Discussion on:

76
Comments

Is it ok if I get the password creation part into the company monthly newsletter?
Implementation
tim uk 18th Jan 2008
A few points:

Firstly, if you enable the password filter how does that affect existing users? I'm especially thinking of those who have only recently updated their passwords?
Secondly, what's the correlation between password complexity and users writing it down? It's widely understood to be directly proportional, but at what level does it cease to be trivial?
Thirdly, is there any research available on preventing recycling passwords and whether this actually improves or decreases security?

Thanks
Oops
tim uk 21st Jan 2008
That post of mine wasn't meant to be a reply to item 1, it should have been a new item. Anyone know how I can move it?
I've seen users write down passwords that were six-letter common words or names. There isn't as much correlation between complexity and writing as there is between writing and the number of other passwords the user has, or the user's comfort level with technology.
Did anyone ever respond about implementation of complex passwords?
I currently run an AD domain just using simple passwords and want to change to complex, however I'm not sure what will happen if I change my group policy settings. Will it force everyone to change their passwords at next login or will it wait for the current password to expire before requesting a change?
at least I remember several options when I was studying for my MCSE. Sorry I can't remember the details. Perhaps if you clicked the ask a question button on this discussion you would be better served by starting a new thread.

This is an old thread; not too many people watching it anymore, I suspect.
My personal favorite is to choose a phrase and then pick the first letter of each word. (E.g., "Mpfi2cap..." etc.). Ross Anderson did an experiment that discovered that passwords so constructed were easy to remember and almost as hard to crack as randomly chosen characters.

I describe this technique and 3 others in a 1999 paper called "Creating Good Passwords", available at
http://www.wideopenwest.com/~kwwall/presentations/security/good-passwords.html

Enjoy,
-kevin wall
How do you use the Win XP Pro's group policy to access the password filter?

stteng
I am sorry, but leet-speak is a very wrong way to go to remember your password. This is because all the major cracking programs are able to configure this option and still work through a word list. Most of the time, it is even just a switch to pass along when starting the program.

The best way to teach users to do this is by asking them to remember a song, and then take the first letters from each word.
From there you can use leet-speak or add characters to the word.
Leet speak is easy to guess - think about it, you are replacing obvious chars with obvious chars. Far better off using the above or just assign them a random password and enforce it for a full year - that way it can be complex and will never be broken, i.e.:

dkj@TREI(*89

You will be surprised how fast users can remember a complex password if they only have to remember one and don't have to renew it every 90 - 180 days.
Suppose I get a hold of your password hashes and I know you require 8 characters minimum.

I can now assume on the first brute force pass that users will use only lower case letters so my initial search space is 26^8 = 208,827,064,576. However if I know that at least one of those eight characters is required to be a digit, that search space is reduced to 26^7*10 = 80,318,101,760 which is only 40% of what I had to search before. How is that better?

Seems to me if you restrict the choices a user can make you reduce the total number of passwords a cracker has to search through.
First of all, your math is wrong. You are assuming that (a) there can only be one numeric digit and (b) it is always in the same location. Even if all the users simply append or prepend a single digit to a 7-letter password, but half the users put the digit in front and half put it behind, the total number of possibilities is double what you estimate. In reality, since there are 8 possible locations for the digit, the true number of passwords (assuming exactly one digit) is 26^7*10*8, which is about three times 26^8. If users are allowed two digits, the number of possibilities is 26^6*10^2*(8-choose-2).

Second, dictionary attacks don't work by trying every possible combination. They work by assuming that some users will have weak passwords and trying a large number of common passwords to see whose account they can break. Forcing a user to include a digit somewhere prevents an attacker from simply trying common dictionary words or simple variations thereof (there are only something like 800,000 words in the English language, for example - several orders of magnitude lower than the 200 billion figure you came up with).

Trying 200 billion combinations would take a loooong time without a dedicated supercomputer; you would need, on average, to try 100 billion of those combinations before getting lucky. There are approximately 33 million seconds in a year, which means 100 million every 3 years. 100 billion seconds would be 3000 years. So if you could try 10,000 combinations every second, you could crack a user's password, on average, every 4 months. It might be doable, but it's a lot of computing power to crack a single user account. And that, of course, is assuming exactly 8 lower-case alphabetic characters.
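The two posts above argue about the size of the search space. The following is an added example (not from either poster) that carries the arithmetic through with the thread's own numbers: 26 lowercase letters, 10 digits, length 8, and the constructed guess rate of 10,000 per second used in the reply. It also generalizes the reply's "exactly one digit, anywhere" count to exactly k digits and to "at least one digit".

```python
"""Password search-space arithmetic for the 8-character case discussed above.

Added example, not code from the thread. All counts are exact integers; the
time estimate assumes the reply's constructed rate of 10,000 guesses per
second and that the target is found halfway through the space on average.
"""
from math import comb

LOWER = 26    # a-z
DIGITS = 10   # 0-9
LENGTH = 8    # the 8-character minimum quoted in the thread


def all_lowercase(length=LENGTH):
    """Every string of `length` lowercase letters: 26^8 for the default."""
    return LOWER ** length


def naive_one_digit(length=LENGTH):
    """The first poster's figure: one digit in one fixed position, 26^7 * 10."""
    return LOWER ** (length - 1) * DIGITS


def exactly_k_digits(k, length=LENGTH):
    """Exactly k digits anywhere among the positions:
    C(length, k) * 26^(length-k) * 10^k.  k=1 is the reply's 26^7*10*8."""
    return comb(length, k) * LOWER ** (length - k) * DIGITS ** k


def at_least_one_digit(length=LENGTH):
    """All letter/digit strings minus the all-letter ones: 36^8 - 26^8."""
    return (LOWER + DIGITS) ** length - LOWER ** length


def average_days_to_crack(space, guesses_per_second=10_000):
    """Expected days at a constructed guess rate, hitting the target on
    average after half the space has been tried."""
    return (space / 2) / guesses_per_second / 86_400


if __name__ == "__main__":
    print(f"26^8 (all lowercase):          {all_lowercase():>20,}")
    print(f"26^7*10 (naive, digit fixed):  {naive_one_digit():>20,}")
    print(f"exactly one digit, anywhere:   {exactly_k_digits(1):>20,}")
    print(f"exactly two digits, anywhere:  {exactly_k_digits(2):>20,}")
    print(f"at least one digit:            {at_least_one_digit():>20,}")
    print(f"one-digit space / 26^8:        {exactly_k_digits(1) / all_lowercase():.2f}")
    print(f"avg days for 26^8 at 10k/s:    {average_days_to_crack(all_lowercase()):.0f}")
```

The ratio of the one-digit-anywhere space to 26^8 comes out at about 3.08, which is the "about three times" in the reply, and the full 26^8 space at 10,000 guesses per second averages roughly 121 days, the "every 4 months" figure. The practical lesson is the reply's second point rather than the arithmetic: real attacks start from word lists, so a rule that pushes passwords out of the dictionary matters far more than the marginal change in raw search space.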
Using real words, like a city name, is not a good idea. Substituting characters like ! for i and $ for s is no better. I thought most password-guessing algorithms performed these substitutions by default. I do like the BASE + approach, but we need to get to stronger BASES.
I think the article was well written. I am able to forward it to the junior technicians and they will be able to understand it, look at where the GPO is if they do not remember, and explain it to the customer base in a clear way. The thing that would have sent it over the edge is to have an attached PDF of a standard company policy for password security.
Others are right that password crackers try the substitutions of ! for 1, etc. In addition to using a base of first letters of a phrase or title, try inserting the special characters in fixed locations within the letters (not just first or last positions, which are also tried by crackers.) Of course, this is no help for applications that don't allow special characters, like Oracle Applications, for example.
If you're going to take on the effort of changing your company's mindset on password security, you might as well make the effort worthwhile. This is a great topic, but the suggestions here are weak sauce.

These password tips, at least from a Windows perspective and beyond the "do not write it down" portion, do nothing to effectively protect your passwords or strengthen overall security.

As long as your Windows environment allows LanMan hashing of passwords, most passwords, even those following the guidelines offered in this article here, can be cracked in SECONDS or minutes at the most. What's the difference if the passwords "password" and "p4$$W0rD3" can BOTH be cracked in less than a few minutes? Are you really safer because the more complex password took 8 minutes to crack while the simple one took 1 second?

At a bare minimum, shops should be eliminating LanMan hashing of their passwords and be moving to passphrases of at least 15 characters in length or more. Taking away LanMan hashes from being stored in the SAM will remove a lot of password cracking tools from a hacker's arsenal, but not all.
One of the things I remind my users of is that a phrase is much easier to remember and much harder to crack than any single word, and I've upped the minimum number of characters so that it is very difficult for them to use single words anyway. I also only make them change it twice a year, so that they don't have to remember something new every month, or couple of months, or have to write it down. Stickittotheman is much easier to remember than L0u!$v!113, and much harder for a dictionary program to crack.
phrases
catseverywhere@... 18th Jan 2008
Agreed. Everyone can come up with a unique phrase. Then substitutions and punctuation add to the complexity.

Then I can write down something like this:

s=$ i=! h=8 a=1 s=s s=$ a=! e=5

Reading characters as they come up in order, skipping to the next instance when appropriate, the above reminds me the phrase is:

Thi$ !s t8e p1s$ phr!s5.

Adding the normal convention of sentence structure and punctuation.

Crack that. Only problem is one must remember their phrase.

cat
Adding an additional character set adds an order of magnitude to the cracking time.

- all letters is very easy

- letters and numbers is much much stronger

- using letters, numbers, and special characters, even better

- upper/lower case, letters, numbers, and special characters is very strong, even at relatively short password lengths.

As a start, have users make up passwords that combine letters and words such as go2sleep2nite or close2home. Also, putting a year in there is an easy way to add numbers while making it easy to remember:
moonlanding1969. Now throw a ! or a $ or an underscore on the end and you've got a very strong yet easy to remember password.

Of course if the password is in a text file on their desktop or on a post-it on the backside of their keyboard, that somewhat nullifies the strong password....
Disclaimer: I'm no hashing or SAM (Security Accounts Manager - where Windows stores the hashes for users' passwords) expert, so please forgive my clumsiness in these descriptions. These are courtesy of Canaudit, who did some excellent pen testing for us...

Make sure your passphrase is at least 15 characters or more. This will do 2 things:
1) Prevent the storage of your password in the SAM from getting padded out to 14 characters with nulls. Your password will be stored in 2 ASCII words - 14 bytes - no matter what its actual length is. Windows will just pad out your password to meet the 14 char minimum length needed for storage of its hash value. If I know that passwords are padded out with nulls, and I see the last few hash values are the same at the end of the 2nd ASCII word of your password hash, then I can probably assume those are nulls. Now all I have to figure out is what value used to hash a null will produce that specific hash value. Once I have that, I can then decrypt the rest of the character's hash values. By going 14 or more characters, I've prevented a known value - a null - from being appended to the end of my password when it's hashed and stored in the SAM.

2) At least with Win2K, and probably with newer versions of Windows, using at least 15 characters would prevent LanMan hash values from being generated and stored for your password in the SAM. LanMan hashes are much easier to brute force than NTLM hashes, so take away the low-hanging fruit for the password cracker by making the password at least 15 characters in length. Of course if your admins are on top of security, and you have a native Windows AD, and you aren't supporting some ancient app on your network that might rely on the older LanMan hash, the network admins can simply disable LanMan hashing and increase the difficulty of brute forcing your network's SAM.

NOTE: Even if you take due diligence and follow all the best advice, Windows can still betray you. Our pen testers were able to grab a 17 character passphrase used by one of our network admins by scanning the LSA Secrets area of Windows. What killed me is Windows stored this passphrase in there in THE CLEAR! It was at that point where I really started to understand the beef against Microsoft and their security.
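Both the post above and the earlier one about LanMan hashing come down to one audit question: which accounts still have an LM hash stored, and which of those are under 8 characters? The following is an added example (not from either poster) that answers it from a pwdump-style export. It relies on two well-known constants: the LM hash of an empty 7-byte half is AAD3B435B51404EE, so a password shorter than 8 characters shows that value as its second half, and an account with no LM hash at all (LM storage disabled, or a password of 15 or more characters) shows it twice; the NT hash 31D6CFE0D16AE931B73C59D7E0C089C0 is that of an empty password. The sample lines are constructed, and every other hash value in them is a placeholder.

```python
"""Classify LM-hash exposure from a pwdump-style dump.

Added example, not code from the thread. Input lines follow the usual
user:rid:lmhash:nthash::: layout; the two constants below are the widely
known empty-half LM hash and the empty NT hash.
"""
EMPTY_LM_HALF = "AAD3B435B51404EE"          # LM hash of an all-null 7-byte half
EMPTY_LM = EMPTY_LM_HALF * 2                 # no LM hash stored at all
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of the empty password

# Constructed sample dump; hash values other than the two constants are
# placeholders and do not correspond to any real password.
SAMPLE_DUMP = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
bob:1002:1111111111111111AAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
carol:1003:22222222222222223333333333333333:0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F:::
guest:1004:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
"""


def classify(lm_hash, nt_hash):
    """Describe what the stored hashes reveal about one account."""
    lm = lm_hash.strip().upper()
    nt = nt_hash.strip().upper()
    if nt == EMPTY_NT:
        return "blank password"
    if lm == EMPTY_LM:
        return "no LM hash stored (LM disabled or 15+ chars)"
    if lm[16:] == EMPTY_LM_HALF:
        return "LM hash present, password shorter than 8 chars"
    return "LM hash present, password 8-14 chars"


def audit(dump_text):
    """Map each user in a pwdump-style text to its classification."""
    findings = {}
    for line in dump_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue  # not a hash line
        user, _rid, lm_hash, nt_hash = parts[:4]
        findings[user] = classify(lm_hash, nt_hash)
    return findings


if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_DUMP).items():
        print(f"{user:8} {verdict}")
```

Accounts in the "LM hash present" categories are the low-hanging fruit the posts describe. The fix is the policy setting "Network security: Do not store LAN Manager hash value on next password change" (or the 15-character minimum the post suggests); note the "on next password change" part, which is why an audit like this one is worth re-running after the rollout.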
phrases
jims04@... 18th Jan 2008
One of the things that I use and advise others, is to come up with a phrase with over 10 words and that contains some numbers. You can then take the first letter from each word, do substitutions, etc. For instance the phrase "I have watched all 6 of the Starwars movies about Luke Skywalker" can generate the password Ihwa6ot$maL$ where I substituted $ for capital S. You can expand this to take the first 2 letters or the first and the last letter of each word. As long as you remember your phrase and what substitutions you used, you can then get your password.
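The first-letter technique described here and in kevin wall's earlier post can be written down as a small tool, which is useful for checking that a phrase actually yields the character classes a policy demands. The following is an added example, not code from either poster: it keeps the first letter of each word (or the first and last letter), passes numbers through as digits, applies the user's own substitution map, and reports which character classes the result contains. The phrase and the S-to-$ substitution are the ones from the post above.

```python
"""Derive a password from a memorable phrase, as the posts above describe.

Added example, not code from the thread.  Words are split on whitespace;
a word that is a number is kept whole; punctuation inside words is ignored.
"""
import re


def first_letters(phrase, subs=None, take_last=False):
    """Build a password from the first (and optionally last) letter of each word,
    then apply the caller's substitution map character by character."""
    subs = subs or {}
    chars = []
    for word in re.findall(r"\S+", phrase):
        if word.isdigit():
            chars.append(word)  # a number in the phrase passes through whole
            continue
        letters = re.sub(r"[^A-Za-z]", "", word)
        if not letters:
            continue  # pure punctuation, e.g. a lone dash
        chars.append(letters[0])
        if take_last and len(letters) > 1:
            chars.append(letters[-1])
    return "".join(subs.get(c, c) for c in chars)


def character_classes(password):
    """Report which of upper/lower/digit/special the password contains."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


if __name__ == "__main__":
    phrase = "I have watched all 6 of the Starwars movies about Luke Skywalker"
    pw = first_letters(phrase, {"S": "$"})
    print(pw, sorted(character_classes(pw)))
    print(first_letters(phrase, {"S": "$"}, take_last=True))
```

With the post's phrase the function returns Ihwa6ot$maL$, and the first-and-last variant of the same phrase gives a 22-character result, which is how the technique scales a phrase up to the longer minimums discussed later in the thread.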
If you're following a holistic approach to security, then you've probably got a group policy specifying desktop locking after so many minutes of inactivity. If you have to type half a paragraph to unlock your desktop each time you need to get to it, you're going to hate that long passphrase you chose.
the new password quickly. It only takes a second and a half to type a fairly long phrase.
Mmm... no.
ejhonda 21st Jan 2008
The challenge is typing w/o being able to see what you're typing. Many users find it difficult to remember where in the phrase they are if they pick a phrase that's long and has some upper and lower case in them, as well as a number or special character. Most people aren't the greatest typists, and will experience problems. It's like trying to bang out an entire sentence without looking or errors. Most people can type 3 or 4 words without issue, but the longer the string, the more likely an error will creep in.
given organization. In the organization I was contracted to, all clients had to have keyboard proficiency.

But you're right anyway; we used to find their passwords pasted under their keyboards, or on the monitor, and had to watch the policy like a hawk to keep it going.
My boss always messes his pass phrase up at least once when he is logging in. It takes him from 15 to 30 seconds to get his screen unlocked. He is a competent typist so I have to disagree with your logic.

Bill
but I am willing to bite it on the viability for such a policy to actually work for most organizations.

Perhaps fingerprint password management for passwords is the answer; I notice the Microsoft USB units are getting very affordable now..

(EDITED) I've now seen face recognition software that seems very reliable on demo.
Incorrect maths is the answer...
elgeebar Updated - 18th Jan 2008
For many years I've taken the passphrase approach... To "generate" these I use incorrect mathematical algorithms - which sounds like I'm up my own posterior but hear me out wink

It's actually dead simple... Let's take the phrase "one plus three equals five" as a simple example. It's mathematically incorrect so it's hard to predict. As a user it's dead easy to remember and as a password it's complex/strong when you input it as "1Plus2=Five".

To give your users a seed so they are not all using the obviously simple examples of this, tell them to make ONE (and only one) of the numbers significant to them (e.g. child's date of birth is 28th June 2006 so use 28) and vary this when they change their password. Also tell them to vary the mathematical operations they use.

Finally, increase mathematical complexity for your root/admin accounts e.g. "Square root of forty five divide by the cosine of ninety = pi" input as "2root45/COS90=3.14".

Job done.
Even Bruce Schneier has been quoted as saying that people might as well write their passwords down, as without the context (ie username), a password by itself is not worth much. Other security mavens have stated that it is better to have a strong password for a year than a series of weaker passwords.

Why not take these and expand them into a simple (and inexpensive) two-factor authentication method? In this method, a random password would be generated and put onto a card. This random password will be half of the actual complete password. The second half (or first half) of the password will be something the client can easily remember. In order to log in, the client will need to type in the password part from the card in addition to their own password part to form the complete password.

The card, by itself, is useless and the client will be less likely to write down the first part of the password. The client will also not be able to log in without the card (unless they have a good memory), and if they lose the card, a new one can be quickly generated. The primary drawback to this system is that it is a little more labour-intensive, as the client must be present in order for the second part of the password to be entered. However, it is inexpensive and quite effective.
RSA and Authenex can't do it, at least not with a Token+PIN approach (like RSA's SecurID), such as you're describing. Vista throws a real monkey wrench into the equation (who would have guessed that? happy ). They can if you bring certificates into the picture.

If you know of a company or product that has solved Windows login and AD integration, please let me know.
Seems DTS has the function to solve Windows login. You can check.
Two-factor authentication means PIN (Personal Identification Number) + USB token. OK... the USB token hardware itself is inexpensive, just several dollars or more based on the security level. However, we need to consider what security technology the token application is based on.

As I know, two-factor authentication is extended from PKI (Public Key Infrastructure) technology, which is to manage keys and certificates. So the user should pay for not only the token, but the certificates from the Certificate Authority (CA) and the consultant charge for how to establish a PKI-based system. That's quite a large amount. Generally, PKI is suitable for online banking, government, public utilities, or enterprises globally.

And what solution is more effective and safe? I think OTP (one-time password) is another choice. The users need only to set up the server and then distribute the tokens.

Of course, I also agree with Mike Mullins' opinion. This method is suitable for websites that need a lower level of security protection. Thank you, Mike. Your way actually can help me remember the password for several months at least without the note. But Microsoft's ECE web asks me to change the password monthly with no letter and number repeated. Ahh... that's frequent for me. Maybe I need more training :o)
Agree with EJHonda, I like the article from Mark Minasi in his newsletter (http://www.minasi.com/newsletters/nws0411.htm) and if you like the mp3 and pdf format, you can download them from http://www.minasi.com/seccd/#freestuff

Enjoy. I read them and presented this to my management and they liked it. So I have no trouble enforcing it in my company now.
I tell my users that no dictionary words are allowed, even if broken up, unless mutated by numbers or special characters.

So sleep2nite wouldn't fly, but sl#ep2n1te would.
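The rule stated above ("no dictionary words, even if broken up, unless mutated") is simple enough to check mechanically. The following is an added example, not the poster's own tool: it scans every contiguous piece of the password against a word list and rejects the password if any piece is a dictionary word. The word list here is a constructed stand-in for a real dictionary, and the minimum word length is an assumption chosen so that two- and three-letter words do not flag everything.

```python
"""Check the 'no embedded dictionary word' rule from the post above.

Added example, not code from the thread. WORDS is a constructed stand-in
for a real word list; MIN_WORD_LEN is an assumed threshold.
"""
# Constructed mini-dictionary covering the examples used in this thread.
WORDS = {
    "sleep", "night", "nite", "close", "home", "moon", "landing",
    "pass", "word", "password", "stick", "man", "together",
}
MIN_WORD_LEN = 4  # assumption: ignore very short words such as "to" or "it"


def embedded_words(password, words=WORDS, min_len=MIN_WORD_LEN):
    """Return every dictionary word that appears contiguously in the
    password, ignoring case. Characters that were mutated into digits or
    symbols break the match, which is exactly what the rule wants."""
    lowered = password.lower()
    found = set()
    for start in range(len(lowered)):
        for end in range(start + min_len, len(lowered) + 1):
            piece = lowered[start:end]
            if piece in words:
                found.add(piece)
    return found


def passes_rule(password, words=WORDS, min_len=MIN_WORD_LEN):
    """True when no dictionary word survives intact inside the password."""
    return not embedded_words(password, words, min_len)


if __name__ == "__main__":
    for candidate in ("sleep2nite", "sl#ep2n1te", "moonlanding1969", "Ihwa6ot$maL$"):
        print(f"{candidate:16} -> {'ok' if passes_rule(candidate) else embedded_words(candidate)}")
```

Run against the thread's own suggestions, sleep2nite and moonlanding1969 fail because the words survive intact on either side of the digits, while sl#ep2n1te passes. A real deployment would load a full word list and, as the later "to get her" post notes, would still miss words that only appear once the pieces are joined, which is one argument for checking the final string rather than the phrase it came from.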
For most systems it's impossible to test, so you must balance ease-of-use with complexity.

Do you do inspections for written-down passwords? We do.

You have to consider what the threat environment is. For a windows workstation in a locked office, what is the real risk?

Now if that's your external bank website login, or your encryption password for that laptop you leave on the front seat of your car... that's another story.
remembering the last "x" number of passwords?
or passwords again and again when the policy expires their current one! Keep "x" high.
Yes, but
TonytheTiger 18th Jan 2008
how does that protect from hackers? In other words, why would it be insecure to allow the user to simply use two (complex) passwords and alternate between them monthly?
Simple, it doesn't
NZBN 18th Jan 2008
changing a password every 90 days or 180 days is no more secure than keeping the same password for a full year.

What happens when a user has to change their password? I'll tell you what happens, they change one letter or number so rather than leetspeak1 it becomes leetspeak2 - no more secure, and if the hacker already has the password and they go oh no the password has changed what are they going to try? Yup you guessed it the next number up the stack.

Hackers aren't stupid so I have no idea why so many users are forced to use "stupid" practices such as change your password every 90 or 180 days. It serves no purpose but to lessen security.
90 days??
jeff@... 19th Jan 2008
What's with this forced password change every 90 days or 180 days nonsense, most places I've worked stick with the Windows default of every 30 days.

As for hackers, surely most of them are going to be outside the organisation. Therefore when 3rd party vendors require remote access to your systems you only enable their accounts for the required period and immediately disable them when they're finished. For both remote workers and 3rd party vendors you can also employ RSA SecurID tokens to validate their VPN access through the firewall. Firewall access can be further locked down by only permitting known IP addresses through.

As for internal attempts to gain access, one of the easiest ways to help prevent this is to invoke the policy to clear the username field at each logoff, this then needs to be manually entered every time, this also ensures that the user will remember their username (how many times have I had problems trying to reset a user's password because they've forgotten their username?!?)
How do you think you are increasing security by forcing users to change their passwords every 30 days?
simply states something like: "to avoid the vulnerabilities associated with password reuse" but doesn't explain what these vulnerabilities are.

That's little better than "Because I said so, that's why!"

I'm going to start a new thread in the questions section. Maybe the possibility of getting thumbs will get me a real answer happy
I have posted my answer here:
securecyber.blogspot.com with better idea (I guess). I'd appreciate any comments.
See my post with a subject of phrases at 10:54. Like you I also use the concept of phrases but instead take some combination of letters from each word in the phrase. With this technique I never have a recognizable word in my password. I have used this technique to remember passwords up to 26 characters long.

Not sure if having recognizable words in a password that is 16 characters long is any less secure than having completely random characters, but it makes me feel better not having any. I read somewhere that combining a certain 3-word phrase could get you in trouble by actually generating a very recognizable word. The phrase was "to get her", which when combined became "together".

For very secure websites that I visit like banking I actually use Password Maker and have it generate a password for each site.
I agree with you on that. Another thing I want to mention is a fingerprint reader. I use one from Microsoft. It helps with 3 things:
1. Quick login to any web site that has a login prompt - just put your finger on a reader screen;
2. Possibly (?) prevents keystrokelogger from logging the keys you have pressed.
3. If you generate a complicated password, it is not necessary to memorize it (the best of the features)!
or the monitor in/output or both. I assume your reader is USB? Probably alright for now.
I hear that finger print readers are prone to false positives and negatives. Have you looked into this at all?

Bill
Microsoft USB reader were very encouraging. I didn't look to see what people thought of the reader keyboard.
When I was learning for my CISSP, I found that there is obviously a problem with a false positive/negative reading when wrong information is being accepted as the right one. To be fair, I have tested only the device that I use myself: the Microsoft fingerprint reader (I also had another one that's combined with a wireless mouse but it went dead in two days). I asked several people to try to log in to my web sites through the fingerprint reader and none of them was able to log in. My other fingers did not log me in either. Only the two fingers that were registered with the software did the trick.
The software creates a unique and garbled code of the password itself protected with (I believe) 256-bit encryption. You can open the file for each corresponding entry and recognize the web site name but the password is not readable (encrypted).
There are more comprehensive software versions to log in to domains, but my reader allows only logging into web sites if you use an IE-compatible browser. It does not recognize Firefox, so far.
I am under the impression it's relatively easy to defeat the "biometric" kind of 'security.' Especially finger print readers.

Worst case, someone chops your finger off, if the potential 'reward' is big enough.

But way back in the 60's the Mission Impossible team faked finger prints by making a rubber mold.

I admit to a bias here: I despise anything that tends toward "biometric" based access of any kind. I see the future of such control in the hands of big brother and it ain't pretty.

cat