Security UPDATE--Mathematical Strength of Passphrases--November 3, 2004

  • From: Educational CyberPlayGround <admin@xxxxxxxxxxxxxxx>
  • To: NetworkNewsletters@xxxxxxxxxxxxx
  • Date: Tue, 09 Nov 2004 10:56:20 -0500
**************************************************************
-- Educational CyberPlayGround Community 
http://www.edu-cyberpg.com/
-- Network Newsletters Mailing List ©1994
http://www.edu-cyberpg.com/Community/NetworkNewsletters.html
-- Subscribe - Unsubscribe - Email Preferences
http://www.edu-cyberpg.com/Community/index.html
-- Advertise on Network Newsletters Mailing List
http://www.edu-cyberpg.com/Community/Subguidelines.html
**************************************************************
Education Vendor Directory - Advertise Your Services.
Helps educators make the most efficient use of your resources
Get your products or services noticed
through support of the Educational CyberPlayGround,
a clearinghouse of educational resources.
  <http://www.edu-cyberpg.com/Community/Subguidelines.html>
**************************************************************************


1. In Focus: Mathematical Strength of Passphrases

2. Security News and Features
    - Recent Security Vulnerabilities
    - News: New Security Risk Management Guide
    - Feature: Event Response

3. Security Matters Blog
    - Microsoft's Virtual Lab
    - Need Hands-on Time in a Cisco Lab?

4. Instant Poll

5. Security Toolkit
    - FAQ
    - Security Forum Featured Thread

6. New and Improved
    - SSL VPN for Multiplatform Clients

====================
**************************************************************************
ActiveServers, Inc ServerFarm, Co-Location, Point to Point Wireless,
Consulting, and Windows dotnet Servers. Premium Hosting Solutions
on multiple OC-48 redundant connections.
Visit http://activeservers.com
**************************************************************************
====================

==== 1. In Focus: Mathematical Strength of Passphrases ====
    by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about why passphrases might be a better idea than
passwords. In essence, passphrases are longer and stronger, easier to
remember, and more resistant to the assaults of many of the more
popular password crackers.

In previous editions of this newsletter, I've mentioned articles by
Jesper Johansson, Microsoft security program manager. Recently,
Johansson published part 2 of the three-part series "The Great
Debates: Pass Phrases vs. Passwords," which compares passphrases and
passwords. In part 1 (at the first URL below), Johansson covers the
fundamentals, including how passwords are stored. In part 2 (at the
second URL below), he looks at the strength of each approach, and in
part 3, due out later this month, if I understand correctly, he will
offer guidance on how to select stronger passwords and configure
password policy.
    
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx
    
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx

Part 2 of the series is very interesting because Johansson offers
insight into why "longer is stronger" in many cases. Some
password-cracking tools attempt to precompute all possible hashes and
store them on disk in order to quicken computation time when trying to
crack a given password. Johansson points out that precomputing for LAN
Manager (LM) hashes is feasible because storing all possible hashes
for a 14-character password, for example, based on a 76-character set
(the number of characters on a standard American English keyboard when
you include lower- and uppercase letters, numbers, punctuation, and
special characters) would require about 310TB of storage. Granted,
that's a huge amount of data, but storing it is feasible given the
file systems available today. On the other hand, trying to store all
the possible NT hashes given the same 14-character password and
76-character set wouldn't be feasible because NT's hash algorithm
produces longer hashes that would require 5,652,897,009 exabytes (EB)
of storage, which according to Johansson, "exceeds the capacity of any
file system today." So you can see that using at least 14 characters
for passwords and NT hashes makes cracking take much longer than using
shorter passwords and LM hashes because all the possible NT hashes
can't be precomputed and stored to disk to save processing time.

If all the characters in a password are alphanumeric, and especially
if all the letters are the same case, then cracking doesn't take as
long as if some nonalphanumeric characters and mixed-case letters are
used. As you might know, cracking programs check first for common
words using techniques such as dictionary attacks. And if you use only
upper- or lowercase letters, the alphanumeric characters add up to
only 26 letters and 10 digits, or 36 characters. But if you use the
entire set of 76 characters, you greatly increase password strength
because you increase the amount of time required to crack your
passwords.

Essentially, the strength of a password (or passphrase) is a function
of the size of the character set, the number and randomness of
characters used from that set, and the computing power of the platform
used to attempt to break the password. Because you can't precisely
determine which platform crackers might have at their disposal, you
could assume the worst-case scenario--that they have the power of a
distributed computing network and massive amounts of storage and will
therefore be able to crack your password much more quickly than if
they worked alone or with a few associates. That means you should
consider using password policies that defend against such threats as
much as possible by requiring passwords longer than 14 characters,
requiring some nonalphanumeric characters, defending your network at
all levels against sniffing, and so on.
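The two preceding passages put the "longer is stronger" argument in terms of character-set size, password length, precomputed-table storage and attacker computing power; the script below is an added worked example (not from the newsletter or from Johansson's articles) that carries those calculations through for the 36- and 76-character sets. It assumes a fixed number of bytes per table entry and a guess rate that you supply, and it models LM's hashing of each 7-character half of a 14-character password independently (a property of the LM algorithm, not something stated on this page), so its figures will not reproduce Johansson's quoted 310TB and 5,652,897,009EB exactly, since his per-entry assumptions are not given here.

```python
import math

# Character-set sizes quoted in the newsletter.
FULL_KEYBOARD = 76      # both cases, digits, punctuation, symbols
SINGLE_CASE_ALNUM = 36  # 26 letters of one case + 10 digits
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` characters."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string drawn from that keyspace."""
    return length * math.log2(charset_size)

def lm_table_entries(charset_size: int) -> int:
    """Entries in a complete LM precomputation table.

    LM hashes each 7-character half of a (padded) 14-character password
    independently, so a table of every 7-character half covers every
    14-character password.  LM also upper-cases its input, which shrinks
    the set further; ignored here to keep the newsletter's 76 figure.
    """
    return keyspace(charset_size, 7)

def nt_table_entries(charset_size: int, length: int = 14) -> int:
    """NT hashes the whole password, so every full-length string counts."""
    return keyspace(charset_size, length)

def table_bytes(entries: int, bytes_per_entry: int = 16) -> int:
    """Storage for a full table; bytes_per_entry is an assumed constant."""
    return entries * bytes_per_entry

def years_to_exhaust(entries: int, guesses_per_second: float) -> float:
    """Worst-case time to try every entry at an assumed guess rate."""
    return entries / guesses_per_second / SECONDS_PER_YEAR

def human(n_bytes: int) -> str:
    """Decimal SI units (1 TB = 10**12 bytes), three significant figures."""
    units = ["B", "KB", "MB", "GB", "TB", "PB", "EB"]
    value, i = float(n_bytes), 0
    while value >= 1000 and i < len(units) - 1:
        value, i = value / 1000, i + 1
    text = f"{value:,.0f}" if value >= 1000 else f"{value:.3g}"
    return f"{text} {units[i]}"

def compare(charset_size: int) -> dict:
    """LM vs NT full-table size for the newsletter's 14-character case."""
    return {"lm": human(table_bytes(lm_table_entries(charset_size))),
            "nt": human(table_bytes(nt_table_entries(charset_size)))}
```

Calling compare(FULL_KEYBOARD) shows the LM table landing in the hundreds of terabytes while the NT table runs to billions of exabytes, the same order of magnitude as the figures quoted above.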

If you're interested in more information about password strength or
need some logical reasoning to justify new password policies for your
network, be sure to read Johansson's articles. He goes into a lot of
detail (which isn't over the head of a typical network administrator)
and offers several anecdotes and case studies that I think you'll
find interesting. Also, please take a moment to visit our Security Hot
Topic Web page and answer our latest Instant Poll question: "What
password length do you enforce on your network?" I'm interested to
know whether you agree that longer passwords are stronger passwords.

On another note, we're happy to announce the IT Prolympics--a contest
designed to recognize the most proficient Active Directory (AD)
experts in the nation. The gold medal winner will get an
all-expenses-paid trip to TechEd 2005. Plus, we'll feature photos and
test scores of gold, silver, and bronze winners in the January issue
of Windows IT Pro magazine. Learn more about IT Prolympics and enter
here:
    http://www.windowsitpro.com/itprolympics

====================
====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
    If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries
at
    http://www.windowsitpro.com/departments/departmentid/752/752.html

News: New Security Risk Management Guide
    Microsoft has published a new Security Risk Management Guide that
helps people "plan, build, and maintain a successful security risk
management program." The new guide is available for free on the
company's TechNet Web site.
    http://www.winnetmag.com/Article/ArticleID/44356/44356.html

Feature: Event Response
    Windows event logs are a crucial source of information for Windows
IT pros. They can warn you of impending problems and alert you to
security incidents--but only if you keep on top of them so that you
can react to problems quickly. Unfortunately, that's easier said than
done. Randy Franklin Smith reviews three tools that monitor event logs
and send you alerts.
    http://www.winnetmag.com/Article/ArticleID/44093/44093.html

====================

==== 3. Security Matters Blog ====
    by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Microsoft's Virtual Lab
    Did you know that Microsoft has a virtual lab? I recently learned
about the TechNet Virtual Lab, which lets people test the company's
latest software in a sandbox environment.
    http://www.winnetmag.com/Article/ArticleID/44374/44374.html

Need Hands-on Time in a Cisco Lab?
    The folks over at the Firewall.cx Web site have announced they are
providing a "free fully equipped lab" with Cisco hardware.
    http://www.winnetmag.com/Article/ArticleID/44312/44312.html

==== 4. Instant Poll ====

Results of Previous Poll:
Do you use Mac OS X on your network?
    The voting has closed in this Windows IT Pro Security Hot Topic
nonscientific Instant Poll. Here are the results from the 46 votes.
    - 33% Yes
    - 7% No, but we intend to
    - 61% No
    - 0% I'm not sure
(Deviations from 100 percent are due to rounding.)

New Instant Poll:
What password length do you enforce on your network?
    Go to the Security Hot Topic and submit your vote for
    - 14 or fewer characters
    - 15 to 24 characters
    - 25 to 34 characters
    - 35 to 44 characters
    - 45 or more characters
    http://www.windowsitpro.com/windowssecurity#poll

==== 5. Security Toolkit ====

FAQ
    by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: Does Microsoft provide a tool to help you determine the meanings of
error codes?

Find the answer at
    http://www.winnetmag.com/Article/ArticleID/44330/44330.html

Security Forum Featured Thread
    A forum participant has a computer with a file named *yhukyp.exe
that runs at boot up. The file is hidden in the All Users startup
directory. When he deletes the file, it's copied back from somewhere
else. He's looked in the registry under Run and RunOnce and at the
system.ini and win.ini files. He wonders whether anyone knows of a
guide that might describe where to find the program on the system.
Join the discussion at
    http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=127136

====================

==== Events Central ====
    (A complete Web and live events directory brought to you by Windows
IT Pro at http://www.windowsitpro.com/events )

Securing Your Organization's Messaging Traffic
    In this free Web seminar, security expert Randy Franklin Smith will
take a high-level look at the current security trends in the industry,
the emerging threats, and the threats that have become passé. Plus,
you'll learn about the commonly held misconceptions about security
patches and which kinds of attacks companies are reporting in
increased numbers. Register now!
    http://list.windowsitpro.com/cgi-bin3/DM/y/eiAL0MfYqv0Kma0BMdP0Au

====================

====================

==== Contact Us ====

About the newsletter -- letters@xxxxxxxxxxxxxxxx
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products@xxxxxxxxxxxxxxxx
About your subscription -- windowsitproupdate@xxxxxxxxxxxxxxxx
About sponsoring Security UPDATE -- emedia_opps@xxxxxxxxxxxxxxxx

====================

This email newsletter is brought to you by Security Administrator, the
leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for internal
users. Subscribe today.
    http://www.secadministrator.com/rd.cfm?code=00ep254xeb

View the Windows IT Pro privacy policy at
    http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - 
http://www.osvdb.org/


<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>
EDUCATIONAL CYBERPLAYGROUND 
http://www.edu-cyberpg.com

Net Happenings, K12 Newsletters, Network Newsletters
http://www.edu-cyberpg.com/Community/index.html

FREE EDUCATION VENDOR DIRECTORY LISTING
http://www.edu-cyberpg.com/Directory/default.asp

HOT LIST OF SCHOOLS ONLINE
http://www.edu-cyberpg.com/Schools/default.asp

Educational CyberPlayGround Services
http://www.edu-cyberpg.com/PS/Home_Products.html
<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>~~~~~<>
