1

I have always used long passphrases for my own Windows user accounts. But I know some people who use moderately common passwords (we'll say they're in the top 1,000 most used passwords, but not in the top 100).

From Why do we lock our computers?, I see that locking protects you from attackers who are unskilled or not prepared, and can even slow down prepared attackers for a few minutes. But if a capable attacker is alone with your computer for any extended period of time, they can get in if you don't have full-disk encryption.

Does it make sense to use a strong account password (that is, something not in any password list)? Nobody is going to try the top 1,000 passwords if they're alone with your computer for a few minutes, and if they're with your computer for longer than that they can use other means.

Suppose RDP is disabled on the computer and the administrator account has a lengthy, unique passphrase. We'll also suppose that the user's password is not one they use elsewhere. Is there any attack that becomes easier if a non-administrator user password is in a list of common passwords?

Fire Quacker
  • 2,432
  • 1
  • 19
  • 29
  • password strength (entropy) does so much more for your security than prevent somebody from manually logging in by trying random passwords at your log-in screen. This topic is way too large for me to cover in one answer on stack exchange though... – DarkMatter Jul 05 '19 at 16:52
  • Corporate accounts often have access to email's, which may contain sensitive information (although email is not meant to store such information, it does happen.... a lot!) Single Sign On to other applications is another example why users should be required to have strong passwords. Passwords in the top 1000 list are not considered strong. – Jeroen Jul 05 '19 at 18:07
  • @Jeroen-ITNerdbox In this particular case, we'll suppose that this is a local user account, not a domain account. So it's not tied to anything not on the computer itself (other than whatever programs happen to be left open and signed in--but again, an attacker could use other means to get into the computer and access those). – Fire Quacker Jul 05 '19 at 18:24
  • Alright, I did not catch on to that in your message. Browser cache, history and saved credentials would also be available to an attacker in this scenario. Even credentials to shares or their hashes would be available. Also from an audit trail perspective, this is considered a bad practice. Impersonation attacks as we call them. – Jeroen Jul 05 '19 at 20:44

1 Answers1

2

Here's the thing: If you're not using full-disk encryption, an attacker can boot from a live OS and plant malware in less than ~2 minutes on any account. Even the administrator account! If encryption is not enabled, a strong admin password does nothing.

So full-disk encryption should always be used.

However, it's good practice in general to always use long and strong passwords. Users should be in the habit of doing this. The layperson doesn't understand much of how computer security works. They don't know or care whether or not a computer is encrypted. But if they're in the habit of using longer passwords, this makes their systems more secure the moment that encryption is enabled.

If full-disk encryption is enabled, the password length/strength will determine how long it takes an attacker to decrypt data.

Also, using a longer or more complicated password makes it harder for someone to stand over your shoulder and just take note of your password as you're typing it in. You'd be surprised at just how many times this simple attack is successful in corporate environments.

Also,

Nobody is going to try the top 1,000 passwords if they're alone with your computer for a few minutes

Ever heard of ophcrack? If you use one of the top 1000 most used passwords, it can be cracked within seconds. However, this attack can also be mitigated by using full-disk encryption.

If full-disk encryption is not used, using a stronger password prevents only the attacks that require the least amount of skill, such as ophcrack, wherein a script kiddie basically only has to boot from a disk and it'll do the rest by itself. The system still remains vulnerable to many other attacks, such as the one which uses a live OS.

Edit: As OP very correctly points out, having a strong admin password on an unencrypted PC only helps in case an attacker has gained remote access to a non-admin account, which makes privilege escalation attacks harder, and any unauthorized access to data or planted malware remains limited to the single non-admin account that was compromised.

undo
  • 2,075
  • 2
  • 12
  • 18
  • Shoulder-surfing is a good point. As for ophcrack, if the attacker could run ophcrack, couldn't they reset the password already? But ophcrack could be faster (and leave fewer tracks). The admin password should make it harder to escalate privileges in cases where an attacker does not have physical access (ie, they have RCE as the non-admin user). _Users should be in the habit of doing this [using long passwords]_ - That is _so_ hard to convince people of. About 90% of the people I've discussed passwords with think I'm a paranoid freak. – Fire Quacker Jul 05 '19 at 19:18
  • 1
    @AndrewMyers `ophcrack` is actually slower than resetting the password, but it indeed leaves fewer tracks (if any). RCE as a non-admin user is also good point, I was (perhaps wrongly) approaching the question as if the attacker has physical access to the system. I understand that it's hard to convince people to use strong password - humans are lazy animals after all - but we shouldn't give up. – undo Jul 05 '19 at 19:28