
Thread: Some Password Myths To Note

  1. #1

    Ensuring your password security... Some Password Myths To Note:

    Which ones did you believe to be true?

    Myth #1: My Password Hashes Are Safe When Using NTLMv2
    Windows 2000 still often sends LM or NTLM hashes over the network, and NTLMv2 is also vulnerable to in-transit (also known as replay) attacks. And since LM and NTLM password hashes are still stored in the registry, you will still be vulnerable to attacks against the SAM... It will still be some time until we are completely free from the grips of LanManager. Until then, do not assume that your password hashes are safe.

    Myth #2: Dj#wP3M$c is a Great Password
    A common myth is that totally random passwords spit out by password generators are the best passwords. This is not true. While they may in fact be strong passwords, they are usually difficult to remember, slow to type, and sometimes vulnerable to attacks against the password generating algorithm. It is easy to create passwords that are just as strong but much easier to remember. Patterns, repetition, rhymes, humor, phone numbers, addresses, names, file paths, email addresses and even offensive words all make passwords that we will never forget.

    Myth #3: 14 Characters is the Optimal Password Length
    With newer versions of Windows, Windows 2000 and XP passwords can now be up to 127 characters in length, so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.
    With this in mind, going longer than 14 characters may be good advice. But if you want to enforce very long passwords using group policy or security templates, don't bother - neither will allow you to set a minimum password length greater than 14 characters.

    Myth #4: J0hn99 is a Good Password
    A better approach is to be less predictable. Rather than replacing "o" with "0", try replacing "o" with two characters such as "()" as in "j()hn". And of course, making your password longer will make it even stronger.

    Myth #5: Eventually Any Password Can Be Cracked
    Yes, eventually any password can be cracked, but eventually may not fall in your lifetime. So unless you have the Government hacking away at your passwords, chances are you are pretty safe. Of course, advances in computing power may some day make this myth a reality.

    Myth #6: Passwords Should be Changed Every 30 Days
    Requiring frequent password changes often causes users to develop predictable patterns in their passwords or use other means that will actually decrease the effectiveness of their passwords. A more realistic time for the average user may be 90-120 days. If you give users more time, you may find it easier to convince them to use better passwords.

    Myth #7: You Should Never Write Down Your Password
    Sometimes passwords need to be documented. It's not uncommon to see a company in a panic because their admin just quit, and he's the only one who knows the server password. You should discourage writing down passwords in many situations, but if writing them down helps or is necessary, be smart about it. Consider allowing users to save passwords in software-based password storage utilities. These utilities allow a user to store many account passwords in one central location, locked with a master password. If you know the master password, you gain access to your entire list of passwords. But before allowing users to save passwords in such tools, consider the risks: first, it is software-based and therefore can itself become a target of attack, and, second, since it is all based on a single master password, that password becomes a single point of failure for all the user's passwords. The best technique is to combine technology, physical security, and company policy. A sticky note on the monitor is not a good policy.

    Myth #8: Passwords Cannot Include Spaces
    It will make your password more complex, but it does nothing to help you pass Windows complexity requirements... One drawback with spaces is that the spacebar makes a unique noise when tapped. It is not hard to hear when someone uses a space in their password. So use spaces, but don't overuse spaces.

    Myth #9: Always Use Passfilt.dll
    Passfilt.dll is a component that will enforce strong user passwords. Some users may find it frustrating when their passwords are rejected because they are not complex enough. Even experienced administrators have likely had to enter multiple passwords before finally getting one that does pass complexity requirements. Frustrated users certainly are not going to be giving you or your password policy much support.

    Myth #10: Use ALT+255 for the Strongest Possible Password
    It is common to see recommendations to use high-ASCII characters as the ultimate password tip. High-ASCII characters are those that cannot normally be typed on a keyboard but are entered by holding down the ALT key and typing the character's ASCII value on the numeric keypad. For example, the sequence ALT-0255 creates the character <ÿ>. A five-character password made up of high-ASCII characters will require 25 keystrokes to complete. With 255 possible codes for each character and five characters, the total possible combinations are 255^5 (or 1,078,203,909,375). However, a 25-character password made up of only lower-case letters has 26^25 (or 236,773,830,007,968,000,000,000,000,000,000,000) possible combinations. Clearly, you are better off just making longer passwords.
    http://www.securityfocus.com/infocus/1554
    Last edited by RachieBabie; Jan 21, 2007 at 09:05 AM.
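    The LM-hash point in Myth #3 doubles as a quick audit check: any account whose stored LM hash is something other than the null constant has a password of 14 characters or fewer and is exposed to LM brute force. The following is an added example, not code from the post or from the SecurityFocus article; it scans a constructed hash dump in the common "user:rid:LM:NT:::" layout, and every hex value in it other than the null LM constant quoted above is a made-up placeholder.

```python
import re

# The constant Windows stores in the LM field when no LM hash exists
# (password of 15+ characters, or LM hash storage disabled), from the post.
NULL_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"

# Constructed sample dump. Layout assumed: user:rid:LM:NT:::
# All hex other than NULL_LM_HASH is placeholder data, not a real hash.
SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
svc_backup:1001:FEDCBA9876543210FEDCBA9876543210:89ABCDEF0123456789ABCDEF01234567:::
jsmith:1002:aad3b435b51404eeaad3b435b51404ee:76543210FEDCBA9876543210FEDCBA98:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_dump(text):
    """Yield (user, rid, lm, nt) tuples; hashes are upper-cased so that
    tools which emit lowercase hex compare equal to NULL_LM_HASH."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue  # skip blank or malformed lines
        yield parts[0], parts[1], parts[2].upper(), parts[3].upper()


def lm_status(lm_hash):
    """Classify the LM field: 'null' (the 15+ char constant), 'present'
    (a real LM hash, i.e. crackable with the weak LM algorithm), or
    'none' (a non-hex marker such as an empty-password placeholder)."""
    if lm_hash == NULL_LM_HASH:
        return "null"
    if HEX32.match(lm_hash):
        return "present"
    return "none"


def audit(text):
    """Return the sorted account names that still have a real LM hash
    stored and therefore need a 15+ character password (or LM disabled)."""
    return sorted(user for user, _rid, lm, _nt in parse_dump(text)
                  if lm_status(lm) == "present")


if __name__ == "__main__":
    for user in audit(SAMPLE_DUMP):
        print(f"{user}: LM hash present; password is 14 chars or fewer")
```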

  2. #2

    Now this I never knew... always thought you cannot have spaces in your passwords... even more so, to know you can either begin or end with a space.

    Myth #8: Passwords Cannot Include Spaces

    Although most users do not realize it, both Windows 2000 and Windows XP allow spaces in passwords. In fact, if you can view a character in Windows, you can use that character in a password. Therefore, spaces are perfectly valid password characters. However, due to how some applications trim spaces, it is often best not to begin or end your password with a space.

  3. #3

    Last edited by Utech22; Jan 21, 2007 at 09:03 AM.
