Why you shouldn't use OS passwords:

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA


#1 Post by Kenn » Sat Feb 12, 2005 11:06 pm

http://weblogs.asp.net/robert_hensing/a ... 99610.aspx

Great read.

So Windows already supports this, when do you think the Phoenix BIOS in our Thinkpads will support 128-character passwords (or how about just non-character symbols as a start)?
IBM ThinkPad T42p (2373-7XU): 1.8GHz/1024MB, 15" UXGA, DVD-RW, 80GB, 2200b/g.
T42 (2374-3VU): 1.7GHz/512MB, 14.1"SXGA+, DVD-RW, 80GB, 2200b/g.

JHEM
Admin Emeritus
Posts: 5571
Joined: Thu Apr 15, 2004 8:03 am
Location: Medford, NJ USA

#2 Post by JHEM » Sun Feb 13, 2005 9:08 am

Kenn,

I did a minor edit on your post to better reflect the fact that it's about OS passwords, not Thinkpad (hardware) passwords.

Everybody should already have their Power-On and Supervisor passwords set! If the passwords aren't set, anyone with access to your Thinkpad for a minute or so can set them and effectively lock you out!

Regards,

James
James at thinkpads dot com
5.5K+ posts and all I've got to show for it are some feathers.... AND a Bird wearing a Crown

waterside
Posts: 32
Joined: Mon Sep 27, 2004 8:07 pm

#3 Post by waterside » Sat Apr 02, 2005 11:16 am

It is pretty sad that a CISSP actually posted something like that :(

Password, Passphrase, whatever. The summary (which he does actually mention) is that longer lengths are needed to protect against brute-force attacks. What you call it doesn't matter - make it as long as you can.

Using "long" sequences has always been the recommendation for this very reason. Unfortunately, while a 42 character pass "phrase" (I don't care what you call it) may be "impossible" to brute-force with current technology we can't make the same assumption about two years from now. Nobody should be using sequences shorter than 8 characters anymore, but just how long is sufficient? How long will that minimum length be sufficient?

Sorry, but there's nothing new here despite the fact that this CISSP makes it seem like it is. I take a slightly different perspective and question why Micro$loth still ships products with legacy security models as the default, despite common knowledge that they are woefully inadequate. The default should be the most secure and force admins to reduce security where required. For typical home use, the only difference is new installs will force a longer and more complex sequence.

waterside
Posts: 32
Joined: Mon Sep 27, 2004 8:07 pm

#4 Post by waterside » Sat Apr 02, 2005 11:22 am

JHEM wrote:Kenn,
Everybody should already have their Power-On and Supervisor passwords set! If the passwords aren't set, anyone with access to your Thinkpad for a minute or so can set them and effectively lock you out!
Absolutely! This is often overlooked but it can (and does) happen.

BIOS passwords can be easily defeated but require the case be opened. Hard-Drive passwords can also be defeated, but there is a cost involved.

When security features are provided and so easy to enable they must be.

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA

#5 Post by Kenn » Mon Apr 04, 2005 2:47 pm

Using "long" sequences has always been the recommendation for this very reason. Unfortunately, while a 42 character pass "phrase" (I don't care what you call it) may be "impossible" to brute-force with current technology we can't make the same assumption about two years from now. Nobody should be using sequences shorter than 8 characters anymore, but just how long is sufficient? How long will that minimum length be sufficient?
The counterargument to that is, what kind of security scheme can you build that is guaranteed to be unbreakable in x-years time, and why is it better NOT to use a scheme that is more-effective NOW, for the sole reason that it may no-longer be effective years later?

The author explicitly acknowledges your point about the future, and indeed says that standard passphrases can eventually be brute-forced with semantic attacks - using words and grammar structure for the dictionary. But security will always be a game of cat and mouse, and because the vast majority of users use 4-8 character pa55w0rds and will likely do so for years to come, you'll be a big step ahead by using a passphrase that the current system already supports but no/few cracking routines currently employ (because for everyone with a 40-character passphrase, there are 10,000 people who use 4-8 digit PINs).

What you suggest almost sounds like, "Regardless of how effective a 40-character passphrase may be now, you should not change your already-insecure 9-character password because in 2 years, it's possible that the 40-character passphrase will no longer be secure."
(I know that's not your point, but from you've written above it's very easy to get that impression, which I want to clear up).

Another salient point is that you mention "nobody 'should' be using passwords shorter than 8 characters," but how closely is this followed in real life, and what are the increasing costs of people being more likely to forget longer, "more random" sequences? Also, how good is this >8 policy when passwords greater than 8 characters are already "broken" in terms of how prone they are to dictionary attacks in widespread use? The author simply states that using a phrase instead of a bizarre, but shorter string is an effective way to exceed the complexity of a strange-looking alphanumeric string against brute forcing, while at the same time making it easier for users to remember passwords; which in the end lowers the barriers to increasing security, by allowing longer passwords or more frequent changes. And even more importantly, support for it already exists in the last two versions of Windows, which few people know.

The last two corporate environments I've worked in still have a policy of requiring "passwords greater than 8 characters, which may not be dictionary words, and which must contain at least one numeric character for every 4 alpha characters, and one symbol," and they usually include examples such as "WH02&df1G." And they must be changed semi-monthly. Yeah...right. Just sounds like a great way to stick it to employees and the IT department at the same time. This commonplace policy is the kind he says passphrases would be better-suited for, and whatever qualms you have against defaults, it's not exactly Microsoft's fault that companies still recommend the prior method.

So in the end, he's not saying "Passphrases will solve all of our security concerns forever." He's saying "Everybody's door already has a deadbolt, but only 1% of people notice and use it. I'm reminding you that it's there, and that using it now will put you in a position better than 99% of everyone else out there."

daeojkim
ThinkPad Partner
Posts: 879
Joined: Sat Oct 09, 2004 1:41 am
Location: Houston, TX. USA

#6 Post by daeojkim » Tue Apr 05, 2005 3:40 pm

I have been using password lengths of more than 10 characters for almost 10 years. Now it has gotten to 25 characters long and includes special characters and numbers.

How do I remember? Well they are not random characters but they have a meaning and I can easily remember.

Also, since I speak multiple languages, I make passwords in Korean or Japanese but type them in English typing mode. That way they are random-looking characters that would not be present in any English, Korean or Japanese dictionary.

Another method is the up-or-down method: for letters, enter the character that is up and to the left (or right) of the key, and for numbers, the character that is down and to the left (or right). E.g. if the password is "thinkpadt43", the actual password would be 5y8hi0qe5re (up/left for letters and down/right for numbers). It looks totally like a random string, doesn't it? And it will most likely ensure that you end up with a combination of numbers and letters.
* T60 * X61 * X41 * T500 * ThinkCentre A58 *

MadeInJapan
Senior Member
Posts: 936
Joined: Wed Jul 07, 2004 11:02 pm
Location: Knoxville, TN

#7 Post by MadeInJapan » Tue Apr 05, 2005 9:10 pm

Nice to have another Japanese speaking member among us! Great idea on the passwords by the way...I'll have to try that too!
IBM ThinkPad T30 w/modified NEC 6500 DVD Burner, TP600E, Japanese TP535E & Japanese TP560. RIP T380D

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA

#8 Post by Kenn » Tue Apr 05, 2005 10:40 pm

Both are very good methods, and I've used the foreign-language system myself with Pinyin :)

But don't forget, the key point of the message is to keep that password long, not (just random). It may not take appreciably longer (in the scheme of brute-forcing) to dictionary-attack "thinkpadt43" over "5y8hi0qe5re." For now, the safest method is to keep the password longer than 8-10!
daeojkim wrote:I have been using password length that is more than 10 characters long for almost 10 years. Now it has gotten to 25 chracters long that includes special characters and numbers.

How do I remember? Well they are not random characters but they have a meaning and I can easily remember.

Also since I speak multiple languages I make passwords in Korean or Japanese but type it in English typting mode. That way it would be a random character that would not be present in neither English or Korean or Japanese dictionary.

Also another method is to use up or down method. So, when you have a password for letters enter characters that are to up and left or right key and for numbers down and left or right key. e.g. if the password is "thinkpadt43" the actual password would be 5y8hi0qe5re (up/left for letter and down/right for number). It seems totally like a randon character doesn't it? And it will most likely to ensure that you add numbers and letter combination.
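The point Kenn makes above, that "5y8hi0qe5re" is not appreciably harder to recover than "thinkpadt43", is easy to show with a rule-based dictionary attack. The following is an added example written for this page, not code posted by anyone in the thread: it implements daeojkim's "letters up, digits down" keyboard transform as one mangling rule among a few others, runs them over a small constructed wordlist against an unsalted SHA-256 hash (the hash, the wordlist and the rule set are all assumptions for illustration), and counts guesses. The search cost is the wordlist times the number of rules, a factor of a few, not the 36^11 keyspace the scrambled string appears to have.

```python
import hashlib
import math
from itertools import product

# US QWERTY rows, top to bottom. Each row sits about half a key to the right
# of the one above it, so "the key up and to the left" of a letter is the
# character at the same index in the row above, and "down and to the right"
# of a digit is the same index in the row below. This reproduces the post's
# thinkpadt43 -> 5y8hi0qe5re exactly.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def keyboard_shift(pw: str) -> str:
    """The 'letters up, digits down' transform from the post. Characters not
    on the four rows (symbols, uppercase) pass through unchanged."""
    out = []
    for ch in pw:
        for r, row in enumerate(ROWS):
            if ch in row:
                target = ROWS[1] if r == 0 else ROWS[r - 1]
                out.append(target[row.index(ch)])
                break
        else:  # not on any of the four rows
            out.append(ch)
    return "".join(out)


# A handful of mangling rules of the kind a cracker carries in a rule file
# (constructed set). The user's scheme is just one more entry: it costs the
# attacker a factor of len(RULES), not a larger keyspace.
RULES = {
    "identity": lambda w: w,
    "capitalize": lambda w: w.capitalize(),
    "leet": lambda w: w.translate(str.maketrans("aeios", "43105")),
    "keyboard_shift": keyboard_shift,
}

# Constructed wordlist: a few base words crossed with a few common suffixes.
BASE_WORDS = ["password", "letmein", "thinkpad", "ibm"]
SUFFIXES = ["", "1", "123", "t43", "2005"]
WORDLIST = [b + s for b, s in product(BASE_WORDS, SUFFIXES)]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def rule_attack(target_hash: str, wordlist=WORDLIST, rules=RULES):
    """Try every (word, rule) pair against an unsalted SHA-256 hash.
    Returns (plaintext, rule_name, guesses); plaintext is None on failure.
    Work is bounded by len(wordlist) * len(rules) no matter how random the
    resulting string looks."""
    guesses = 0
    for word in wordlist:
        for name, rule in rules.items():
            guesses += 1
            candidate = rule(word)
            if sha256_hex(candidate) == target_hash:
                return candidate, name, guesses
    return None, None, guesses


if __name__ == "__main__":
    target = sha256_hex("5y8hi0qe5re")  # the post's shifted "thinkpadt43"
    plaintext, rule, guesses = rule_attack(target)
    print(f"recovered {plaintext!r} via rule {rule!r} after {guesses} guesses")
    print(f"rule attack work: {math.log2(len(WORDLIST) * len(RULES)):.1f} bits")
    print(f"blind brute force of 11 chars [a-z0-9]: {11 * math.log2(36):.1f} bits")
```

Note that the attacker never needs to invert the transform (which is ambiguous anyway, since "q" in the output could have come from "1" or from "a"); applying it forward to each dictionary candidate is enough, which is exactly how rule files in real crackers work.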

waterside
Posts: 32
Joined: Mon Sep 27, 2004 8:07 pm

#9 Post by waterside » Wed Apr 06, 2005 9:25 pm

Kenn wrote:Both are very good methods, and I've used the foreign-language system myself with Pinyin :)
Except that using a "foreign" language does not increase security nor make a passphrase any more valuable. A passphrase in any language is equivalent in the current times and it is in fact documented that language is no longer a relevant factor.

In 1988 I was already using multiple-language dictionaries with early versions of "crack". Using heavy iron (of the day) this could still take weeks using a relatively small ruleset but with a large composite dictionary. Today this takes a fraction of the time for a composite dictionary exponentially larger.

At last check, I was able to find dictionaries for over 80 languages rather easily for a total vocabulary of tens of millions of "words". At one time a method that provided sufficient complexity was a custom acronym from an uncommon phrase in a literary work. Today there are dictionaries with hundreds of thousands of these, though using the entire arbitrary phrase (with simple complexity added) might be more appropriate.

Length and complexity are key but using alternate languages does not increase complexity at all.
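The argument in this post (and in Kenn's earlier one about what "two years from now" does to a long passphrase) comes down to keyspace accounting. The following is an added example for this page, not anything posted in the thread: it models the cost of a random policy string versus a word-based passphrase when the attacker already holds a composite multi-language dictionary, and shows how a fixed doubling of attacker throughput erodes that margin over time. The guessing rate, the doubling period and the 20-million-word dictionary size are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed offline guessing rate against a fast unsalted hash. Not a figure
# from the thread; adjust to your own threat model.
GUESSES_PER_SEC = 1e9


def bits_random(charset_size: int, length: int) -> float:
    """Keyspace of a uniformly random string, in bits."""
    return length * math.log2(charset_size)


def bits_passphrase(n_words: int, attacker_dictionary: int) -> float:
    """Keyspace of n words the attacker must search in a dictionary of the
    given size. The language of the words does not enter: if the attacker's
    composite dictionary already contains them, Korean words cost exactly
    what English words cost. Only the word count and the dictionary size
    the attacker must cover matter."""
    return n_words * math.log2(attacker_dictionary)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SEC) -> float:
    """Wall-clock years to try the whole keyspace at `rate` guesses/s."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def bits_remaining(bits: float, years: float, doubling_years: float = 2.0) -> float:
    """If attacker throughput doubles every `doubling_years`, every period
    costs the defender one bit of effective margin."""
    return bits - years / doubling_years


def scenarios(attacker_dictionary: int = 20_000_000) -> dict:
    """Constructed comparison: the thread's 9-character corporate policy
    example against word-based passphrases, assuming an 80-language
    composite dictionary of tens of millions of words on the attacker side."""
    return {
        "policy 'WH02&df1G' (9 printable)": bits_random(95, 9),
        "4 English words, attacker has all languages": bits_passphrase(4, attacker_dictionary),
        "4 Korean words, attacker has all languages": bits_passphrase(4, attacker_dictionary),
        "8 words (~42 chars)": bits_passphrase(8, attacker_dictionary),
    }


if __name__ == "__main__":
    for label, bits in scenarios().items():
        print(f"{label:48s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits):.3g} years now, "
              f"{bits_remaining(bits, 10):.1f} bits left in 10 years")
```

Two things fall out of the numbers: the two 4-word lines are identical, which is waterside's point that a different language buys nothing once it is in the attacker's dictionary, and adding a word adds roughly log2(dictionary) bits while a doubling attacker only removes one bit per period, which is why "use the maximum length available" beats arguing about any particular fixed length.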

waterside
Posts: 32
Joined: Mon Sep 27, 2004 8:07 pm

#10 Post by waterside » Wed Apr 06, 2005 9:51 pm

Kenn wrote: The counterargument to that is, what kind of security scheme can you build that is guaranteed to be unbreakable in x-years time, and why is it better NOT to use a scheme that is more-effective NOW, for the sole reason that it may no-longer be effective years later?
This is exactly why I didn't say it wasn't valid.

Any true CISSP would indicate that you should always use a passphrase as long as the technology permits with the most practical complexity. They would not give an actual length such as is given here.
What you suggest almost sounds like, "Regardless of how effective a 40-character passphrase may be now, you should not change your already-insecure 9-character password because in 2 years, it's possible that the 40-character passphrase will no longer be secure."
PLEASE do NOT put words in my mouth. I didn't even suggest this and you're just pulling this one out of the air.

On the contrary - I don't think you should consider a specific limit (as specified by this article) but rather you should always use the maximum available. Regardless of how long it may be it will always become obsolete but using the max will delay this and make it just a wee bit harder for the time being.
Another salient point is that you mention "nobody 'should' be using passwords shorter than 8 characters," but how closely is this followed in real life, and what are the increasing costs of people being more likely to forget longer, "more random" sequences?
It isn't followed in real life largely because short useless passwords are still accepted by default and there is absolutely no attempt on the part of the world's largest vendor of desktop "OS" (the quotes are intentional) to educate or guide the public. Rather, they choose to continue to distribute perhaps the world's least secure platform out-of-the-box despite its capability of being rather sufficient security-wise when configured properly. [these aren't my words, BTW, but that's all I'll say]

On top of that, a supposed CISSP that is actually an employee of this vendor is stating that you should always use something more secure. Which is it micro$loth? Wide-open (as distributed) or secure (as recommended)? This is in fact intentional and is a direct marketing directive. It makes the platform the most appealing to the largest audience but falsely gives an impression that micro$loth focuses on security.
The last two corporate environments I've worked in still have a policy of requiring "passwords greater than 8 characters, which may not be dictionary words, and which much contain at least one numeric character for every 4 alpha characters, and one symbol," and they usually include examples such as "WH02&df1G." And they must be changed semi-monthly. Yeah...right. Just sounds like a great way to stick it to employees and the IT department at the same time. This commonplace policy is the kind he says passphrases would be better-suited for, and whatever qualms you have against defaults, it's not exactly Microsoft's fault that companies still recommend the prior method.
I'm an engineer in a corporation with over 300,000 win* desktops and over 10,000 win* servers. Many companies haven't enabled or enforced longer passphrases for many reasons: product support; in-house engineering and in-house support; vendor-support (believe it or not there are issues with using long passphrases that even micro$loth has not yet addressed). On top of it, most financial corporations have found that depending entirely on micro$loth products does not sufficiently meet mandated (federal and other regulatory) security policies and it is the additional products that cause additional issues.

Without true vendor support for strong security progress will be very slow - THAT is my point. Until micro$loth really takes security seriously and becomes a driving force the world's primary desktop platform will always be insecure. When a vendor is still delivering a platform that will accept "hell0" as a valid password out-of-the-box nearly six years after support for more complexity was provided there's a problem.

JaneL
Admin
Posts: 4995
Joined: Thu Apr 15, 2004 4:40 am
Location: Greenville SC

#11 Post by JaneL » Wed Apr 06, 2005 10:42 pm

>the world's largest vendor of desktop "OS" (the quotes are intentional)

>Which is it micro$loth? Wide-open (as distributed) or secure (as recommended)?

OK, now, ratchet down the rhetoric a notch please.
Jane
2015 X1 Carbon, ThinkPad Slate, T410s, X301, X300, X200 Tablet, T60p, HP TouchPad, iPad Air 2, iPhone 5S, IdeaTab A2107A, Yoga 3 Pro
Bill Morrow's thinkpads.com Facebook group
I'm on Twitter

I do NOT respond to PM or e-mail requests for personal tech support.

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA

#12 Post by Kenn » Thu Apr 07, 2005 12:11 am

waterside wrote: Length and complexity are key but using alternate languages does not increase complexity at all.
This is all true, especially in the light of my previous post. But there's certainly no harm in typing in a foreign language, especially if a concern is someone trying to peep over your shoulder ;)

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA

#13 Post by Kenn » Thu Apr 07, 2005 1:05 am

In essence, we're pretty much in agreement about the main point: with our current system, longer is better. I'll just address a few of the minor details.
waterside wrote: PLEASE do NOT put words in my mouth. I didn't even suggest this and you're just pulling this one out of the air.
Sorry, I worded it very carefully as not to do that. My point is just that from your post, it's easy to misconstrue your argument - I'm not saying that using long sequences is a new idea, just that average users don't know there's an easy-to-remember way to reach that level of effectiveness without adopting some bizarre and nonintuitive leet-script. It's a psychology issue, more akin to "breaking set" than anything else, and it's one that corporate IT departments have also been slow to pick up on.
It isn't followed in real life largely because short useless passwords are still accepted by default and there is absolutely no attempt on the part of the world's largest vendor of desktop "OS" (the quotes are intentional) to educate or guide the public...
True, but I don't recall Apple or anyone else actively campaigning for passphrases over obscure >8-char alphanumeric strings either. In the end, regardless of our opinions of this developer or that, the problem isn't just in one person's backyard, from what I've seen it's in everybody's.

From what I can tell, the rest of the thread goes into this important, but ultimately tangential issue. I'll certainly give that if you work in an environment where your desktop networking domain does not support a character set complete or long enough to use as an effective passphrase, then yes, you're stuck, whoever's fault it is. But this wasn't the issue the article was trying to address.

The vast majority of users in corporate america and business in general log into standard Windows domains (or even workgroups) and have no technical barrier to using long passphrases to access their desktop and files. The only issue for them is knowledge - that IT departments continue to advocate alphanumeric strings of "at least 8 characters, + numbers, etc.," whereas simply letting people know that passphrases without arcane symbols and spellings can be orders of magnitude more secure by virtue of pure length, and easier to remember to boot, would have a huge impact on password security at that most-important user level.

I believe that couching the basic "longer is better" philosophy in a way that IT depts can get regular users to actually employ, and employ without increasing errors or trouble tickets, is the ultimate, and most useful point of the article.
