
Page 1: Enterprise Security Architect Security Business and Technology …download.microsoft.com/download/a/d/0/ad0f04a3-21b2-4d79... · 2018-10-16 · Brute force credentials Considerations

Windows Passwords: Everything You Need To Know

Jesper M. Johansson
Enterprise Security Architect
Security Business and Technology Unit
Microsoft Corporation
[email protected]

Page 2: Overview

How passwords are stored
How passwords are used
How passwords are attacked
Password best practices

Page 3: How Windows Stores Passwords

Page 4: In the beginning…

Page 5: Password Representations

LM "hashes"
  Old technology used on LAN Manager
NT hashes
  A.k.a. Unicode password or MD4 hash
  Used for authentication on more recent Windows systems
Cached credentials
  Derivation of NT hash
Stored User Names and Passwords
  Calling application decides on representation

Page 6: LM "Hash" Generation

Padded with NULL to 14 characters
Converted to upper case
Separated into two 7-character strings
Each 7-character half is used as a DES key to encrypt a fixed constant; the two ciphertexts are concatenated to form the LM "hash"

  Seattle1  ->  SEATTLE1******  ->  SEATTLE | 1******
  Key "SEATTLE" + Constant --DES--> block 1  \
                                               Concatenate -> LM Hash
  Key "1******" + Constant --DES--> block 2  /

Page 7: LM "Hash" Considerations

It's not a hash
Limited character set
  Common alphanumeric set only
  Case insensitive
  142 symbols
Padded to exactly 14 characters
  Actually two seven-character passwords
  Maximum number of passwords ≈ 6.8*10^12
Unsalted…

Page 8: Salting

Prevents deriving passwords from password file
Stored representation differs
Side effect: defeats pre-computed hash attacks

Example password-file entries from the slide (all three users have the same password; only the salt differs):
  Alice:root:b4ef21:3ba4303ce24a83fe0317608de02bf38d
  Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac
  Cecil:root:209be1:a483b303c23af34761de02be038fde08

Page 9: NT Hash Generation

Hash the password
Store it

  Seattle1 --MD4--> unicodePwd

Page 10: NT Hash Considerations

Case preserving
65,535 symbols
Maximum length = 127 characters
Number of ≤14-character passwords, same char set as LM hash ≈ 4.6*10^25
Number of ≤14-character passwords (full char set) ≈ 2.7*10^67
Number of 127-character passwords ≈ 4.9*10^611
Unsalted

Page 11: Cached Credentials Generation

Stored at logon
Managed by LSA
Hash of a hash

  Unicode Pwd --MD4--> NT hash, concatenated with Username --MD4--> Cached Creds.
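The NT hash and cached-credential derivations of slides 9 through 11, as an added example (not code from the deck). MD4 is implemented inline because hashlib's md4 is often unavailable; lower-casing the username before the second MD4 follows the documented DCC1 format and is an assumption the slide does not state. The last function shows why the username acts like the salt of slide 8: two users sharing a password share an NT hash but not a cached credential.

```python
import struct

_MASK = 0xFFFFFFFF
_ROUND3_ORDER = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & _MASK


def _md4_compress(state, block: bytes):
    """One 64-byte block of MD4 (RFC 1320): three rounds of 16 steps each."""
    X = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(16):                                  # round 1, F = xy | ~x z
        f = (b & c) | (~b & d)
        a = _rotl((a + f + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                  # round 2, G = majority
        g = (b & c) | (b & d) | (c & d)
        k = (i % 4) * 4 + i // 4                         # 0,4,8,12,1,5,9,13,...
        a = _rotl((a + g + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
        a, b, c, d = d, a, b, c
    for i in range(16):                                  # round 3, H = x ^ y ^ z
        h = b ^ c ^ d
        a = _rotl((a + h + X[_ROUND3_ORDER[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = d, a, b, c
    return [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (hashlib's md4 needs OpenSSL's legacy provider, often absent)."""
    bit_len = len(data) * 8
    # pad: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length
    padded = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(padded), 64):
        state = _md4_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """Slide 9: NT hash = MD4 over the UTF-16LE ('Unicode') password. No salt, so
    every account with this password stores the same 16 bytes."""
    return md4(password.encode("utf-16-le"))


def cached_credential(password: str, username: str) -> bytes:
    """Slide 11: hash of a hash, MD4(NT hash || username as UTF-16LE). Assumption:
    the username is lower-cased first, as in the documented DCC1 format; the slide
    does not state the normalization."""
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def shared_password_demo(password: str = "Seattle1", users=("alice", "bob")):
    """(NT hashes identical?, cached credentials identical?) for users sharing a
    password: the username in the cached credential works like a salt."""
    nt = {nt_hash(password) for _ in users}
    cc = {cached_credential(password, u) for u in users}
    return len(nt) == 1, len(cc) == 1
```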

Page 12: Stored User Names And Passwords

Credential Manager
Stores specific password-based credentials locally
Applications can leverage for password storage
Uses DPAPI for storage

Page 13: How Passwords Are Used: Authentication

Page 14: Authentication (authn)

Winlogon passes the authn information to LSASS
LSASS determines the authn package
  Local or remote login? If remote:
    Kerberos
    MSV1_0 (NTLMv2, NTLM, LM)
The chosen package generates authn data

Page 15: NTLM And LM Authentication On The Wire

  Client -> Server: Authn_Request
  Server -> Client: Server_Challenge – nonce
  Client -> Server: LM Response – DES(LM Hash, nonce)
                    NTLM Response – DES(Unicode pwd, nonce)
  Server -> Client: Authn_Result

Page 16: NTLMv2 Authentication On The Wire

  Client -> Server: Authn_Request
  Server -> Client: Server_Challenge – nonce_s
  Client -> Server: LM Response – DUMMY
                    NTLMv2 Response – ƒ(Unicode pwd, nonce_s, nonce_c)
  Server -> Client: Authn_Result
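The NTLMv2 exchange of slide 16 with both sides' computations, as an added example (not from the deck). The NTLMv2 key is HMAC-MD5 of the NT hash over UPPERCASE(user) + domain as MS-NLMP specifies, but the client blob is simplified to just the client nonce (the real blob also carries a timestamp and target info), and the NT hash and nonces are constructed placeholders.

```python
import hashlib
import hmac
import os


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key (NTOWFv2 in MS-NLMP): HMAC-MD5 keyed with the NT hash over
    UPPERCASE(user) + domain in UTF-16LE. The NT hash itself never goes on the wire."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def client_response(nt_hash: bytes, user: str, domain: str,
                    nonce_s: bytes, nonce_c: bytes) -> bytes:
    """Slide 16's f(Unicode pwd, nonce_s, nonce_c). Simplified: the blob here is only
    the client nonce; the real NTLMv2 blob also carries a timestamp and target info."""
    proof = hmac.new(ntlmv2_key(nt_hash, user, domain), nonce_s + nonce_c, hashlib.md5).digest()
    return proof + nonce_c          # 16-byte proof followed by the client's own nonce


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  nonce_s: bytes, response: bytes) -> bool:
    """Server side: recompute the proof with the stored NT hash and the nonce it issued."""
    if len(response) != 24:
        return False
    proof, nonce_c = response[:16], response[16:]
    expected = hmac.new(ntlmv2_key(stored_nt_hash, user, domain), nonce_s + nonce_c,
                        hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def exchange(nt_hash: bytes, user: str, domain: str, nonce_s: bytes, nonce_c: bytes):
    """Run the four messages of slide 16 and return (accepted, replay_accepted): a
    captured response is bound to the nonce the server issued, so presenting it
    again in a later session with a fresh server nonce must fail."""
    # 1. Authn_Request                           client -> server
    # 2. Server_Challenge carrying nonce_s       server -> client
    # 3. LM Response DUMMY + NTLMv2 Response     client -> server
    resp = client_response(nt_hash, user, domain, nonce_s, nonce_c)
    # 4. Authn_Result
    accepted = server_verify(nt_hash, user, domain, nonce_s, resp)
    # later session: server issues a new nonce, an eavesdropper replays resp
    replay_accepted = server_verify(nt_hash, user, domain, os.urandom(8), resp)
    return accepted, replay_accepted


# Constructed placeholder NT hash and nonces (not real values from any system)
DEMO_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_NONCE_S = bytes.fromhex("0102030405060708")
DEMO_NONCE_C = bytes.fromhex("a1a2a3a4a5a6a7a8")

if __name__ == "__main__":
    print(exchange(DEMO_NT_HASH, "alice", "CORP", DEMO_NONCE_S, DEMO_NONCE_C))  # (True, False)
```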

Page 17: LMCompatibilityLevel

Client-side impact

  Level  Sends                       Accepts           Prohibits Sending
  0*     LM, NTLM                    LM, NTLM, NTLMv2  NTLMv2, Session security
  1      LM, NTLM, Session security  LM, NTLM, NTLMv2  NTLMv2
  2*     NTLM, Session security      LM, NTLM, NTLMv2  LM and NTLMv2
  3      NTLMv2, Session security    LM, NTLM, NTLMv2  LM and NTLM

Server-side impact

  Level  Sends                       Accepts           Prohibits Accepting
  4      NTLMv2, Session security    NTLM, NTLMv2      LM
  5      NTLMv2, Session security    NTLMv2            LM and NTLM

* Default on some OS

Page 18: Kerberos Authentication

Authenticates access to domain resources by domain members
Uses different operations than NTLM
Sensitive data is better protected from eavesdropping
RFC compliant (yes, it is!)
Uses NT hash
Well documented

Page 19: How Passwords Are Attacked

Page 20: Key Point

Bad passwords get broken, even when using good storage and authentication methods!

Solutions
1. Use better passwords
2. Don't let bad guys get the hashes

Page 21: Four Types of Attack

Passive online
Active online
Offline attacks
Non-electronic attacks

Page 22: Passive Online Attacks: Wire Sniffing

Access and record raw network traffic
Wait until authn sequence
Brute force credentials
Considerations
  Relatively hard to perpetrate
  Usually extremely computationally complex
  Tools widely available

Page 23: Passive Online Attacks: Man-in-the-Middle and Replay Attacks

Somehow get access to communications channel
Wait until authn sequence
Proxy authn traffic
No need to brute-force
Considerations
  Relatively hard to perpetrate
  Must be trusted by one or both sides
  Some tools widely available
  Can sometimes be broken by invalidating traffic

Page 24: SMB Reflection Attack

1. Hey, I want to connect
2. What a coincidence, so do I.
3. OK, here is a challenge
4. Thanks! Here's your challenge, right back at you
5. All right, here's my response to your (my) challenge.
6. That's so nice, here's your response back to you

Page 25: Cracking v. Guessing

Guessing from the logon prompt
  Very slow
  Easy to detect
  Core problem: bad passwords
Cracking presumes attacker has hashes
  Hashes may be world readable
  If not, system has already been hacked
  Very fast
  Core problem: bad guys with access to hashes

Page 26: Active Online Attacks: Password guessing

Try different passwords until one works
Succeeds with…
  Bad passwords
  Open authentication points
Considerations
  Should take a long time
  Requires huge amounts of network bandwidth
  Easily detected
  Core problem: Bad passwords

Page 27: Offline Attacks

Attacker has password database
  How? Hard on Windows, easier on Unix
Can attack at leisure
Password representations must be cryptographically secure
Considerations
  Moore's law
  Attacks against cached credentials about 3x slower

Page 28: Offline Attacks: Dictionary Attack

Try different passwords from a list
Succeeds only with poor passwords
Considerations
  Very fast
  Core problem: Bad passwords

Page 29: Offline Attacks: Hybrid Attack

Start with dictionary
Insert entropy
  Append a symbol
  Append a number
  …
Considerations
  Relatively fast
  Succeeds when entropy is poorly used

Page 30: Offline Attacks: Brute-force Attack

Try all possible passwords
  More commonly, a subset thereof
Usually implemented with progressive complexity
Typically, LM "hash" is attacked first
Considerations
  Very slow
  All passwords will eventually be found
  Attack against NT hash is MUCH harder than LM hash

Page 31: Offline Attacks: Pre-computed Hashes

Generate all possible hashes a priori
Compare to database values
Storing hashes requires huge storage
  LM "Hashes": 310 Terabytes
  NT Hashes < 15 chars: 5,652,897,009 exabytes
  Solution: Use a time-space tradeoff
Succeeds due to lack of salt

Page 32: Offline Attacks: Pre-computed Hashes – Considerations

Takes significant effort up front
LM Hashes much more vulnerable due to smaller key space and shorter length
Web services available
SETI-style efforts to generate tables
Do not work against cached credentials
Mitigations
  Use good passwords
  Remove LM Hashes

Page 33: Pass-The-Hash Attacks

Tool computes response from nonce based on arbitrary hash
Tools are rare but are available
Instant attack
Does not work with cached credentials

  LM Response – DES(LM Hash, nonce)
  NTLM Response – DES(Unicode pwd, nonce)

Page 34: Offline Dictionary And Brute Force Attack

Page 35: Non-Technical Attacks

Shoulder surfing
  Watching someone type their password
  Common and successful
  Mouthing password while typing
Keyboard sniffing
  Hardware is cheap and hard to detect
  Software is cheap and hard to detect
  Both can be controlled remotely
Social engineering…

Page 36: Password Cracking at Layer 8

http://zdnet.com.com/2100-1105_2-5195282.html
http://story.news.yahoo.com/news?tmpl=story&cid=528&e=1&u=/ap/20050317/ap_on_go_ca_st_pe/irs_computer_security

Page 37: Great Password, Weak Implementation

Page 38: Password Best Practices

Page 39: Pass Phrases v. Passwords

Page 40: Longer Is Better!

Page 41: Technology-Based Mitigation

Disable LM hash storage
  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
  Passwords > 14 characters
  Certain Unicode characters
  Clustering, Windows CE, RTC, ??? broken
Set NtlmMinClientSec & 0x80010
Deploy password policy
  Minimum length
  Complexity
  Expiration
  Reuse
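An added defender-side check (not from the deck) for the registry settings behind slides 17 and 41: it parses constructed `reg query` output and reports settings that still allow LM hash storage, LM or NTLM responses, or NTLM without NTLMv2 session security. It assumes NtlmMinClientSec lives under the MSV1_0 subkey of Lsa and treats an absent value as the weakest default.

```python
import re

# Constructed sample of `reg query` output for a weakly configured host (not captured
# from any real machine). Assumption: NtlmMinClientSec sits under the MSV1_0 subkey.
WEAK_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    NoLMHash    REG_DWORD    0x0
    LmCompatibilityLevel    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    NtlmMinClientSec    REG_DWORD    0x0
"""

# The same host after applying slides 17 and 41: no LM hashes, NTLMv2 only,
# session security required (also constructed).
HARDENED_HOST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    NoLMHash    REG_DWORD    0x1
    LmCompatibilityLevel    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    NtlmMinClientSec    REG_DWORD    0x80010
"""

NTLMV2_SESSION_SECURITY = 0x80010   # the bits slide 41 asks to set in NtlmMinClientSec
DWORD_LINE = re.compile(r"^[ \t]+(\S+)[ \t]+REG_DWORD[ \t]+0x([0-9A-Fa-f]+)[ \t]*$", re.M)


def parse_reg_query(text: str) -> dict:
    """Map value name (lower-cased; registry names are case-insensitive) -> int
    for every REG_DWORD line in reg query output."""
    return {m.group(1).lower(): int(m.group(2), 16) for m in DWORD_LINE.finditer(text)}


def audit(values: dict) -> list:
    """Findings against the deck's mitigations; a missing value counts as the weakest default."""
    findings = []
    if values.get("nolmhash", 0) != 1:
        findings.append("NoLMHash is not 1: LM hashes are still stored at password change")
    level = values.get("lmcompatibilitylevel", 0)
    if level < 3:                       # levels 0-2 still send LM and/or NTLM (slide 17)
        findings.append(f"LmCompatibilityLevel={level}: LM or NTLM responses can be sent; "
                        "use 3 or higher (5 to refuse LM and NTLM on servers)")
    sec = values.get("ntlmminclientsec", 0)
    if (sec & NTLMV2_SESSION_SECURITY) != NTLMV2_SESSION_SECURITY:
        findings.append(f"NtlmMinClientSec=0x{sec:x}: NTLMv2 session security not required")
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST)):
        print(name, audit(parse_reg_query(dump)))
```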

Page 42: Password Filter

Illustrative filter logic from the slide (a fragment, not a complete PasswordFilter DLL). szPwd, cchPassword, aBadWords, bUserIsAdmin, the dw* counters and the WORD array wType are assumed to be declared by the caller; strInList and isUnicode are the slide's own helpers. The C1_* flags are character-class bits that GetStringTypeW reports per character, so they are tested on wType[i], not on the character value itself.

    bComplex = FALSE;
    dwNum = dwUpper = dwLower = dwSym = dwUnicode = 0;

    if (strInList(szPwd, aBadWords)) {
        bComplex = FALSE;               /* blocklisted words never pass, whatever follows */
    } else if (cchPassword > 9) {
        GetStringTypeW(CT_CTYPE1, szPwd, cchPassword, wType);
        for (i = 0; i < cchPassword; i++) {
            if (wType[i] & C1_DIGIT)  { dwNum = 1;     continue; }
            if (wType[i] & C1_UPPER)  { dwUpper = 1;   continue; }
            if (wType[i] & C1_LOWER)  { dwLower = 1;   continue; }
            if (wType[i] & C1_SYMBOL) { dwSym = 1;     continue; }
            if (isUnicode(szPwd[i]))  { dwUnicode = 1; continue; }
        }
        if (bUserIsAdmin) {             /* Admins need better passwords than users */
            if ((dwNum + dwUpper + dwLower + dwSym + dwUnicode == 5) && cchPassword > 14)
                bComplex = TRUE;
        } else {                        /* User is not an admin, use lower requirements */
            if (dwNum + dwUpper + dwLower + dwSym + dwUnicode >= 4)
                bComplex = TRUE;
        }
    }

Page 43: Technology-Based Mitigation: Multi-factor authentication

Why use passwords at all?
Smart cards
  Two-factor authentication
  Very difficult to thwart
  High cost of initial deployment
Biometric
  Two- or three-factor authentication
  Usually defeated with non-technical attacks
  Very expensive
  Failure-prone

Page 44: Fun With Biometrics

Page 45: Detecting Attacks - Account Lockout

Page 46: Summary

How passwords are stored
How passwords are used
How passwords are attacked
Password best practices

Page 47

Page 48: Passwords Article Series

http://www.microsoft.com/technet/security/secnews/newsletter.htm

Page 49: For more information

Jesper and Steve finally wrote a book!
Order online: http://www.awprofessional.com/title/0321336437
Use promo code JJSR6437
[email protected]

Page 50

Jesper M. Johansson
[email protected]

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.