Security UPDATE--Passphrases vs. Passwords--October 27, 2004
- From: Educational CyberPlayGround <admin@xxxxxxxxxxxxxxx>
- To: NetworkNewsletters@xxxxxxxxxxxxx
- Date: Thu, 28 Oct 2004 12:19:13 -0400
**************************************************************
Educational CyberPlayGround Community [ECP]
http://www.edu-cyberpg.com/
Subscribe - Unsubscribe - Email Preferences
http://www.edu-cyberpg.com/Community/index.html
Network Newsletters Mailing List ©1994
<http://www.edu-cyberpg.com/Community/NetworkNewsletters.html>
Find out how to Advertise on K12 Newsletters Mailing List
<http://www.edu-cyberpg.com/Community/Subguidelines.html>
**************************************************************
Date: Thu, 28 Oct 2004 03:30:34 -0500 (CDT)
Subject: Security UPDATE--Passphrases vs. Passwords--October 27, 2004
====================
1. In Focus: Passphrases vs. Passwords
2. Security News and Features
- Recent Security Vulnerabilities
- Using WMI Filters with GPOs
- Windows XP Pro x64 Data Protection Features
3. Security Matters Blog
- Malware for Macs
- MSDN Magazine: Coding Your Way to Better Security
4. Security Toolkit
- FAQ
- Security Forum Featured Thread
5. New and Improved
- Lock Out Unwanted USB and Other Devices
- Help Users Self-Manage Passwords
==== 1. In Focus: Passphrases vs. Passwords ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
For a long time, people have argued the need for longer and more
complex passwords. The idea behind the argument is that short, simple
passwords are far easier to crack than long, complex passwords. Some
people even prefer randomly generated passwords, which can be even
more difficult to crack because they typically aren't based on some
alteration of a known word in a given language.
You might already know that Windows 2000 and later allow a maximum
password length of 127 characters. The allowed characters include
punctuation, special characters, and even Unicode characters. The
reason for the 127-character limit is that the password is stored in a
256-byte array. Windows represents each character as a two-byte
Unicode (UTF-16) code unit, so the array holds 128 code units; one of
them is reserved for the string's terminating null, which leaves 127
usable characters. (A character outside the Basic Multilingual Plane
takes two code units, so it counts double against that limit.)
The ability to use 127 characters allows far more complex passwords or
passphrases than many of us use. I suppose the only real difference
between a password and a passphrase is that a passphrase is a series
of words with a space between them, and passphrases might tend to be
longer than passwords.
Some of you might know of Robert Hensing, who works as a member of
Microsoft's Security Incident Response Team. Hensing has a blog
(syndicated at the first URL below, unsyndicated at the second URL
below), and back in July, he wrote an interesting blog article (at the
third URL below) that argues for the use of passphrases instead of
passwords.
http://weblogs.asp.net/robert_hensing/Rss.aspx
http://weblogs.asp.net/robert_hensing/
http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx
In his article, Hensing explains why he thinks longer passphrases are
superior. Essentially, it's because they take longer to crack. An
attacker can precompute the hashes of a huge set of candidate
passwords once, then look up any captured hash in that table instead
of hashing candidates one at a time; because Windows password hashes
aren't salted, one such table serves every account. Short,
single-word passwords are therefore cracked almost instantly with
precomputed tables and other password-cracking tools. The hashes of
longer passphrases that include a series of words or random character
combinations are far more difficult to crack because the number of
candidates grows exponentially with length: no precomputed table can
cover them, and guessing them one at a time takes far more time. One
premise behind password security is that a password's life span
should be shorter than the time necessary to crack it. That way, the
password will have been changed to something else before someone can
crack it.
Granted, an entity that really wants to know your password can use
certain methods, such as distributed computing and super-fast
computers, to crack it much faster than the average intruder could, no
matter the length. But most intruders probably aren't capable of
attaining such resources, so passphrases and short passphrase life
spans could keep a large percentage of intruders completely at bay.
Thus, they're worth considering.
To enforce the use of passphrases, you can establish policies that
require a certain minimum number of characters. For example, if you
require at least two dozen characters in a password, your computer
users might be inclined to think of a phrase, which is of course
easier to remember than a long string of characters. If you're
interested in the concept, read Hensing's blog article and consider
the comments from various readers.
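The following is an added example, not code from the newsletter or from Hensing's post. It makes the precomputation argument concrete and adds the check a minimum-length policy needs: the Windows NT hash is an unsalted MD4 of the UTF-16LE password, so a table built once from a wordlist recovers any single-word password by lookup, while a passphrase outside the table is not found; the same keyspace arithmetic shows that a phrase of three common words has fewer candidates than eight random alphanumerics, so length alone is not the measure; and the policy check counts UTF-16 code units against the 127-unit limit the column describes. The wordlist, the 24-character minimum and the demo inputs are constructed for this illustration; the MD4 routine is written in pure Python because OpenSSL 3 builds of hashlib often no longer provide it.

```python
"""Added example: unsalted NT hashes vs. precomputed tables, keyspace size,
and a passphrase length policy counted in UTF-16 code units.
WORDLIST, the 24-character minimum and the demo inputs are constructed."""
import math
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(message: bytes) -> bytes:
    """MD4 per RFC 1320, in pure Python because OpenSSL 3 builds of
    hashlib frequently no longer expose it."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(message) * 8)        # bit length, little-endian
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + words[k] + const) & MASK32,
                          shifts[i % 4])
                a, b, c, d = d, a, b, c              # rotate the registers
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password. No salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def build_table(candidates):
    """Hash every candidate once; a captured hash is then a dict lookup."""
    return {nt_hash(p): p for p in candidates}


def crack(captured_hash: str, table):
    """Returns the plaintext if the hash is in the precomputed table."""
    return table.get(captured_hash.lower())


def keyspace_bits(choices_per_position: int, positions: int) -> float:
    """log2 of the candidates a table must hold. Characters drawn from an
    alphabet and words drawn from a dictionary follow the same formula."""
    return positions * math.log2(choices_per_position)


MAX_UTF16_UNITS = 127   # the 127-character limit, counted in UTF-16 code units


def check_passphrase(phrase: str, minimum_chars: int = 24):
    """Policy check: at least `minimum_chars` characters and no more than
    127 UTF-16 code units. A character outside the BMP takes two code
    units, so len() alone would overshoot the buffer."""
    units = len(phrase.encode("utf-16-le")) // 2
    if units > MAX_UTF16_UNITS:
        return False, f"{units} UTF-16 code units exceeds {MAX_UTF16_UNITS}"
    if len(phrase) < minimum_chars:
        return False, f"{len(phrase)} characters is below the {minimum_chars} minimum"
    return True, "ok"


# Constructed wordlist standing in for the millions of entries a real table holds.
WORDLIST = ["password", "letmein", "qwerty", "autumn2004", "Password1"]

if __name__ == "__main__":
    table = build_table(WORDLIST)
    captured = "8846f7eaee8fb117ad06bdd830b7586c"   # NT hash of "password"
    print("single word:", crack(captured, table))
    print("passphrase :", crack(nt_hash("correct battery staple horse"), table))
    print("8 random alphanumerics : %.1f bits" % keyspace_bits(62, 8))
    print("3 words from 2,000     : %.1f bits" % keyspace_bits(2000, 3))
    print("24 random alphanumerics: %.1f bits" % keyspace_bits(62, 24))
    print(check_passphrase("correct battery staple horse"))
    print(check_passphrase("\U0001F512" * 64))
```

Two points worth noticing when running it: the captured hash resolves with a single dictionary lookup, which is the whole reason short single-word passwords fail regardless of how fast the cracker's CPU is; and `keyspace_bits(2000, 3)` comes out below `keyspace_bits(62, 8)`, so a minimum-length policy should be paired with a ban on the commonest words or phrases, not treated as sufficient on its own.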
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries
at
http://www.windowsitpro.com/departments/departmentid/752/752.html
Using WMI Filters with GPOs
Most IT pros are familiar with the two most common methods for
scoping Group Policy: linking a GPO directly to a container (e.g.,
site, domain, organizational unit--OU, local object) and filtering it
indirectly through security permissions on the GPO. In Windows Server
2003, Microsoft added Windows Management Instrumentation (WMI)
filtering to let you further hone the scope of a Group Policy Object
(GPO). A WMI filter applies a GPO only to those members of a container
that satisfy the criteria the filter specifies. Jeff Fellinge explains
how WMI filtering works in this article on our Web site.
http://www.winnetmag.com/Article/ArticleID/44066/44066.html
Windows XP Pro x64 Data Protection Features
Due in the first half of 2005, Windows XP Professional x64 Edition
will include virtually all the features from the 32-bit Windows XP
Professional except for the 16-bit subsystem that enables DOS
application compatibility and various legacy protocols such as Apple
Computer's AppleTalk and NetBEUI. In this article, Paul Thurrott takes
a look at the data-protection features in XP Pro x64.
http://www.winnetmag.com/Article/ArticleID/44134/44134.html
==== 3. Security Matters Blog ====
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters
Check out these recent entries in the Security Matters blog:
Malware for Macs
If you use Macintosh systems on your Windows networks, be aware
that a group of people have been developing a "rootkit" for Mac OS X.
The kit performs a variety of actions you might want to try to
prevent.
http://www.winnetmag.com/Article/ArticleID/44311/44311.html
MSDN Magazine: Coding Your Way to Better Security
The new issue of MSDN Magazine has been released. This month's
content focuses almost entirely on security concerns as they pertain
to developers.
http://www.winnetmag.com/Article/ArticleID/44274/44274.html
==== 4. Security Toolkit ====
FAQ
by John Savill, http://www.windowsitpro.com/windowsnt20002003faq
Q: How do I set a domain to interim mode?
Find the answer at
http://www.winnetmag.com/Article/ArticleID/44199/44199.html
Security Forum Featured Thread
A forum participant has a problem when moving files and folders
from an area that has write access to an area on the same shared drive
that has read-only access. The files and folders are maintaining their
original write permissions even though they were moved to a read-only
area. He wants to know how he can make sure that the moved files and
folders have read-only access. Join the discussion at
http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=126705
==== 5. New and Improved ====
by Renee Munshi, products@xxxxxxxxxxxxxxxx
Lock Out Unwanted USB and Other Devices
SmartLine offers DeviceLock 5.62, which controls which users or
groups can access USB and FireWire devices, Wi-Fi and Bluetooth
devices, CD-ROMs, floppy disks, and other removable devices. You can
control access to devices depending on the time of day and day of the
week and create a white list of USB devices that won't be locked
regardless of any other settings. New in DeviceLock 5.62, you can use
Group Policy to install the DeviceLock Service on target computers in
an Active Directory (AD) domain. DeviceLock runs on Windows
2003/XP/2000/NT 4.0 computers. A single license is $35, and discounts
are available for multiple licenses. For more information, go to
http://www.protect-me.com
Help Users Self-Manage Passwords
ANIXIS has released ANIXIS Password Reset 1.1, which lets users
reset their own passwords without having to contact the Help desk or a
network administrator. Users who've forgotten their passwords can use
a standard Web browser to access Password Reset, which asks them to
answer questions about themselves. Password Reset doesn't store the
users' passwords or the answers to their password-verification
questions; it stores the hashes of these answers. Password Reset uses
the RSA and AES (Rijndael) encryption algorithms and runs on Windows
Server 2003/2000/NT 4.0. Multi-user and enterprise-level licenses are
available, with prices beginning at $360 for a 50-user license. You
can download a free, fully functional evaluation version from
http://www.anixis.com
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot@xxxxxxxxxxxxxxxxx
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Security Administrator print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rsecadmin@xxxxxxxxxxxxxxxxx If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.
==== Contact Us ====
About the newsletter -- letters@xxxxxxxxxxxxxxxx
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products@xxxxxxxxxxxxxxxx
About your subscription -- windowsitproupdate@xxxxxxxxxxxxxxxx
About sponsoring Security UPDATE -- emedia_opps@xxxxxxxxxxxxxxxx
====================
This email newsletter is brought to you by Security Administrator, the
leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for internal
users. Subscribe today.
http://www.secadministrator.com/rd.cfm?code=00ep254xeb
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2004, Penton Media, Inc. All rights reserved.