6/15/2005 -- Everyone knows that keeping user passwords secure is crucial to a secure network. For years you’ve been required to implement passwords that are long and complex enough to beat password crack tools. With the advent of Rainbow Tables, the requirements to make passwords longer and more complex have increased. In this article I'll discuss some methods you can implement to make your passwords more secure against Rainbow Tables.

What Is a Rainbow Table?
Rainbow Tables are pre-generated hash tables that include the hash results of all the different combinations of password characters and lengths possible. The tables bypass the concept of brute-force attacks which are used by older crack tools such as L0phtcrack. Rainbow Tables can determine passwords up to 12 times faster than other crack tools, as they only require that a comparison be made, unlike a brute-force attack. (You can read more about Rainbow Tables here).

Defending with Windows Settings
A default user password in a Windows Server 2003 Active Directory domain has the following requirements:

• At least seven characters long
• Must contain three of the four different types of characters (upper case, lower case, numeric, special)
• Can’t include the username
• Can’t include the logon name

To defend against Rainbow Tables, you need to increase the password length to the maximum length possible, yet short enough for users to memorize. Keep in mind that a seven-character password is not that difficult to crack using Rainbow Tables. Therefore, you should keep your minimum password length between 12 to 20 characters. We’ll talk about how users will work with these longer passwords in just a minute.

Your domain controllers will enforce these password restrictions for all domain user accounts. Unfortunately, domain controllers do two things that make even strong and complex passwords vulnerable. To protect against domain controllers performing these two fatal mistakes, you’ll want to configure the following two Group Policy Object (GPO) settings, which are both located at the following node in a GPO:

  Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options

• Network Security: LAN Manager authentication level - This setting by default forces the domain controller to also send the LM password hash to the client when a user authenticates. This password is extremely weak and can be cracked with L0phtcrack very quickly, even without Rainbow Tables. This setting should be set to not send LM responses and to refuse any LM authentication requests.
  
• Network Security: Do not store LAN Manager hash value on next password change - This setting by default forces the domain controllers to store the LM password hash, even if the client that authenticated the user is using a more secure authentication protocol such as NTLMv2 or Kerberos. To prohibit the domain controllers from storing the weak LM password hash, configure this policy as Enabled.

Helping Users with Longer Passwords
Instead of thinking of long passwords, such as "Ty6$nM#4s," consider using passphrases. A passphrase looks something like:

  Boston Red Sox in 2004

or:

  I live in AZ where the average temperature is 105 degrees

Notice that this is much easier to remember than the password that was just referenced. Also, this passphrase meets all the requirements for length and complexity. Users will be able to remember their passphrases much easier than shorter passwords that are simple words with no contextual meaning. With longer passphrases, Rainbow Tables don’t have much of a chance in getting to us.

Goodbye Rainy Days
Rainbox Tables are a great idea and effective against most user passwords; but as the passwords increase in length so do the table sizes, making the tool more and more ineffective. With Windows settings that can prohibit the use of weak LM password hashes along with increased password lengths, Rainbow Tables lose their ability to break our passwords. (If you need more assistance with getting passphrases to work with your system, go here.)