© Copyright 2006, Dan Houser, All rights reserved
Debunking
InfoSec Myths
Dan Houser
CISSP-ISSAP
Director, (ISC)²
March 2, 2010
Copyright © 2010 Daniel D. Houser
Image: presumed copyright of DC Comics and Alex Ross. Source: www.alexross.com/dblD/758.html
Well… maybe not that kind of Mythbuster…
Overview
• Of Shaman, Bones, Tea Leaves, Leeches & Poultices
• Best Practice
• Lies, Damn Lies & Statistics
• Detailed dive into password mythology
• Q&A
Shaman Without Shame

Shaman                                                    InfoSec Practitioner
• Tribal Group                                            • Workgroup / Department
• Power = Reputation                                      • Power = Reputation
• Arcane & Secret Knowledge                               • Best Practice & “Need to Know” shroud of secrecy
• Shaman gatherings to exchange knowledge                 • Information Security Conferences / Events
• Early medicine & science                                • Early science
• Wrath of gods for questioning the shaman and knowledge  • Wrath of security for questioning practices, opinions, findings
• Much error                                              • Much error
Comfort with Being a Shaman?
• We associate our profession with Computer Science
• Calling it a science does not make it so
• Very few practice science
• Best Practice vs. Mythology
Science vs. Dogma
Show me the money
Show me the data
• Let’s examine mythology
Image courtesy Salmon Chanted Evening, 2001
Bald Tire Scenario
Risk?
Kudos: Jack Jones
What can we learn of risk mythology?
Risk Myths
• Environment is critical – risk cannot be determined in isolation from the environment
• Possibility is not the same as Probability
• A vulnerability without a threat is no risk
• A threat without a threat agent poses no threat
• Threat agents without capabilities pose no threats
• A threat and vulnerability without value poses no risk
Best Practice
Best Practice? Best?
For whom? Where? When? What?
What security does the NSA need?
What security does a limo company need?
We must kill the mythology of Best Practice.
Sufficient practice? Good practice? Adequate steps?
One recommendation: appropriate & reasonable measures of due care

What makes for a good myth?
- Misunderstanding of risk
- Misunderstanding environment
- No bologna detection
- Lack of academic approach
- Vendors have to eat
More Bones, Leeches, and Poultices
• Windows is less secure than Linux
• Linux is less secure than Unix
• Worms start in labs
• Internet transactions must be encrypted to be protected
• The contract will protect us
• Internet is untrusted, core network is safe
• A firewall can offer me complete protection at the gateway.
• My users are not smart enough to install and run rootkits, sniffers or password crackers
• My users are smart enough not to fall for social engineering tactics
• Network intrusion detection systems are sufficient to secure my network
• Intrusion Prevention works
• With that next silver bullet, we’ll be safe at last
• eMail security is not an issue for me because my state bar does not require lawyers to encrypt e-mail to preserve the attorney-client privilege
• My users have antivirus software on their home PC – that's all I need to worry about
• Only big corporations are targets for hackers
• My developers and engineers have read our corporate security policy, and refer to it when making decisions
• Information security is a technical issue
• The policies are written. My work here is done.
• Adding another firewall will protect us
• Adding another product will protect us
• We’re good, it’s using SSL.
Password Mythology
Much mythology exists in password security
• 30 day expiry is a good number
• Long passwords = strong passwords
• Definition of a strong password:
 – Mixed case, alphanumeric, special character, 10+ characters.
 – T!$oc¥w~m9B¬sQ» is a better password than 39104 or yotozod
• Wait! You mean, it’s not?
• Well no. Randomized, highly complex passwords are designed to defeat a single attack: password cracking through brute force.
• How many attacks are there against passwords?
How many password attacks?

No.  Attack                          S  C  L  i  R
Cracking
01   Acquisition
02   Host Attack
03   Copying Passwd File             3  1  4  3  0.028
04   Server/DASD Theft               2  2  2  3  0.074
05   Buffer overflow                 3  2  3  3  0.074
06   Malware on host                 3  3  3  3  0.111
07   Database/index manipulation     3  2  2  3  0.111
08   Code backdoor                   3  3  2  3  0.167
09   Time Manipulation               2  3  4  2  0.375
10   SW Substitution                 4  4  1  3  0.593
11   Log Acquisition                 3  1  4  1  0.750
12   HW/Firmware Tamper              5  5  1  3  0.926
13   Memory Capture                  5  4  1  2  5.0
14   Key Mgmt Attack                 5  4  1  2  5.0
15   Pointer manipulation            5  4  1  2  5.0
16   Seed / IV Tampering             5  4  1  1  20.0
17   Reverse Engineer host           5  4  1  1  20.0
18   Offline Attack
19   Pwd Brute Force                 2  2  2  3  0.074
20   Backup tape attack              3  2  2  3  0.111
21   Social Engineer                 1  1  2  2  0.125
22   Crypto brute force              5  5  1  3  0.926
23   Terrorist Attack (DOS)          2  2  1  2  1.000
24   Key Mgmt Attack                 4  3  1  2  3.0
25   LED/Optical Interception        5  4  1  1  20.0
26   Emanation                       5  5  1  1  25.0
27   Client Attack
28   Time Manipulation               2  1  2  1  1.000
29   Cookie Tampering                3  2  2  1  3.0
30   Malware on client               3  3  3  1  3.0
31   SW Substitution                 3  3  2  1  4.5
32   Reverse Engineer                5  4  2  1  10.0
33   Keystroke Timing Analysis       4  3  1  1  12.0
34   Low/High Voltage Attack         5  4  1  1  20.0
35   Memory Capture Analysis         5  4  1  1  20.0
36   Temperature Attack              5  4  1  1  20.0
37   Radiation/R.F. Attack           5  4  1  1  20.0
38   HW/Chip/Firmware Substitution   5  5  1  1  25.0
39   Network Attack
40   Sequence Guessing               3  1  3  2  0.250
41   Packet Sniffing                 3  2  3  2  0.500
42   Infrared/Wireless Capture       3  3  2  2  1.1
43   Man-in-middle                   5  3  1  2  3.8
44   Traffic Analysis                5  4  2  1  10.0
45   Covert Channel Acquisition      5  4  1  1  20.0
46   CRL / OCSP Diddling             5  4  1  1  20.0
47   Cleartext Acquisition
48   Host Cleartext
49   Pwd File Tamper / Replace       3  2  2  3  0.010
50   Malware Cleartext               3  3  2  3  0.015
51   Spoofed Pwd Reset               4  3  2  3  0.020
52   Session Hijack                  4  1  3  2  0.030
53   Network Cleartext
54   Packet Sniff/Cleartext Pwd      2  2  2  2  0.045
55   Replay                          4  2  2  2  0.091
56   AuthN / AuthR Spoof             5  4  2  2  0.227
57   Client Cleartext
58   Shoulder Surf                   1  1  4  1  0.023
59   Keyboard Logger                 2  2  3  1  0.121
60   Video/Audio Capture             2  2  2  1  0.182
61   malware/spyware                 3  3  3  1  0.273
62   Fake Pwd Dialog                 3  3  2  1  0.409
63   Van Eck Phreaking               5  4  1  1  1.8
64   Offline
65   Social Engineering              1  1  3  3  0.001
66   Unlocked screen (host)          1  2  3  3  0.002
67   Admin Collusion                 3  2  2  3  0.010
68   Bribe                           1  4  1  3  0.013
69   Unlocked screen (PC)            1  1  5  1  0.018
70   Force                           1  2  2  2  0.023
71   Extortion                       2  2  1  2  0.091
72   Pwd Control Tampering           4  2  2  2  0.091
73   Identity token Theft            2  1  1  1  0.182
74   Fingerprint spoof (biometric)   4  2  1  2  0.182
75   Disclosure / Written down       1  1  5  1  0.200
76   Token Attack (e.g. magstripe)   5  4  1  2  0.455
77   Physical impersonation          4  2  1  1  0.727
78   Forged Identity Documents       3  3  1  1  0.818

We counted 68
Password Attacks: Top Level Attack Tree

Cracking
  01 Acquisition – attacks yielding ciphertext
    02 Host Attack
    18 Offline Attack
    27 Client Attack
    39 Network Attack
  47 Cleartext Acquisition – attacks yielding CLEARTEXT
    48 Host Cleartext
    53 Network Cleartext
    57 Client Cleartext
    64 Offline
Legend
Attack Name
S C L i : R
S: Sophistication
C: Cost to attacker
L: Likelihood
i: Impact
R: Risk value (Low R = High Risk)
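As an added example (not part of Houser's deck), the script below parses the 68 leaf rows of the attack table in the slide's "NN Name S C L i : R" form, assigns each to its sub-tree from the top-level attack tree, and ranks them by risk value (low R = high risk). It uses only the R values as printed; the deck does not state the formula behind R, so none is reconstructed here, and the two-per-line packing of rows is just a compact constructed embedding.

```python
import re
from collections import namedtuple

# One parsed row of the slide's "NN Name  S C L i : R" format (legend: S
# sophistication, C cost to attacker, L likelihood, i impact, R risk value;
# low R = high risk). Branch comes from the top-level attack tree slide.
Attack = namedtuple("Attack", "number name s c l i risk branch")

# Sub-tree headers from the tree slide: a leaf belongs to the last header
# whose number precedes it. 02-46 yield ciphertext, 48-78 yield cleartext.
BRANCHES = [(2, "Host Attack"), (18, "Offline Attack"), (27, "Client Attack"),
            (39, "Network Attack"), (48, "Host Cleartext"),
            (53, "Network Cleartext"), (57, "Client Cleartext"), (64, "Offline")]

# Leaf rows copied from the slides, packed two per line and separated by ';'.
ATTACK_TABLE = """
03 Copying Passwd File 3 1 4 3 : 0.028; 04 Server/DASD Theft 2 2 2 3 : 0.074;
05 Buffer overflow 3 2 3 3 : 0.074; 06 Malware on host 3 3 3 3 : 0.111;
07 Database/index manipulation 3 2 2 3 : 0.111; 08 Code backdoor 3 3 2 3 : 0.167;
09 Time Manipulation 2 3 4 2 : 0.375; 10 SW Substitution 4 4 1 3 : 0.593;
11 Log Acquisition 3 1 4 1 : 0.750; 12 HW/Firmware Tamper 5 5 1 3 : 0.926;
13 Memory Capture 5 4 1 2 : 5.0; 14 Key Mgmt Attack 5 4 1 2 : 5.0;
15 Pointer manipulation 5 4 1 2 : 5.0; 16 Seed / IV Tampering 5 4 1 1 : 20.0;
17 Reverse Engineer host 5 4 1 1 : 20.0; 19 Pwd Brute Force 2 2 2 3 : 0.074;
20 Backup tape attack 3 2 2 3 : 0.111; 21 Social Engineer 1 1 2 2 : 0.125;
22 Crypto brute force 5 5 1 3 : 0.926; 23 Terrorist Attack (DOS) 2 2 1 2 : 1.000;
24 Key Mgmt Attack 4 3 1 2 : 3.0; 25 LED/Optical Interception 5 4 1 1 : 20.0;
26 Emanation 5 5 1 1 : 25.0; 28 Time Manipulation 2 1 2 1 : 1.000;
29 Cookie Tampering 3 2 2 1 : 3.0; 30 Malware on client 3 3 3 1 : 3.0;
31 SW Substitution 3 3 2 1 : 4.5; 32 Reverse Engineer 5 4 2 1 : 10.0;
33 Keystroke Timing Analysis 4 3 1 1 : 12.0; 34 Low/High Voltage Attack 5 4 1 1 : 20.0;
35 Memory Capture Analysis 5 4 1 1 : 20.0; 36 Temperature Attack 5 4 1 1 : 20.0;
37 Radiation/R.F. Attack 5 4 1 1 : 20.0; 38 HW/Chip/Firmware Substitution 5 5 1 1 : 25.0;
40 Sequence Guessing 3 1 3 2 : 0.250; 41 Packet Sniffing 3 2 3 2 : 0.500;
42 Infrared/Wireless Capture 3 3 2 2 : 1.1; 43 Man-in-middle 5 3 1 2 : 3.8;
44 Traffic Analysis 5 4 2 1 : 10.0; 45 Covert Channel Acquisition 5 4 1 1 : 20.0;
46 CRL / OCSP Diddling 5 4 1 1 : 20.0; 49 Pwd File Tamper / Replace 3 2 2 3 : 0.010;
50 Malware Cleartext 3 3 2 3 : 0.015; 51 Spoofed Pwd Reset 4 3 2 3 : 0.020;
52 Session Hijack 4 1 3 2 : 0.030; 54 Packet Sniff/Cleartext Pwd 2 2 2 2 : 0.045;
55 Replay 4 2 2 2 : 0.091; 56 AuthN / AuthR Spoof 5 4 2 2 : 0.227;
58 Shoulder Surf 1 1 4 1 : 0.023; 59 Keyboard Logger 2 2 3 1 : 0.121;
60 Video/Audio Capture 2 2 2 1 : 0.182; 61 malware/spyware 3 3 3 1 : 0.273;
62 Fake Pwd Dialog 3 3 2 1 : 0.409; 63 Van Eck Phreaking 5 4 1 1 : 1.8;
65 Social Engineering 1 1 3 3 : 0.001; 66 Unlocked screen (host) 1 2 3 3 : 0.002;
67 Admin Collusion 3 2 2 3 : 0.010; 68 Bribe 1 4 1 3 : 0.013;
69 Unlocked screen (PC) 1 1 5 1 : 0.018; 70 Force 1 2 2 2 : 0.023;
71 Extortion 2 2 1 2 : 0.091; 72 Pwd Control Tampering 4 2 2 2 : 0.091;
73 Identity token Theft 2 1 1 1 : 0.182; 74 Fingerprint spoof (biometric) 4 2 1 2 : 0.182;
75 Disclosure / Written down 1 1 5 1 : 0.200; 76 Token Attack (e.g. magstripe) 5 4 1 2 : 0.455;
77 Physical impersonation 4 2 1 1 : 0.727; 78 Forged Identity Documents 3 3 1 1 : 0.818
"""

# Non-greedy name, then the four single-digit scores and the risk value.
ROW_RE = re.compile(r"^(\d{2}) (.+?) (\d) (\d) (\d) (\d) : (\d+(?:\.\d+)?)$")

def branch_for(number):
    """Name of the sub-tree (from the tree slide) a leaf attack belongs to."""
    return max((b for b in BRANCHES if b[0] < number), key=lambda b: b[0])[1]

def yields_cleartext(attack):
    """True for leaves under '47 Cleartext Acquisition'."""
    return attack.number >= 47

def parse_table(text=ATTACK_TABLE):
    """Parse every ';'-separated row; a malformed row raises ValueError."""
    attacks = []
    for entry in text.replace("\n", " ").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        m = ROW_RE.match(entry)
        if m is None:
            raise ValueError(f"unparseable row: {entry!r}")
        num = int(m.group(1))
        attacks.append(Attack(num, m.group(2), *map(int, m.group(3, 4, 5, 6)),
                              float(m.group(7)), branch_for(num)))
    return attacks

def ranked_by_risk(attacks):
    """Highest risk first: ascending R, ties broken by attack number."""
    return sorted(attacks, key=lambda a: (a.risk, a.number))

def rank_of(attacks, number):
    """1-based position of attack `number` in the risk ranking."""
    for pos, a in enumerate(ranked_by_risk(attacks), start=1):
        if a.number == number:
            return pos
    raise KeyError(number)

if __name__ == "__main__":
    table = parse_table()
    for pos, a in enumerate(ranked_by_risk(table)[:10], start=1):
        print(f"{pos:2d}. #{a.number:02d} {a.name:<30} R={a.risk:<6} {a.branch}")
    print("#19 Pwd Brute Force ranks", rank_of(table, 19), "of", len(table))
```

Run as a script it prints the ten highest-risk attacks, every one of which comes from the cleartext half of the tree, and shows password brute force ranked sixteenth; this is the point the later slides make about disclosure versus cracking.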
Password Analysis
Two camps of password controls
• Internal controls: length, composition, age, history
• External controls: encryption, hash, shadow file, physical security, expiry at reset, identification, host IDS, training, log file analysis…
• Three classes of attacks for which internal password controls are effective
 – Cracking: offline, dictionary or brute force
 – Guessing: online, attempting to log in as the user
 – Disclosure: user writing down password (yellow sticky attack)

Internal Password Controls
Minimum Length, History, Dictionary File, Composition, Minimum Age, Maximum Age
Myth: Internal password controls are effective against cracking.
False – largely worthless against cracking (with LANMAN/NTLM passwords)
WHAT!!??!!
Imagine you’re CISO of a university. You get a phone call: your main password file has been grabbed by a hacker.
Do you…
a) Assure the system admin that your passwords are long, strong, complex and highly resistant to cracking?
b) Change key passwords now.
Why strong passwords aren’t strong
• Remember the earlier password myth: T!$oc¥w~m9B¬sQ» is a better password than 39104 or yotozod
• Why is this a myth?
• Inverse relationship of disclosure:
 – Longer, more complex passwords are more likely to be written down
 – In fact, a minimum of 45% and a maximum of 90% of users will write down passwords
• Much higher incidence of disclosure than hacking
 – Cracking: very low incidence
 – Disclosure: 10,000 employees with 30-day password expiry will create 66,000 to 108,000 attacks per year

Why strong passwords aren’t strong
• Controls to prevent password cracking and guessing have an inverse relationship to controls for disclosure.
 – Cracking defeated: T4sf!Θd¥89¬dsdBs»/E7±deË10k}l«MM°
 – Disclosure defeated: flowers
 – Cracking assured: flowers
 – Disclosure assured: T4sf!Θd¥89¬dsdBs»/E7±deË10k}l«MM°
What is a strong password?
Provides a blended approach to the blended threats
Balances resistance to cracking, disclosure & guessing
Isn’t developed in isolation from environment
• What are you protecting?
• What are the most likely attacks?
• What environmental controls and safeguards are in place (external controls)?
In our analysis:
6-character alpha, non-dictionary, 30-day expiry, 5-history showed a 4-fold increase in password security over highly complex, traditional “strong password”
Increasing to 8 alpha characters was virtually identical to 6 alpha characters
Avoiding Future Myths
Prescriptive Approach
• Tuning the bologna meter
• Team diversity (cf. Bletchley Park)
• Missouri philosophy: Show me!
• Academia bridge
• Create a culture of questioning assumptions
Q&A
Surely, there must be questions???
Further Information
Contact info: dan.houser@isc2.org
Further info:
Houser, D., “Blended Threat Analysis: Passwords & Policy”, Information Security Management Handbook, 5th ed., Vol. 2, Auerbach Publications, December 2004.

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 

Debunking Information Security myths

  • 1. © Copyright 2006, Dan Houser, All rights reserved Debunking InfoSec Myths Dan Houser CISSP-ISSAP Director, (ISC)² March 2, 2010 Copyright © 2010 Daniel D. Houser Presumed copyright of DC Comics and Alex Ross Source: www.alexross.com/dblD/758.html
  • 2. © Copyright 2006, Dan Houser, All rights reserved Well…. Maybe not that kind of Mythbuster…
  • 3. Copyright © 2010 Daniel D. Houser • Of Shaman, Bones, Tea Leaves, Leeches & Poultrices • Best Practice • Lies, Damn Lies & Statistics • Detailed Dive into password mythology • Q&A Overview
  • 4. Shaman Without Shame Shaman • Tribal Group • Power = Reputation • Arcane & Secret Knowledge • Shaman gatherings to exchange knowledge • Early medicine & science • Wrath of gods for questioning the shaman and knowledge • Much error InfoSec Practitioner • Workgroup / Department • Power = Reputation • Best Practice & “Need to Know” shroud of secrecy • Information Security Conferences / Events • Early science • Wrath of security for questioning practices, opinions, findings • Much error
  • 5. Comfort with Being a Shaman? • We associate our profession with Computer Science • Calling it a science does not make it so • Very few practice science • Best Practice vs. Mythology Science vs. Dogma Show me the money Show me the data • Let’s examine mythology Courtesy Salmon Chanted Evening- 2001
  • 7. What can we learn of risk mythology? Risk Myths • Environment is critical – risk cannot be determined in isolation from the environment • Possibility not the same as Probability • A vulnerability without a threat is no risk • A threat without a threat agent poses no threat • Threat agents without capabilities pose no threats • A threat and vulnerability without value poses no risk
  • 8. Best Practice Best Practice? Best? For Who? Where? When? What? What security does the NSA need? What security does a limo company need? We must kill the mythology of Best Practice Sufficient practice? Good practice? Adequate steps? One recommendation: Appropriate & reasonable measures of due care
  • 9. Best Practice What makes for a good myth? - Misunderstanding of risk - Misunderstanding environment - No bologna detection - Lack of academic approach - Vendors have to eat
  • 10. More Bones, Leeches, and Poultices • Windows is less secure than Linux • Linux is less secure than Unix • Worms start in labs • Internet transactions must be encrypted to be protected • The contract will protect us • Internet is untrusted, core network is safe
  • 11. More Bones, Leeches, and Poultices • A firewall can offer me complete protection at the gateway. • My users are not smart enough to install and run rootkits, sniffers or password crackers • My users are smart enough not to fall for social engineering tactics • Network intrusion detection systems are sufficient to secure my network • Intrusion Prevention works • With that next silver bullet, we’ll be safe at last
  • 12. More Bones, Leeches, and Poultices • eMail security is not an issue for me because my state bar does not require lawyers to encrypt e-mail to preserve the attorney-client privilege • My users have antivirus software on their home PC - that's all I need to worry about • Only big corporations are targets for hackers • My developers and engineers have read our corporate security policy, and refer to it when making decisions
  • 13. More Bones, Leeches, and Poultices • Information security is a technical issue • The policies are written. My work here is done. • Adding another firewall will protect us • Adding another product will protect us • We’re good, it’s using SSL.
  • 14. Password Mythology Much mythology exists in password security • 30 day expiry is a good number • Long passwords = strong passwords • Definition of a strong password: – Mixed case, alphanumeric, special character, 10+ characters. – T!$oc¥w~m9B¬sQ» is a better password than 39104 or yotozod • Wait! You mean, it’s not? • Well no. Randomized, highly complex passwords are designed to defeat a single attack: password cracking through brute force. • How many attacks are there against passwords?
  • 15. How many password attacks?
    Each attack is scored S=Sophistication, C=Cost to attacker, L=Likelihood, i=Impact, R=Risk value (low R = high risk).
    Cracking
    01 Acquisition
    02 Host Attack
      03 Copying Passwd File: S=3 C=1 L=4 i=3, R=0.028
      04 Server/DASD Theft: S=2 C=2 L=2 i=3, R=0.074
      05 Buffer overflow: S=3 C=2 L=3 i=3, R=0.074
      06 Malware on host: S=3 C=3 L=3 i=3, R=0.111
      07 Database/index manipulation: S=3 C=2 L=2 i=3, R=0.111
      08 Code backdoor: S=3 C=3 L=2 i=3, R=0.167
      09 Time Manipulation: S=2 C=3 L=4 i=2, R=0.375
      10 SW Substitution: S=4 C=4 L=1 i=3, R=0.593
      11 Log Acquisition: S=3 C=1 L=4 i=1, R=0.750
      12 HW/Firmware Tamper: S=5 C=5 L=1 i=3, R=0.926
      13 Memory Capture: S=5 C=4 L=1 i=2, R=5.0
      14 Key Mgmt Attack: S=5 C=4 L=1 i=2, R=5.0
      15 Pointer manipulation: S=5 C=4 L=1 i=2, R=5.0
      16 Seed / IV Tampering: S=5 C=4 L=1 i=1, R=20.0
      17 Reverse Engineer host: S=5 C=4 L=1 i=1, R=20.0
    18 Offline Attack
      19 Pwd Brute Force: S=2 C=2 L=2 i=3, R=0.074
      20 Backup tape attack: S=3 C=2 L=2 i=3, R=0.111
      21 Social Engineer: S=1 C=1 L=2 i=2, R=0.125
      22 Crypto brute force: S=5 C=5 L=1 i=3, R=0.926
      23 Terrorist Attack (DOS): S=2 C=2 L=1 i=2, R=1.000
      24 Key Mgmt Attack: S=4 C=3 L=1 i=2, R=3.0
      25 LED/Optical Interception: S=5 C=4 L=1 i=1, R=20.0
      26 Emanation: S=5 C=5 L=1 i=1, R=25.0
    27 Client Attack
      28 Time Manipulation: S=2 C=1 L=2 i=1, R=1.000
      29 Cookie Tampering: S=3 C=2 L=2 i=1, R=3.0
      30 Malware on client: S=3 C=3 L=3 i=1, R=3.0
      31 SW Substitution: S=3 C=3 L=2 i=1, R=4.5
      32 Reverse Engineer: S=5 C=4 L=2 i=1, R=10.0
      33 Keystroke Timing Analysis: S=4 C=3 L=1 i=1, R=12.0
      34 Low/High Voltage Attack: S=5 C=4 L=1 i=1, R=20.0
      35 Memory Capture Analysis: S=5 C=4 L=1 i=1, R=20.0
      36 Temperature Attack: S=5 C=4 L=1 i=1, R=20.0
      37 Radiation/R.F. Attack: S=5 C=4 L=1 i=1, R=20.0
      38 HW/Chip/Firmware Substitution: S=5 C=5 L=1 i=1, R=25.0
    39 Network Attack
      40 Sequence Guessing: S=3 C=1 L=3 i=2, R=0.250
      41 Packet Sniffing: S=3 C=2 L=3 i=2, R=0.500
      42 Infrared/Wireless Capture: S=3 C=3 L=2 i=2, R=1.1
      43 Man-in-middle: S=5 C=3 L=1 i=2, R=3.8
      44 Traffic Analysis: S=5 C=4 L=2 i=1, R=10.0
      45 Covert Channel Acquisition: S=5 C=4 L=1 i=1, R=20.0
      46 CRL / OCSP Diddling: S=5 C=4 L=1 i=1, R=20.0
    47 Cleartext Acquisition
    48 Host Cleartext
      49 Pwd File Tamper / Replace: S=3 C=2 L=2 i=3, R=0.010
      50 Malware Cleartext: S=3 C=3 L=2 i=3, R=0.015
      51 Spoofed Pwd Reset: S=4 C=3 L=2 i=3, R=0.020
      52 Session Hijack: S=4 C=1 L=3 i=2, R=0.030
    53 Network Cleartext
      54 Packet Sniff/Cleartext Pwd: S=2 C=2 L=2 i=2, R=0.045
      55 Replay: S=4 C=2 L=2 i=2, R=0.091
      56 AuthN / AuthR Spoof: S=5 C=4 L=2 i=2, R=0.227
    57 Client Cleartext
      58 Shoulder Surf: S=1 C=1 L=4 i=1, R=0.023
      59 Keyboard Logger: S=2 C=2 L=3 i=1, R=0.121
      60 Video/Audio Capture: S=2 C=2 L=2 i=1, R=0.182
      61 Malware/spyware: S=3 C=3 L=3 i=1, R=0.273
      62 Fake Pwd Dialog: S=3 C=3 L=2 i=1, R=0.409
      63 Van Eck Phreaking: S=5 C=4 L=1 i=1, R=1.8
    64 Offline
      65 Social Engineering: S=1 C=1 L=3 i=3, R=0.001
      66 Unlocked screen (host): S=1 C=2 L=3 i=3, R=0.002
      67 Admin Collusion: S=3 C=2 L=2 i=3, R=0.010
      68 Bribe: S=1 C=4 L=1 i=3, R=0.013
      69 Unlocked screen (PC): S=1 C=1 L=5 i=1, R=0.018
      70 Force: S=1 C=2 L=2 i=2, R=0.023
      71 Extortion: S=2 C=2 L=1 i=2, R=0.091
      72 Pwd Control Tampering: S=4 C=2 L=2 i=2, R=0.091
      73 Identity token Theft: S=2 C=1 L=1 i=1, R=0.182
      74 Fingerprint spoof (biometric): S=4 C=2 L=1 i=2, R=0.182
      75 Disclosure / Written down: S=1 C=1 L=5 i=1, R=0.200
      76 Token Attack (e.g. magstripe): S=5 C=4 L=1 i=2, R=0.455
      77 Physical impersonation: S=4 C=2 L=1 i=1, R=0.727
      78 Forged Identity Documents: S=3 C=3 L=1 i=1, R=0.818
    We counted 68
  • 16. Password Attacks: Top Level Attack Tree
    Cracking
      01 Acquisition (attacks yielding ciphertext)
        02 Host Attack
        18 Offline Attack
        27 Client Attack
        39 Network Attack
      47 Cleartext Acquisition (attacks yielding CLEARTEXT)
        48 Host Cleartext
        53 Network Cleartext
        57 Client Cleartext
        64 Offline
  • 17. Password Attacks: Details, Acquisition
    Legend: Attack Name S C L i : R, where S = Sophistication, C = Cost to attacker, L = Likelihood, i = Impact, R = Risk value (Low R = High Risk)
    01 Acquisition
    02 Host Attack
      03 Copying Passwd File: S=3 C=1 L=4 i=3, R=0.028
      04 Server/DASD Theft: S=2 C=2 L=2 i=3, R=0.074
      05 Buffer overflow: S=3 C=2 L=3 i=3, R=0.074
      06 Malware on host: S=3 C=3 L=3 i=3, R=0.111
      07 Database/index manipulation: S=3 C=2 L=2 i=3, R=0.111
      08 Code backdoor: S=3 C=3 L=2 i=3, R=0.167
      09 Time Manipulation: S=2 C=3 L=4 i=2, R=0.375
      10 SW Substitution: S=4 C=4 L=1 i=3, R=0.593
      11 Log Acquisition: S=3 C=1 L=4 i=1, R=0.750
      12 HW/Firmware Tamper: S=5 C=5 L=1 i=3, R=0.926
      13 Memory Capture: S=5 C=4 L=1 i=2, R=5.0
      14 Key Mgmt Attack: S=5 C=4 L=1 i=2, R=5.0
      15 Pointer manipulation: S=5 C=4 L=1 i=2, R=5.0
      16 Seed / IV Tampering: S=5 C=4 L=1 i=1, R=20.0
      17 Reverse Engineer host: S=5 C=4 L=1 i=1, R=20.0
    18 Offline Attack
      19 Pwd Brute Force: S=2 C=2 L=2 i=3, R=0.074
      20 Backup tape attack: S=3 C=2 L=2 i=3, R=0.111
      21 Social Engineer: S=1 C=1 L=2 i=2, R=0.125
      22 Crypto brute force: S=5 C=5 L=1 i=3, R=0.926
      23 Terrorist Attack (DOS): S=2 C=2 L=1 i=2, R=1.000
      24 Key Mgmt Attack: S=4 C=3 L=1 i=2, R=3.0
      25 LED/Optical Interception: S=5 C=4 L=1 i=1, R=20.0
      26 Emanation: S=5 C=5 L=1 i=1, R=25.0
    27 Client Attack
      28 Time Manipulation: S=2 C=1 L=2 i=1, R=1.000
      29 Cookie Tampering: S=3 C=2 L=2 i=1, R=3.0
      30 Malware on client: S=3 C=3 L=3 i=1, R=3.0
      31 SW Substitution: S=3 C=3 L=2 i=1, R=4.5
      32 Reverse Engineer: S=5 C=4 L=2 i=1, R=10.0
      33 Keystroke Timing Analysis: S=4 C=3 L=1 i=1, R=12.0
      34 Low/High Voltage Attack: S=5 C=4 L=1 i=1, R=20.0
      35 Memory Capture Analysis: S=5 C=4 L=1 i=1, R=20.0
      36 Temperature Attack: S=5 C=4 L=1 i=1, R=20.0
      37 Radiation/R.F. Attack: S=5 C=4 L=1 i=1, R=20.0
      38 HW/Chip/Firmware Substitution: S=5 C=5 L=1 i=1, R=25.0
    39 Network Attack
      40 Sequence Guessing: S=3 C=1 L=3 i=2, R=0.250
      41 Packet Sniffing: S=3 C=2 L=3 i=2, R=0.500
      42 Infrared/Wireless Capture: S=3 C=3 L=2 i=2, R=1.1
      43 Man-in-middle: S=5 C=3 L=1 i=2, R=3.8
      44 Traffic Analysis: S=5 C=4 L=2 i=1, R=10.0
      45 Covert Channel Acquisition: S=5 C=4 L=1 i=1, R=20.0
      46 CRL / OCSP Diddling: S=5 C=4 L=1 i=1, R=20.0
  • 18. Password Attacks: Details, Cleartext Acquisition
    Legend: Attack Name S C L i : R, where S = Sophistication, C = Cost to attacker, L = Likelihood, i = Impact, R = Risk value (Low R = High Risk)
    47 Cleartext Acquisition
    48 Host Cleartext
      49 Pwd File Tamper / Replace: S=3 C=2 L=2 i=3, R=0.010
      50 Malware Cleartext: S=3 C=3 L=2 i=3, R=0.015
      51 Spoofed Pwd Reset: S=4 C=3 L=2 i=3, R=0.020
      52 Session Hijack: S=4 C=1 L=3 i=2, R=0.030
    53 Network Cleartext
      54 Packet Sniff/Cleartext Pwd: S=2 C=2 L=2 i=2, R=0.045
      55 Replay: S=4 C=2 L=2 i=2, R=0.091
      56 AuthN / AuthR Spoof: S=5 C=4 L=2 i=2, R=0.227
    57 Client Cleartext
      58 Shoulder Surf: S=1 C=1 L=4 i=1, R=0.023
      59 Keyboard Logger: S=2 C=2 L=3 i=1, R=0.121
      60 Video/Audio Capture: S=2 C=2 L=2 i=1, R=0.182
      61 Malware/spyware: S=3 C=3 L=3 i=1, R=0.273
      62 Fake Pwd Dialog: S=3 C=3 L=2 i=1, R=0.409
      63 Van Eck Phreaking: S=5 C=4 L=1 i=1, R=1.8
    64 Offline
      65 Social Engineering: S=1 C=1 L=3 i=3, R=0.001
      66 Unlocked screen (host): S=1 C=2 L=3 i=3, R=0.002
      67 Admin Collusion: S=3 C=2 L=2 i=3, R=0.010
      68 Bribe: S=1 C=4 L=1 i=3, R=0.013
      69 Unlocked screen (PC): S=1 C=1 L=5 i=1, R=0.018
      70 Force: S=1 C=2 L=2 i=2, R=0.023
      71 Extortion: S=2 C=2 L=1 i=2, R=0.091
      72 Pwd Control Tampering: S=4 C=2 L=2 i=2, R=0.091
      73 Identity token Theft: S=2 C=1 L=1 i=1, R=0.182
      74 Fingerprint spoof (biometric): S=4 C=2 L=1 i=2, R=0.182
      75 Disclosure / Written down: S=1 C=1 L=5 i=1, R=0.200
      76 Token Attack (e.g. magstripe): S=5 C=4 L=1 i=2, R=0.455
      77 Physical impersonation: S=4 C=2 L=1 i=1, R=0.727
      78 Forged Identity Documents: S=3 C=3 L=1 i=1, R=0.818
  • 19. Password Analysis Two camps of password controls • Internal controls: length, composition, age, history • External controls: encryption, hash, shadow file, physical security, expiry at reset, identification, host IDS, training, log file analysis….. • Three classes of attacks for which internal password controls are effective – Cracking: offline, dictionary or brute force – Guessing: online, attempting to login as the user – Disclosure: user writing down password (yellow sticky attack)
  • 20. Internal Password Controls Myth: Internal Password Controls are effective against cracking. False - Largely worthless against cracking (with LANMAN/NTLM passwords) WHAT!!??!! Imagine you’re CISO of a university. You get a phone call – your main password file has been grabbed by a hacker. Do you… a) Assure the system admin that your passwords are long, strong, complex and highly resistant to cracking? b) Change key passwords now. Internal controls: Minimum Length • History • Dictionary File • Composition • Minimum Age • Maximum Age
  • 21. Password Analysis Two camps of password controls • Internal controls: length, composition, age, history • External controls: encryption, hash, shadow file, physical security, expiry at reset, identification, host IDS, training, log file analysis….. • Three classes of attacks for which internal password controls are effective – Cracking: offline, dictionary or brute force – Guessing: online, attempting to login as the user – Disclosure: user writing down password (yellow sticky attack)
  • 22. Why strong passwords aren’t strong • Remember earlier password myth: T!$oc¥w~m9B¬sQ» is a better password than 39104 or yotozod • Why is this a myth? • Inverse relationship of disclosure: – Longer, more complex passwords are more likely to be written down – In fact, minimum of 45%, maximum of 90% of users will write down passwords • Much higher incidence of disclosure than hacking – Cracking: very low incidence – Disclosure: 10,000 employees, with 30 day password expiry will create 66,000 to 108,000 attacks per year
  • 23. Why strong passwords aren’t strong • Controls to prevent password cracking and guessing have an inverse relationship to controls for disclosure. – Cracking defeated: T4sf!Θd¥89¬dsdBs»/E7±deË10k}l«MM° – Disclosure defeated: flowers – Cracking assured: flowers – Disclosure assured: T4sf!Θd¥89¬dsdBs»/E7±deË10k}l«MM°
  • 24. What is a strong password? Provides a blended approach to the blended threats Balances resistance to cracking, disclosure & guessing Isn’t developed in isolation from environment • What are you protecting? • What are the most likely attacks? • What environmental controls and safeguards are in place (external controls)? In our analysis: 6-character alpha, non-dictionary, 30-day expiry, 5-history showed a 4-fold increase in password security over highly complex, traditional “strong password” Increasing to 8 alpha characters was virtually identical to 6 alpha characters
  • 25. Avoiding Future Myths Prescriptive Approach • Tuning the bologna meter • Team diversity (c.f. Bletchley Park) • Missouri philosophy: Show me! • Academia bridge • Create a culture of questioning assumptions
  • 26. Q&A Surely, there must be questions???
  • 27. Further Information Contact info: dan.houser@isc2.org Further info: Houser, Blended Threat Analysis: Passwords & Policy, Information Security Management Handbook, 5ed, Vol2. 12/2004, Auerbach Publications.