Is the password dead?

In a previous blog post I talked about account lockout tools... and quite rightly it was pointed out by Drew that one potential drawback is that people can use the lockout feature as a denial of service (DoS) attack. When you decide on your password policies, part of the job is to weigh up the pros and cons of the various features (complex passwords, account lockouts, expiring passwords etc.) and work out what is best for you.

Bill Gates was recently quoted at the IT Forum conference in Copenhagen as saying that smart cards and 64-bit computing are the future of IT (an article can be found here). Does this mean that the password is dead?

Drew's point raises the question of how complex you should make your passwords: if you are not using account lockouts, what can you do to help prevent people from brute forcing your passwords? One suggestion is the use of pass phrases. For those of you that aren't familiar with pass phrases, the main differences between a password and a pass phrase are the length (pass phrases tend to be much longer) and that phrases often contain spaces. For example:

A password might be: P@ssw0rd!

A pass phrase might be: This is a long and complex pass phrase

The brute force tools tend to struggle with longer passwords: more characters mean more possible combinations. Be aware, though, that some tools are database driven and may contain specific combinations of words and characters, so using the phrase 'this is my password' or the golden oldie 'let me in' might not be such a good idea. You may laugh, but over the years I have come across many such examples of 'clever' passwords that have merrily (and quickly) fallen foul of the brute force tools.
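To make the two points above concrete (length grows the search space, but a long phrase that sits in a cracker's wordlist gains nothing from its length), here is a small assessment script. It is an added example, not code from the original post or from any Microsoft tool; the `COMMON_PHRASES` set is a constructed stand-in for a cracker's database, and the 60-bit threshold is an assumption chosen for illustration.

```python
import math
import string

# Constructed stand-in for the word/phrase database a cracking tool might
# carry. Hypothetical list for this example only, not taken from any real tool.
COMMON_PHRASES = {
    "this is my password",
    "let me in",
    "password",
    "p@ssw0rd!",
}

# Assumed policy threshold: below this many bits of exhaustive-search work
# we call the secret weak. Pick your own figure for a real policy.
MIN_BRUTE_FORCE_BITS = 60


def charset_size(secret: str) -> int:
    """Size of the union of the obvious character classes present in the secret.

    This is the alphabet an exhaustive brute-force search would have to
    assume once it knows which classes the policy permits.
    """
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation for c in secret):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in secret:
        size += 1
    return size


def brute_force_bits(secret: str) -> float:
    """log2 of the keyspace: length * log2(alphabet) is the 'more characters,
    more combinations' effect from the post, expressed in bits."""
    size = charset_size(secret)
    return len(secret) * math.log2(size) if size else 0.0


def in_wordlist(secret: str) -> bool:
    """Case- and whitespace-insensitive lookup against the constructed database.
    A phrase found here is cracked in one guess regardless of its length."""
    normalized = " ".join(secret.lower().split())
    return normalized in COMMON_PHRASES


def assess(secret: str) -> dict:
    """Combine both checks: length helps only if the phrase is not a known one."""
    bits = brute_force_bits(secret)
    listed = in_wordlist(secret)
    return {
        "length": len(secret),
        "charset": charset_size(secret),
        "brute_force_bits": round(bits, 1),
        "in_wordlist": listed,
        "weak": listed or bits < MIN_BRUTE_FORCE_BITS,
    }


if __name__ == "__main__":
    for candidate in (
        "P@ssw0rd!",
        "this is my password",
        "let me in",
        "This is a long and complex pass phrase",
    ):
        print(f"{candidate!r}: {assess(candidate)}")
```

Running it shows the post's point in numbers: 'this is my password' scores roughly 90 bits of brute-force work, far above the nine-character password, yet it is flagged weak because a dictionary-driven tool finds it immediately, while the 38-character pass phrase is both long and absent from the list.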

I found a really useful set of articles I suggest you read in the security section of TechNet by Jesper M. Johansson, Ph.D., ISSAP, CISSP, Security Program Manager, Microsoft Corporation:

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3

The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3

The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3

Otherwise, I would really like to find out from you how much you know about what is available on TechNet. Many people I speak to just do not know that articles like this, and even the TechNet Flash and Security newsletters, are available. In fact I will do a blog posting on it now!

Enjoy!

Comments

  • Anonymous
    January 01, 2003
    Steve Lamb
  • Anonymous
    December 30, 2004
    Good article - it's amazing how few people use or have even heard of PASSPHRASES!
  • Anonymous
    December 30, 2004
    Well, there is no perfect solution at all in this world on anything, even though someone is always looking for it. It is just like another "You can't have fish and bear palm at one time" (Chinese slang).

    Everything you need to balance. For most of cases, password lock out is still working to those organizations that don't have that much chance to get this DoS attack, but for others, not using it may be better. If that happens the only way to still make sure you are secure seems to be giving more complex password or pass phrase.

    By the way, pass phrase is really a good idea to enhance the power of password. However, you need to balance it as well. Not everyone can type such long characters into the password fields.
  • Anonymous
    December 30, 2004
    Kent,

    Another big point to your comment about the use of pass phrases is that some (mainly legacy) systems are very limited in the number of characters you can use: Windows 95 is limited to 14 chars for example.

    Keep it coming.

    Bruce