change all administrator and service account passwords centrally. Administrator and service account passwords are rarely changed; some have not been changed in over five years! (If you don't believe me, ask your admins when they last changed the service account passwords.) An ideal solution for this is Desktop Standard Corp.'s PolicyMaker, which relies on Group Policy to control the changes.
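To make the three policies discussed above concrete, here is an added example (not code from the article or from PolicyMaker) that checks a candidate password against a length-only policy, a complexity rule modelled on the Windows "three of four character classes" requirement, and the passphrase minimum of more than 20 characters. It also flags whether the password is too long to be stored as an LM hash, which is what puts it out of reach of the 14-character table attacks mentioned above; the account name and sample passwords are constructed.

```python
import math
import string

# Character classes modelled on the Windows "password must meet complexity
# requirements" rule: a password must draw on at least three of these four.
CHAR_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
PASSPHRASE_MIN_LENGTH = 21  # the article's "more than 20 characters"
LM_HASH_MAX_LENGTH = 14     # LM hashes cannot represent longer passwords


def classes_used(password: str) -> set:
    """Names of the character classes the password actually draws on."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force search space (alphabet ** length), where the
    alphabet is the union of the classes used. This overstates the strength
    of dictionary-word passphrases, but it shows the gap between a
    7-character single-class password and a 23-character passphrase."""
    alphabet = sum(len(CHAR_CLASSES[n]) for n in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def evaluate(password: str, account_name: str = "") -> dict:
    """Check one candidate against the policies the article discusses."""
    used = classes_used(password)
    # Windows also rejects passwords containing the account name (3+ chars).
    embeds_account = (len(account_name) >= 3
                      and account_name.lower() in password.lower())
    return {
        "length": len(password),
        "classes": sorted(used),
        "meets_complexity": len(password) >= 6 and len(used) >= 3
                            and not embeds_account,
        "meets_passphrase_policy": len(password) >= PASSPHRASE_MIN_LENGTH,
        "exceeds_lm_limit": len(password) > LM_HASH_MAX_LENGTH,
        "keyspace_bits": round(keyspace_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed samples: the article's passphrase, a 7-character password
    # that passes a length-only policy, and one that embeds the account name.
    for pw in ("It is a dry heat in AZ.", "abcdefg", "jsmith2005!"):
        print(repr(pw), "->", evaluate(pw, account_name="jsmith"))
```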
Weak passwords are an easy target for most cracking tools. Therefore, you need to take every precaution to protect your assets by enforcing strong passwords. If a password is not strong enough, there are tools that can easily exploit it. By using complex passphrases, your weak password issues will be a thing of the past.
Derek Melber, MCSE, MVP, and CISM, is the Director of Compliance Solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Derek at firstname.lastname@example.org.
This was first published in September 2005