VP of IT claims he unhashed 100% of all 16k employees' PWs. Is he lying to us?
The only realistic way that 100% of passwords got cracked is if you're storing LM hashes on windows. LM hashes split into 2 seven character chunks making brute force/rainbow table attacks practicable (they're also case insensitive for added ease). Rainbow tables exist for this and it's easily do-able.
Outwith that, anyone with 10+ character passwords that aren't in a dictionary (or findable by mutating dictionary words) aren't going to get cracked on any reasonable system, even with weak algorithms (e.g. md5) and no salt. AFAIK rainbow tables aren't practical on passwords that long (for reference free rainbow tables have a 2.8 TB pack of MD5 hashes which tops out at some nine character passwords (not full char set).
One point I would make is that if I was the VP of IT I'd be concentrating on getting rid of LM hashes rather than just telling people about good password practices for the very reason that he was able to retrieve 100% of passwords :)
There's a few possibilities here, some of which have already been called out. Any of these would make it fairly trivial for your VP (IT) to have "decrypted all user passwords" regardless of the definition he's using for "decrypted".
- The passwords in question are, in fact, being stored with reversible encryption.
- Your VP may be referring to passwords for an in-house web application, where they chose to use encryption rather than hashing.
- Your VP may actually be referring to Windows passwords, and your company's group policy enables storage with reversible encryption.
- The passwords your VP is referring to are stored using weak hashing algorithms, and/or are being hashed without per-user salts.
- The LM hash is one example of a weak algorithm, which is common to Windows implementations that are optimized for backwards-compatibility.
- Failure to use a per-user salt makes dictionary & rainbow table attacks much easier.
- The passwords your VP is referring to may actually be stored in plaintext, and he's just saying they were "decrypted" to hide the fact that they were never encrypted/hashed in the first place.
- Your company's employees actually do all use very weak passwords.
- Regardless of how random your password is, 8 characters has not been considered "strong" for quite some time.
I consider item 4 on that list to be rather unlikely, so unless any of the other three are true it is quite possible your VP is exaggerating just a bit. However, unless you have the ear of someone at the C-level of your company, I doubt there's much you can do to change anything except the actual strength of your own password. To that end:
- Some people say "12 is the new 8". I say go for 15. This will not only make the password naturally stronger, but it will also prevent Windows from storing it in the weak LM hash format. The LM hash can only handle passwords up to 14 characters long. Windows may throw a warning message when you change your password to be 15 characters or more in length, but this can (in most cases) be safely ignored.
- Don't use the same password across multiple applications. At the very least, I suggest keeping your work password different from passwords used for personal accounts. Ideally, no two applications should use the same password.
- Keep up the rest of the good stuff you're doing. Randomly generating your passwords from a full ASCII character set is great. Just make sure that the end product includes all four character types, and no real words.
"Decrypted" is not the right term. That is, the passwords might be encrypted instead of being hashed, but then decryption would be straightforward by whoever knows the encryption key (which is also the decryption key); it would make no sense to apply cracking tools like John the Ripper.
Therefore, your VP is using approximate terminology. It is thus plausible that he might have used approximate syntax and grammar as well. Most probably, they submitted the 10k+ passwords to the cracking tools, and broke some of them (a substantial enough proportion to mandate a VP intervention, but not all of them). His use of "all" is just, let's say, overly emphatic enthusiasm.
Now I am ready to believe that he could broke half of the passwords. It has been documented that the Morris worm, back in 1988, could break about 10% of existing passwords with a dictionary of less than a thousand words...