Protecting The Password File

protecting the password file

Seems like passwords on public facing web services are being cracked hundreds of thousands at a time these days. And we’re not just talking about Mom ‘n Pop businesses either. Linked In, Yahoo, and Last.FM, have had password-related hacks, just to name a few that have happened recently. Details tend to be sketchy on these stories, but most revolve around protecting the password file, or the failure to do so.

It seems that the universal response to these incidents is always to tell user to change their passwords, use stronger passwords, stop using the password across multiple services. That’s all good advice because its something that can be done immediately and at relatively small cost to the company. But it’s also more inconvenient for the end user’s and it doesn’t address the fundamental vulnerability in the system, which is protecting the password file.

When hacker’s attack a system through compromising passwords, they don’t pull up the web page and randomly pluging in user IDs and passwords into the logon screen. First of all, that’s way too slow even with automated tool. But more importantly, that activity can easily be monitored and detected. If there are too many failed logins, people will notice and take corrective action.

Instead, hackers target the controls protecting the password file. Theymanage to penetrate the IT infrastructure, compromise the servers, and steal the password file, which typically contains hashes of the password. Once the attacker has password file, they can use tools offline to test hundreds of  thousands of passwords at a time against the password file in a brute force attack. Because this is done offline on the attacker’s machine, no one knows the attack is happening until the passwords have already been compromised.

So yeah, it’s good to have strong passwords and all that. But the fundamental problem is that companies are unable to protect their password files from theft. Despite all the many and varied technologies available, firewalls, network intrusion protection, configuration monitoring, operating system access controls, etc etc. Hackers are still managing to gain access to the IT environment and steal the one file everyone in the IT shop knows is a target, the password file.

New Technology for Protecting the Password File

Today, RSA announced a new offering called Distributed Credential Protection, which claims to “scramble, randomize, and split your passwords into multiple locations.” The details of the offering are still unclear to me, but it doesn’t sound like a technology for protecting the password file. Instead it sounds to me like a technology to replace password files with an infrastructure that makes it much harder to steal the stored passwords so that there is no longer a single file point of failure.

I have to give RSA kudos for at least correctly identifying the the root problem is protecting the password file and addressing it. Sounds like this offering would make protecting the password file obsolete or irrelevant by spreading the contents among multiple machines that would have to be compromised.

It forces me to ask the question, do we really need a purpose-built infrastructure for protecting the password file contents?  Is there no other way to keep a single well known file on a server protected? We have all these other IT security controls at our disposal and somehow we can’t protect the one file we know needs protection.

There are hundreds of thousands of compromised passwords that would seem to say that drastic measures are needed.

Comments

  1. Pierre Ernst says

    Interesting,
    are you sure the hacks you’ve mentioned were not due to SQL injection instead?

    You are right that /etc/passwd is word-readable (-rw-r–r– root root), but it does not contain hashed passwords.
    Password shadowing has been used since 1988 according to http://en.wikipedia.org/wiki/Shadow_password#History

    Tools like “John the Ripper” require the /etc/shadow file (-rw-r—– root shadow)

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *