What's a strong password .. really ?

  • The reason for the 14-character password in Windows things comes down to the old LanManager password hashes Microsoft used to use, which would split the password into two 7-character chunks and hash them separately. It was a lot easier to crack each 7-character chunk independently than to do the whole 14-character one!

    Modern Windows tends to keep these old hashes for backwards compatibility reasons, but if you choose a password longer than 14 characters, it doesn't calculate the LM hash properly and so there's no risk of someone brute-forcing even part of your password.

  • Paul - thanks for that. I had a feeling it was something Windowy and technical - I was just trying to get "more than 14 characters" into my head.

  • paul.knibbs (5/20/2009)


    The reason for the 14-character password in Windows things comes down to the old LanManager password hashes Microsoft used to use, which would split the password into two 7-character chunks and hash them separately. It was a lot easier to crack each 7-character chunk independently than to do the whole 14-character one!.

    Thanks Paul, thats interesting and useful to know.

    paul.knibbs (5/20/2009)


    Modern Windows tends to keep these old hashes for backwards compatibility reasons, but if you choose a password longer than 14 characters, it doesn't calculate the LM hash properly and so there's no risk of someone brute-forcing even part of your password.

    So this is still true in current versions then, including Windows Server?

    Tim

    .

  • While all these accounts are good for user passwords, you may want to consider a truly random and long password for service accounts and 'sa'. Anytime we install a new instance, we generate a long random 'sa' password and lock it in a secure file/location.

    Gaby________________________________________________________________"In theory, theory and practice are the same. In practice, they are not." - Albert Einstein

  • So this is still true in current versions then, including Windows Server?

    Tim

    By default, it is in 2000 and 2003. Not sure about 2008:

    http://support.microsoft.com/kb/299656

  • Tim Walker (5/20/2009)


    RBarryYoung (5/19/2009)


    What's a strong password .. really ?

    "Rumpelstiltskin". Definitely. 😀

    That made me chortle, we clearly have similar senses of humour (or some might say lack of it!) 😛

    Tim

    In my more mischievous youth (university), I cracked two email passwords of some friends. One was a former U.S. marine, and on a lark, I typed in 'oorah', their (un?)official yell. I got in. Sometimes it's just that easy.

    Gaby________________________________________________________________"In theory, theory and practice are the same. In practice, they are not." - Albert Einstein

  • Gaby Abed (5/20/2009)


    Anytime we install a new instance, we generate a long random 'sa' password and lock it in a secure file/location.

    You mean 'sa' should have a password.....?

    :hehe:

  • Ten Windows Password Myths

    http://www.securityfocus.com/infocus/1554

  • Nice link! I learned a few things.

  • Michael Valentine Jones (5/20/2009)


    Ten Windows Password Myths

    http://www.securityfocus.com/infocus/1554

    Thanks Michael, there are a few nuggets in there...

    Tim

    .

  • Ewan Hampson (5/20/2009)


    ... He also said that at conferences - even at IT security conferences - people often leave their laptops unattended long enough for their login passwords to be hacked by this method (and we didn't get more details - probably just as well).

    I think that you should take this with a grain of salt. The real threat to a laptop that is unattended for a few minutes isn't that some sophisticated hacker will jump on it and manage to crack your password, it's that anyone with two legs and a lack of ethics will pick it up and walk away.

    [font="Times New Roman"]-- RBarryYoung[/font], [font="Times New Roman"] (302)375-0451[/font] blog: MovingSQL.com, Twitter: @RBarryYoung[font="Arial Black"]
    Proactive Performance Solutions, Inc.
    [/font]
    [font="Verdana"] "Performance is our middle name."[/font]

  • Gaby Abed (5/20/2009)


    In my more mischievous youth (university), I cracked two email passwords of some friends. One was a former U.S. marine, and on a lark, I typed in 'oorah', their (un?)official yell. I got in. Sometimes it's just that easy.

    I did a project a while back for a mineral exploration company. Big boss there asked me to try and crack passwords, see how secure they were (sensitive data)

    I found three people with the password 'geology'

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • RBarryYoung (5/20/2009)


    Ewan Hampson (5/20/2009)


    ... He also said that at conferences - even at IT security conferences - people often leave their laptops unattended long enough for their login passwords to be hacked by this method (and we didn't get more details - probably just as well).

    I think that you should take this with a grain of salt. The real threat to a laptop that is unattended for a few minutes isn't that some sophisticated hacker will jump on it and manage to crack your password, it's that anyone with two legs and a lack of ethics will pick it up and walk away.

    True. And he didn't say he'd done it, just that the window of opportunity was there. Though there might be more commercial gain in determining the password for later use, leaving the laptop as it was, and tiptoeing quietly away.

  • You're right about the weakest link being the human. An eminently forgettable password is no use.

    My favorite mnemonic method is to take a quote, e.g. "To be or not to be, That is the question."

    With a few obvious substitutions, this converts naturally to the following inscrutable password:

    "2bon2b,Titq."

    (That is not my password, BTW!).

    When a password expires, I either pick another sentence or tweak some of the special characters.

    On the topic of raising awareness of the importance of password strength, I heard of a place where the sysadmin regularly ran a password cracking program. Those people with passwords which he couldn't break got an honorable mention!

    Mark Dalley

  • The way I like to make a password is to combine first and last names.

    John Smith becomes sJmoihtnh. Capitalize, as needed.

    Can be hard to remember, but is easy to refigure.

Viewing 15 posts - 16 through 30 (of 37 total)

You must be logged in to reply to this topic. Login to reply