While there are various authentication mechanisms available, most people still log on with a user name and password – and most people assume that the longer a password is, the more difficult it will be to break. But it ain’t necessarily so!
Windows 2000, XP, Server 2003 and Vista store user passwords as an NTLM hash and/or as a LAN Manager (LM) hash. The LM hash is kept for backward compatibility with Windows 9x clients, which authenticate via LM rather than Kerberos. By default, Windows Vista only saves passwords as an NTLM hash (if you want Vista to save them as an LM hash too, you need to turn that option on), but Windows 2000, XP and Server 2003 all save both NTLM and LM hashes – and LM hashes can be cracked easily.
To calculate a LM hash, the operating system takes a password and:
1. Converts all lowercase characters to uppercase;
2. Pads the password with NULL characters until it is exactly 14 characters long;
3. Splits the password into two 7 character chunks;
4. Uses each chunk separately as a DES key to encrypt a specific string; and
5. Concatenates the two ciphertexts into a 128-bit string and stores the result.
Consequently, each chunk of a password can be attacked separately, and the entire lowercase character set can be ignored. Both of these factors substantially reduce the number of possible character combinations (Wikipedia explains the math) and enable cracking tools such as Ophcrack to break LM hashes extremely quickly.
Additionally, once one chunk of a password has been recovered, an attacker may well be able to guess the other. For example, let’s say that a chap called Gilbert Grape had chosen the password GilbertGrape (not very imaginative, but then the same can be said for the majority of passwords!). This password can actually be broken far more speedily than a strong 7-character password: once a cracking tool has recovered the second chunk as Grape, the attacker will probably be able to guess that the first chunk is Gilbert. Accordingly, the cracking tool has only had to discover 5 of the 12 characters in the password for it to be broken.
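As an added worked example (my own code, not from the original article), here are the five steps above in Go using the standard library's crypto/des; the fixed plaintext of step 4, which the article does not name, is the constant KGS!@#$%. It shows that the second chunk of GilbertGrape hashes to exactly the same value as Grape on its own, and it includes a small check an administrator can run over a hash dump to flag hashes whose second half is the constant value of an all-NULL chunk, i.e. passwords of seven characters or fewer.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the "specific string" of step 4; emptyHalf is what an all-NULL
// chunk encrypts to, i.e. the second half of any LM hash of <= 7 characters.
var lmMagic = []byte("KGS!@#$%")
const emptyHalf = "AAD3B435B51404EE"

// expandKey packs a 7-byte chunk into DES's 8-byte key format (the low bit of each byte is parity, which DES ignores).
func expandKey(chunk []byte) []byte {
	var bits uint64
	for _, b := range chunk {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7f) << 1
		bits >>= 7
	}
	return key
}

// lmHash follows the five steps: uppercase, NULL-pad (or truncate) to 14
// bytes, split into 7-byte chunks, DES-encrypt lmMagic under each, concatenate.
func lmHash(password string) string {
	padded := make([]byte, 14)              // zero bytes are the NULL padding
	copy(padded, strings.ToUpper(password)) // copy also truncates at 14
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, _ := des.NewCipher(expandKey(padded[i*7 : i*7+7])) // 8-byte key never errors
		block.Encrypt(out[i*8:], lmMagic)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// secondChunkEmpty lets an auditor tell from a stored hash alone that the
// password is at most 7 characters, so only one chunk needs cracking.
func secondChunkEmpty(hash string) bool {
	return len(hash) == 32 && strings.EqualFold(hash[16:], emptyHalf)
}

func main() {
	for _, pw := range []string{"", "Grape", "GilbertGrape"} {
		fmt.Println(pw, lmHash(pw), secondChunkEmpty(lmHash(pw)))
	}
}
```

The uppercase step uses ASCII folding only; real LM hashing applies the OEM code page, which matters for non-ASCII passwords but not for the samples here.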
While many businesses use policy to enforce both password complexity and expiry requirements, this is not necessarily the best option. Why? Simply because users find it extremely difficult to create a password that is both complex and memorable on a monthly basis. Should you enforce such a policy, chances are that your users will be attaching sticky notes to the undersides of their desks and the backs of their monitors to serve as aides-mémoire – and that will obviously decrease your security.