“So this is my first ever blog entry and seeing as how I’m a senior member of the PSS Security Incident Response team, you may think I’ve stopped taking my medication by opening with a title like the one above! Medication issues notwithstanding, it’s true – you should NOT be using passwords of any kind. Why? For starters, passwords are ridiculously easy to guess or crack. Worms like Agobot / Phatbot / Polybot / SDBot / RBot (no I didn’t write this one) all ship with dictionaries of passwords numbering in the hundreds and they can easily replicate to a system that has a password in this word list, and the miscreants are really good at keeping these wordlists up to date with passwords that they’ve cracked from other systems.
As an example of what I’m talking about, check out Symantec’s write-up of this little nasty that we encounter on my team just about every day.
“Worse, still, attackers (either automated or human) don’t even need to GUESS the password. There are hacking tools aplenty that will let a miscreant sniff your network traffic to scoop out authentication material for the LM, NTLM, and Kerberos protocols and then brute-force that material back into a working password. Sure you can protect the network with segmentation, encryption (IPSec, etc.), and even 802.1x – and I’m a big fan of all of these concepts – but really they just work around an issue that you still need to address: the inherent vulnerability in your network which is the password.
“So here’s the deal. I don’t want you to use passwords, I want you to use pass-PHRASES. What is a pass-phrase, you ask?” […]