Enforcing Stronger Passwords

Microsoft's password complexity filter: what's wrong with it and why you might need something better.

Bill: Is there a way to change the default password complexity filter in Windows 2000 or Windows 2003? We just did a sweep of our user passwords with a password cracker and found that lots of our users had passwords that were easy to discover even though we enforce six-character strong passwords.
—An MCSE in Phoenix

Phoenix MCSE: Okay, so let’s start at the 20-yard line and talk about passwords and why password complexity is important before discussing what’s wrong with the Microsoft complexity filter.

First of all, Windows does not store a user’s password, as you probably know. It stores an MD4 (Message Digest) hash of the password (and a DES hash for backward compatibility with Windows 9x clients). The MD4 algorithm slices and dices the password in such a way that the input cannot be derived directly from an analysis of the output.

But...

The MD4 algorithm is well known, so a password cracking program simply builds a database of hashed passwords and compares those hashes, one by one, to a password hash either taken directly from Active Directory or derived from a sniff of a challenge-response authentication transaction.

(The password hash is not transmitted on the network during a challenge-response, but the challenge is available in clear text, so it’s fairly simple to derive the value of the hash based on the reply sent by the client in response to the challenge. Kerberos avoids this vulnerability by not transmitting a challenge. It transmits a timestamp encrypted with a hash derived from the user’s password hash. The attacker would have to know the precise timestamp to derive the password hash.)

Windows passwords are particularly susceptible to precompiled hash attacks because the domain controllers do not “salt” the passwords with a random number as Unix systems do.

Okay, so that makes a dictionary attack of a Windows password fairly straightforward. What about “strong” passwords, though? Most of us use the Windows password filter to force our users to select passwords that meet these criteria:

  • At least one change from upper to lower case
  • At least one numeral or special character
  • Cannot contain the user’s logon name
  • Cannot contain portions of the user’s name

Based on the complexity filter, a password of Orange7 would be acceptable as long as the user’s name isn’t John Orange. (I’ll talk about password length in just a minute.)

A password cracker would find a match for the hash of Orange7 very quickly, though. Adding a special character to the end of a word doesn’t fool the cracker. The cracker simply runs through the precompiled dictionary words and tacks a single special character onto the beginning, then onto the end. It then does the same for two special characters, then three.

So, you don’t get a strong password by putting complexity at the beginning or end of a password. The special characters have to go in the middle.

Also, as long as you store old-style LanMan hashes in Active Directory, the change of case in the password is useless for deterring password crackers, because LanMan passwords are converted to upper case before hashing. So, although an NT password might be considered “strong” if it looked like this: PaSsWoRd$, the resulting LanMan password would be PASSWORD$, a fairly simple item to crack.

You won’t get acceptable password complexity until you rid yourself of legacy LanMan password hashes, which requires purging all Win9x machines from your network or installing the DSClient patch on them and hacking the Registry on each client machine. See Microsoft Knowledge Base article 239869, "How to Enable NTLM 2 Authentication."

As far as enforcing a six-character password length, that’s not long enough. Even if you force your users to put special characters in the middle of their passwords and purge LanMan password hashes, it would still not take all that long to crack a six-character password using brute force. And even if you force users to change their passwords every 30 days to foil the cracker, users simply select a base pattern and only change the special character or numeral at the end: Orange7 -> Orange8 -> Orange9 and so forth.

So, if you want to have passwords that can withstand a moderately sophisticated cracking application, you need at least eight-character passwords (10 is better) with special characters in the middle of the password and no patterns when changing passwords. With all that in mind, the complexity filter in Windows just doesn’t cut it. You may want to take a look at the Password Policy Enforcer from Anixis (www.anixis.com) or some other third-party tool for enforcing more robust complexity. You should also start thinking about deploying a two-factor logon such as a smart card, smart token, or biometrics.
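To make the stronger policy concrete, here is a checker written for this column as an added example (it is not Microsoft's passfilt.dll, nor the Anixis product) that enforces the points above: a length floor, a digit or special character that survives inside the letters rather than at either end, no pieces of the user's name, and no Orange7 -> Orange8 rotation against the previous password. The sample account "jsmith" / "John Smith", the MIN_LENGTH of 8 and the three-character name-fragment threshold are assumptions.

```python
import re

MIN_LENGTH = 8          # the column's floor; 10 is better (assumed setting)
NAME_FRAGMENT = 3       # name pieces shorter than this are ignored (assumption)

def _core(pw):
    """Drop the leading and trailing runs of non-letters: 'Orange7!' -> 'Orange'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)

def has_inner_complexity(pw):
    """A digit or special character must sit among the letters; one bolted onto
    either end is exactly what a cracker's prepend/append rules enumerate."""
    return re.search(r"[^A-Za-z]", _core(pw)) is not None

def has_case_change(pw):
    """Mixed case (worthless while LanMan hashes are stored, but still required)."""
    return bool(re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw))

def contains_name(pw, logon_name, full_name):
    """Reject the logon name or any piece of the display name, case-insensitively."""
    lowered = pw.lower()
    pieces = [logon_name] + full_name.split()
    return any(len(p) >= NAME_FRAGMENT and p.lower() in lowered for p in pieces)

def reuses_base(pw, previous=None):
    """Catch the Orange7 -> Orange8 rotation: same letter core, only the edges changed."""
    return previous is not None and _core(pw).lower() == _core(previous).lower()

def check_password(pw, logon_name, full_name, previous=None):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not has_case_change(pw):
        failures.append("no mix of upper and lower case")
    if not has_inner_complexity(pw):
        failures.append("digit/special character only at the ends")
    if contains_name(pw, logon_name, full_name):
        failures.append("contains logon name or part of user's name")
    if reuses_base(pw, previous):
        failures.append("same base as previous password")
    return failures

if __name__ == "__main__":
    # Constructed candidates for a constructed account; Orange7 fails twice,
    # Orange78 only on placement, Ora7nge!Tree passes, and its "9" rotation is caught.
    for cand, prev in [("Orange7", None), ("Orange78", None),
                       ("Ora7nge!Tree", None), ("Ora7nge!Tree9", "Ora7nge!Tree")]:
        print(f"{cand:15} -> {check_password(cand, 'jsmith', 'John Smith', prev) or 'OK'}")
```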

If you have a recommendation for a better complexity filter, or you have techniques for encouraging users to select strong passwords, pass them along to me and I’ll print them in an upcoming column.

Hope this helps.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
