Your Password has Failed the Test
Posted Saturday, October 6, 2012 5:03 AM


Mr or Mrs. 500


Group: General Forum Members
Last Login: Friday, September 19, 2014 5:28 AM
Points: 587, Visits: 2,532
Comments posted to this topic are about the item Your Password has Failed the Test


Best wishes,

Phil Factor
Simple Talk
Post #1369413
Posted Saturday, October 6, 2012 8:43 PM


SSCertifiable


Group: General Forum Members
Last Login: Today @ 9:26 AM
Points: 5,358, Visits: 8,914
Hi Phil,

I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?


Wayne
Microsoft Certified Master: SQL Server 2008
If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
Links: For better assistance in answering your questions, How to ask a question, Performance Problems, Common date/time routines,
CROSS-TABS and PIVOT tables Part 1 & Part 2, Using APPLY Part 1 & Part 2, Splitting Delimited Strings
Post #1369493
Posted Sunday, October 7, 2012 8:07 AM


SSC-Dedicated


Group: General Forum Members
Last Login: Today @ 3:27 PM
Points: 35,216, Visits: 31,673
These privileges would give you control over every SQL Server instance, and if XP_CmdShell was enabled, then you could control the machine.


I disagree not about controlling the whole machine but with the suggestion that having XP_CmdShell turned on causes any sort of a problem. Specifically, you're talking about someone breaking in with an "sa" prived account. Whether or not XP_CmdShell is enabled, you've just let someone in with "sa" privs and they can turn XP_CmdShell on just like any other "sa" prived person can. In fact, any hacker hell bent on gaining such access will be expecting XP_CmdShell to be turned off and will turn it on without missing a step.

XP_CmdShell is not the problem here. Poor security is the only problem here.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1369530
Posted Monday, October 8, 2012 9:15 AM
SSC Eights!


Group: General Forum Members
Last Login: Today @ 12:16 PM
Points: 870, Visits: 2,401
I agree completely on performing password audits. PWDCOMPARE, however, is good for a first pass but not for the only pass. If you can find a password with PWDCOMPARE and without prior knowledge of the password, it's absolutely a worthless password. If you can't find it with PWDCOMPARE, you have no knowledge of its strength - it may still be an absolutely worthless password.

For actual password auditing, I highly recommend using dedicated tools like Hashcat, preferably with at least one modern, up to date graphics card (or NVIDIA Tesla card, for the industrially inclined or Amazon cloud renters) - note that SQL Server 2012 support is being added. Note also that cracking speeds with a single machine in the $4000 price range for SQL Server 2005 through 2008 R2 passwords are now in the range of 22,000,000,000 password attempts per second (yes, that's twenty-two billion attempts per second, i.e. a one hundred thousand word dictionary with 220,000 rules applied every second... so putting three numbers at the end of a common word isn't going to help you much!).

Note that that rate allows brute force exhaustion of the entire 95^8 space (8 character cryptographically random password with all of upper/lower/number/symbol) in only about three days. 69^8 (as before, but only upper or lower case, not both) is exhausted in about 6 hours (generating an average cracking time of 3 hours, and 1 in 10 passwords being cracked in a little over half an hour).

Additionally, you can test the strength of passwords you think are secure (like the immortal "P@$$w0rd", which meets all "industry standard" windows complexity rules, and its children, "P@$$w0rd1" through "P@$$w0rd123", and all of which are some of the absolute very worst passwords in the world), with code similar to what I posted at the beginning of this year:
Here's my post on rules-based password prevalidation (i.e. is this password worth even trying to use), complete with sample code and estimations of the strengths of various sizes of completely random passwords.

ETA: Added brute force timing notes.
Post #1369880
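The post above contrasts PWDCOMPARE as a first pass with offline cracking of the stored hashes. The following is an added example, not code from the thread or from Phil Factor's article: an offline equivalent of PWDCOMPARE written in Python rather than T-SQL so the hash layout is visible, plus the keyspace arithmetic behind the timing notes. The layouts are the documented ones that hashcat implements as modes 132 (2005 through 2008 R2) and 1731 (2012 and later). The logins, passwords and wordlist in the block are constructed for the example.

```python
"""
Added example (not from the thread): offline PWDCOMPARE for the documented
SQL Server password_hash layouts, and the brute-force time arithmetic.

  SQL Server 2005-2008 R2: 0x0100 || salt(4) || SHA-1(UTF-16LE(pw) || salt)
  SQL Server 2012+:        0x0200 || salt(4) || SHA-512(UTF-16LE(pw) || salt)
"""
import hashlib
import os
from typing import Dict, Iterable

# Attempts per second quoted in the thread for 2005-2008 R2 hashes on one box.
RATE_2008R2 = 22_000_000_000

VERSION_SHA1 = 0x0100    # 2005 through 2008 R2
VERSION_SHA512 = 0x0200  # 2012 and later


def sql_hash(password: str, salt: bytes, version: int = VERSION_SHA1) -> bytes:
    """Build a password_hash value in the form sys.sql_logins stores it."""
    if len(salt) != 4:
        raise ValueError("SQL Server uses a 4-byte salt")
    data = password.encode("utf-16-le") + salt
    if version == VERSION_SHA1:
        digest = hashlib.sha1(data).digest()
    elif version == VERSION_SHA512:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError(f"unknown hash version {version:#06x}")
    return version.to_bytes(2, "big") + salt + digest


def new_hash(password: str, version: int = VERSION_SHA1) -> bytes:
    """What a CREATE LOGIN stores: a fresh random salt for every login."""
    return sql_hash(password, os.urandom(4), version)


def pwdcompare(candidate: str, stored: bytes) -> bool:
    """Offline PWDCOMPARE: reuse the stored version and salt, recompute,
    compare. Case-sensitive, like the 2005+ formats themselves."""
    version = int.from_bytes(stored[:2], "big")
    return sql_hash(candidate, stored[2:6], version) == stored


def audit(logins: Dict[str, bytes], wordlist: Iterable[str]) -> Dict[str, str]:
    """First-pass dictionary audit: login -> recovered password for every
    login whose hash matches a wordlist entry. A miss proves nothing about
    strength, which is the point made in the post above."""
    words = list(wordlist)
    hits: Dict[str, str] = {}
    for name, stored in logins.items():
        for word in words:
            if pwdcompare(word, stored):
                hits[name] = word
                break
    return hits


def exhaust_seconds(charset: int, length: int, rate: int = RATE_2008R2) -> float:
    """Seconds to try every password of `length` symbols drawn from `charset`."""
    return charset ** length / rate


if __name__ == "__main__":
    # Constructed logins: two weak passwords, one random one.
    logins = {
        "app_user": new_hash("P@$$w0rd"),
        "report_user": new_hash("Jennifer2007", VERSION_SHA512),
        "etl_user": new_hash("vW9#kq2!Lm0z", VERSION_SHA512),
    }
    print(audit(logins, ["password", "P@$$w0rd", "Jennifer2007"]))
    print(f"95^8 exhausted in {exhaust_seconds(95, 8) / 86400:.1f} days, "
          f"69^8 in {exhaust_seconds(69, 8) / 3600:.1f} hours")
```

Because the salt is stored in the clear beside the digest and the construction is a single unsalted-style SHA round, the salt only stops precomputed tables; it does nothing against the per-hash guessing rate the post quotes, which is why a dictionary miss under PWDCOMPARE is not evidence of strength.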
Posted Monday, October 8, 2012 9:56 AM


SSC-Dedicated


Group: General Forum Members
Last Login: Today @ 3:49 PM
Points: 39,886, Visits: 36,233
WayneS (10/6/2012)
Hi Phil,

I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?


Personally I use crossword word-list sites.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #1369916
Posted Monday, October 8, 2012 10:40 AM
SSC Eights!


Group: General Forum Members
Last Login: Today @ 12:16 PM
Points: 870, Visits: 2,401
WayneS (10/6/2012)
Hi Phil,

I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?


1) Be careful looking -
1a) Never download anything except a text file or a compressed file
1b) Virus scan everything first
1c1) Download using a LiveCD without a hard drive
1c2) Download using a LiveCD with a hard drive unmounted
1c2.5) Download using a disposable installation (install, download, wipe with DBAN or another DoD wiper) - credit to GSquared
1c3) Download using a VM
1c4) Only go to known reasonable sites
2) Public domain dictionaries (1913 Webster edition, etc.) are available.
3) Name lists are available from the U.S. Census .gov site http://www.census.gov/genealogy/www/data/1990surnames/names_files.html
4) As Gail said, crossword lists
4a) English Open Word List
4b) UK Advanced Cryptics Dictionary (UKACD)
5) Linux distribution wordlists - watch for copyright and licensing, not all are licensed under GPL
5a) dictionary-common wordlists
5b) aspell wordlists (the U.S. one is under copyright, so find and read the license first)
5b1) Shell script: aspell -l $1 dump master | aspell -l $1 expand | tr ' ' '\n' > $1.txt
5b1i) replace $1 with the language you want to get.
6) Known cracking wordlists from reputable sources (usually cracking competition teams or security vendors)
6a) Go to any of these at YOUR OWN RISK - see 1b and 1c1.
6b) Skullsecurity
6c) Openwall
6d) Korelogic
6e) Facebook breach list
6f) phpbb breach list (very small, very good for the size)
7) Your own additions for whatever industry and company you're in or deal with, or people involved. People _love_ to have company information, personal information, etc. in their passwords, from names to cars to kids.
7a) Be clever, think up some way of using the company name that's just so clever. Try it. Repeat until you crack at least one password.
7a1) If you've got more than 50 ordinary human-generated passwords and you haven't cracked one in at least 50 tries, get someone else to try generating words and case variations. Someone more normal :).
8) Use a tally table to generate lists of dates in various formats, the last 100 and next 50 years, etc. to add to words if you really insist on using PWDCOMPARE instead of a rules based cracker; Jennifer2007 is not as uncommon a password for people with 5 year old daughters as you might think.
Post #1369950
Posted Monday, October 8, 2012 11:00 AM


SSChampion


Group: General Forum Members
Last Login: Friday, June 27, 2014 12:43 PM
Points: 13,872, Visits: 9,596
Nadrek, please add to your list, "Download using a disposable machine".

I have an older desktop PC that still works. I flash (image) the drive after a clean installation of the OS and patches. Keep the image on removable media and remove the media before actually using the machine. Then I can go to all the hacker sites in the world, get the data I need, clean up the data (ASCII .txt files are pretty darn safe, after all), burn the txt files to CD cleanly, and then wipe the system and reload from the (clean) image.

It's easier and faster than you might think to do that kind of thing.

It's really easy to tell if a CD ended up with any data on it other than the txt files you wanted. And if you have auto-play turned off, it can't execute any code you don't tell it to.

This is better than using a VM for this kind of thing. Some malware can put a rootkit below the hypervisor level and thus infect the host machine instead of just the VM.


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #1369958
Posted Monday, October 8, 2012 11:07 AM
SSC Eights!


Group: General Forum Members
Last Login: Today @ 12:16 PM
Points: 870, Visits: 2,401
GSquared (10/8/2012)
Nadrek, please add to your list, "Download using a disposable machine".


Hmm... I'll rate that one just below the two LiveCD ones, both of which should be considerably easier than building a machine (unless you do it once and just keep restoring the image to it).

It is, however, an excellent idea, and doubly so if you want to stick with Windows. Just make sure you've got your AV installed with relatively recent updates prior to plugging in the network cable for the first time.
Post #1369962
Posted Monday, October 8, 2012 1:47 PM


SSChampion


Group: General Forum Members
Last Login: Friday, June 27, 2014 12:43 PM
Points: 13,872, Visits: 9,596
Nadrek (10/8/2012)
GSquared (10/8/2012)
Nadrek, please add to your list, "Download using a disposable machine".


Hmm... I'll rate that one just below the two LiveCD ones, both of which should be considerably easier than building a machine (unless you do it once and just keep restoring the image to it).

It is, however, an excellent idea, and doubly so if you want to stick with Windows. Just make sure you've got your AV installed with relatively recent updates prior to plugging in the network cable for the first time.


Exactly.

Not necessary with *nix machines, really. But with Windows, if you need that for whatever reason, it's easy enough.

The whole point is build-once-restore-many.

As for AV on it, it depends on what you want to research. If you're researching virus/malware/rootkit code, then not having AV on it can be part of the point. Restore from image, surf some suspected (or known) to be malicious sites, without deliberately installing/modifying anything, then compare the current state of the O/S and disk with the image state. With the right tools, you can find just about anything that way, no matter how cleverly hidden.

For this passwords-from-malicious-sites-thing, AV is probably not a bad idea. But I operate on the assumption that it's got malware on it as soon as I start using it, regardless of whether AV says so or not, and re-flash from the image at the right point, anyway. So AV isn't really necessary at that point. Don't care if I prevent, because I'm going to cure regardless.

Another concern, of course is BIOS worms. Make sure on your system flash that you don't just do the disks, but also the BIOS. Booting from WORM media (CD/DVD/etc.) won't protect you from BIOS worms, and new ones can frequently bypass AV systems (till they get signatured), so be careful about that if you use that solution.


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #1370019
Posted Monday, October 8, 2012 2:54 PM


Mr or Mrs. 500


Group: General Forum Members
Last Login: Friday, September 19, 2014 5:28 AM
Points: 587, Visits: 2,532
Hi Phil,

I'm curious as to the source of the password list that you utilize. Is it something that you can share a link with?


I started out with a list of every word in the English language. There are several of these around. You probably won't find these used if you have a policy in place, but if you do the usual @ and 0 substitutions as well, then a lot crawls out. I add words from books on the Gutenberg project. Capitals should be random in a good password, but they usually aren't, so I simply double the list with a capital for the first letter. Then, every time there is a release of passwords from one of the security experts as ASCII files, I update the list to include them (there are surprisingly few extra strings from this). I never, never get the passwords from the hackers, only second-hand from the security experts, and then as plain ASCII.

My only purpose is to check that the passwords are reasonable. I'm not a security expert and so I don't hack into machines. You only need to google a bit to see that the unsalted hashes are very easily decoded, and there are plenty of utilities that claim to be able to read the more recent salted hashes. I haven't tried one, but I bought a utility a while back when I locked myself out of a SQL Server entirely (long story) and it let me in in a moment by allowing me to change the passwords in windows and SQL Server!



Best wishes,

Phil Factor
Simple Talk
Post #1370059