Should You Write Down Your Passwords?

  • The password quandary, it's one dynamic subject. Well, I'd just like to address the complexity and cracking portions. Complexity ... well, we require 3 of the 4 following criteria: upper case/lower case/number(s)/special character(s), and a minimum length of 8 is the site standard here for normal users. Now for those in systems administrative positions (Windows Admins & SQL Admins like myself) the same requirements apply but the length is 12.

    Our password policy for changes is every 90 days for users, every 45 days for administrators, with a password memory of the last 10 or 12. I personally have domain user, domain admin and enterprise admin accounts to remember.

    All of them are 16 characters long and they are not written down, nor do I have them memorized! How do I do it? Well, they are just shifting patterns of 2 to 4 keys on both the right and left hands that get randomly performed.

    Here is a simple example:

    left hand does 12er

    right hand does .,LK

    left hand does zxcv

    right hand does -0po

    Nonsensical and simple, but it works. One could even skip keys, go across rows diagonally or even type a box or a rectangle (just imagine your keyboard is a primitive dot matrix). After 2 or 3 times it's almost like an automatic reflex. Then again, you could go with pass phrases, but the old Unix geek in me hates to type!

    Now on to 'cracking' ... we just performed an audit using L0phtCrack with all the dictionaries and hash tables that were available. Within less than 1 day it had figured out 95% of our organization's 1500 Windows accounts. The remaining accounts took another 2 days. However, there were 4 accounts that could not be deciphered (2 of them were mine). My manager killed the 'crack' process after it had run for 1 week (the server it ran on was a DL580 with quad 3.0 GHz Xeons and 4 GB of RAM, not a wimpy box). What we found out was that the secret for most Windows 'cracks' was that the password had to be less than 14 characters (remember LanMan?). It seems that 2 versions of your encrypted password are stored: one LanMan (if it's 14 or fewer characters) and the Windows-encrypted one (up to 128 characters). All of the passwords that were 'cracked' were via LanMan; a handful using brute-force dictionary attacks of Windows were also found. So the biggest thing one could do would just be to lengthen the password requirement to 15 or more characters. Now I'm thinking pass phrases again, but the smart part of me is thinking like a 'primitive oblong dot matrix with 48 to 102 pins' ...

    Rudy Komacsar * Senior System Engineer/Database Administrator * Porter

    Office: 219.531.7904 * Email: rudy.komacsar@porterhealth.org

    Regards, Rudy Komacsar, Senior Database Administrator. "Ave Caesar! - Morituri te salutamus."
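The policy and the LanMan observation in the post above, as an added example (not the poster's code): a checker for the stated rules (3 of 4 character classes, minimum length 8 for users and 12 for administrators) that also flags any password of 14 characters or fewer as one Windows will store an LM hash for, plus the LM preprocessing step that explains why such hashes fall so quickly. It assumes ASCII-only passwords and takes the poster's own 16-character pattern as sample input.

```python
"""Password-policy check and LM-hash exposure illustration (constructed example)."""

MIN_LENGTH = {"user": 8, "admin": 12}   # lengths stated in the post
LM_MAX_LENGTH = 14                       # LM hash exists only for passwords <= 14 chars
PRINTABLE_ASCII = 95                     # 0x20..0x7E
LM_ALPHABET = PRINTABLE_ASCII - 26       # case-folding collapses the 26 lowercase letters


def char_classes(password):
    """Return the set of character classes (upper, lower, digit, special) present."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_policy(password, role="user"):
    """Return a list of findings; an empty list means the password is acceptable.
    LM exposure is reported even though the stated policy would allow 8-14 chars."""
    findings = []
    if len(password) < MIN_LENGTH[role]:
        findings.append(f"shorter than the {MIN_LENGTH[role]} characters required for {role}")
    if len(char_classes(password)) < 3:
        findings.append("fewer than 3 of the 4 character classes")
    if len(password) <= LM_MAX_LENGTH:
        findings.append("14 characters or fewer: Windows will store an LM hash")
    return findings


def lm_halves(password):
    """LM preprocessing: uppercase, null-pad to 14 bytes, split into two 7-byte halves.
    Each half is hashed on its own, which is the structural weakness. Returns None when
    the password is too long for an LM hash to be stored at all (the 15+ char advice)."""
    if len(password) > LM_MAX_LENGTH:
        return None
    padded = password.upper().encode("ascii", "replace").ljust(LM_MAX_LENGTH, b"\x00")
    return padded[:7], padded[7:]


def lm_effective_keyspace():
    """(work to cover both LM halves independently, work for a full 14-char search)."""
    return 2 * LM_ALPHABET ** 7, PRINTABLE_ASCII ** 14


if __name__ == "__main__":
    sample = "12er.,LKzxcv-0po"          # the poster's four hand patterns joined
    print(check_policy(sample, "admin"), lm_halves(sample))
    print(check_policy("Passw0rd!", "user"), lm_halves("Passw0rd!"))
```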

  • Wow, thanx for the input.

  • Personally, it is getting kind of scary, for if someone really wants the info they could get it... someone said once here, locked doors only keep honest people out, and I think that stands.

    What would take the edge off of things if there is a problem is that the companies and people that could be notified, say the credit bureau, or the municipalities, have a softer stance on errors and omissions.

    For as we move further away from recording things on paper or something permanent, the less verifiability can be assumed about the data.

    Though I could see an end to the hardware layer being the point of blame. Maybe RAID 10 hard-disk cartridges (ten iPods strapped together might do), where in the event of a partial failure on the drive(s?) no data is lost.

    And arrays of these disks are reasonable; the consumer keeps one 'tied' to the home network for comparison of his personal data, a return where if your data at home and permission matches the data on the site in question then it can be opened. (Now this means obviously all people have homes... a much more difficult problem, I suspect.)

    Instead of 'you've got mail'... maybe 'you have an ...info request, do you accept... it is from Dr. Golfer and the medical institute to share your gall bladder info for a study...' etc. This system might bring a smile to my face.

    Have a great day everyone, and happy national sporting...
