I have been reading this article about passwords and how easy it is to hack a server when you do not have secure passwords – Hacked Via RDP: Really Dumb Passwords — Krebs on Security.
One of the things that stands out is that the default Local Security Policy on Windows is wrong: the “Password must meet complexity requirements” setting should always be set to “Yes”. The definition is quite clear cut:
This security setting determines whether passwords must meet complexity requirements.
If this policy is enabled, passwords must meet the following minimum requirements:
Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
Be at least six characters in length
Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
Default: Enabled on domain controllers. Disabled on stand-alone servers.
Note: By default, member computers follow the configuration of their domain controllers.
(Emphasis on the “user account name” part is mine.) Where I believe the settings are incorrect is the “Disabled on stand-alone servers” default. If a computer can be reached remotely via RDP then it MUST have “Password must meet complexity requirements” set to “Yes”. This should be a requirement of enabling the Remote Desktop Protocol.
This would negate ALL the attacks in the Krebs article.
Also, we have found that MOST companies that store passwords in an encrypted manner use an unsalted MD5 hash. While this is one-way, it is very easily defeated by rainbow tables and online reverse-lookup databases. For example, let’s take a simple password and get its MD5 hash:
MD5(‘password’) = 5f4dcc3b5aa765d61d8327deb882cf99
Now, let’s use MD5 Online to “crack” this password by doing a simple reverse lookup:
Found : password (hash = 5f4dcc3b5aa765d61d8327deb882cf99)
OK, so unsalted MD5 hashes are not a good idea with common words. What we suggest is that YOU take responsibility for adding your own “salt”, e.g.:
MD5(‘$$password$$’) = 213a95dfa43321c74cf0b5c843afbe6e
Using MD5 Online again, we find:
No result found in our database.
Obviously this is only as good as the “salt” that you choose, but make sure you have a number of different special characters in your password and DON’T rely on letter substitution:
MD5(‘p@55w0rd’) = 39f13d60b3f6fbe0ba1636b0a9283c50
MD5 Online can easily find this password – even though it’s not a real word!
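As an added example (my own code, not part of the original post or of MD5 Online), the following Python script reproduces the reverse-lookup weakness above against a small constructed candidate table, shows the post's fixed-wrapper “salt” defeating that table, and goes a step beyond the post by showing the standard alternative: a random per-user salt with a slow key derivation (PBKDF2). The candidate list and the `algorithm$iterations$salt$digest` storage format are my own constructions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a reverse-lookup service such as MD5 Online:
# a handful of common candidates hashed ahead of time. Real tables hold
# billions of entries, including "leet" variants like p@55w0rd.
CANDIDATES = ["password", "123456", "qwerty", "letmein", "p@55w0rd"]
LOOKUP_TABLE = {hashlib.md5(c.encode()).hexdigest(): c for c in CANDIDATES}

def md5_hex(text: str) -> str:
    """Unsalted MD5 as hex, the scheme the post says most sites use."""
    return hashlib.md5(text.encode()).hexdigest()

def reverse_lookup(hex_digest: str):
    """Return the plaintext if the digest was precomputed, otherwise None."""
    return LOOKUP_TABLE.get(hex_digest.lower())

def md5_with_static_wrapper(password: str, wrapper: str = "$$") -> str:
    """The post's suggestion: wrap the password in a fixed string before hashing.
    This beats a table of plain words, but every user shares the same wrapper."""
    return md5_hex(f"{wrapper}{password}{wrapper}")

def pbkdf2_store(password: str, salt=None, iterations: int = 200_000) -> str:
    """Standard approach: a random per-user salt plus a slow key derivation.
    Storage format is my own: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    for pw in ["password", "p@55w0rd"]:
        print(pw, "->", reverse_lookup(md5_hex(pw)))  # both are found
    print("$$password$$ ->", reverse_lookup(md5_with_static_wrapper("password")))  # None
    stored = pbkdf2_store("password")
    print(stored, pbkdf2_verify("password", stored))  # random salt, True
```

Because each PBKDF2 record carries its own random salt, two users with the same password get different stored values, so a single precomputed table cannot serve for all of them.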