What's a strong password .. really ?

  • The reason for the 14-character password in Windows things comes down to the old LanManager password hashes Microsoft used to use, which would split the password into two 7-character chunks and hash them separately. It was a lot easier to crack each 7-character chunk independently than to do the whole 14-character one!

    Modern Windows tends to keep these old hashes for backwards compatibility reasons, but if you choose a password longer than 14 characters, it doesn't calculate the LM hash properly and so there's no risk of someone brute-forcing even part of your password.

  • Paul - thanks for that. I had a feeling it was something Windowy and technical - I was just trying to get "more than 14 characters" into my head.

  • paul.knibbs (5/20/2009)

    The reason for the 14-character password in Windows things comes down to the old LanManager password hashes Microsoft used to use, which would split the password into two 7-character chunks and hash them separately. It was a lot easier to crack each 7-character chunk independently than to do the whole 14-character one!

    Thanks Paul, that's interesting and useful to know.

    paul.knibbs (5/20/2009)

    Modern Windows tends to keep these old hashes for backwards compatibility reasons, but if you choose a password longer than 14 characters, it doesn't calculate the LM hash properly and so there's no risk of someone brute-forcing even part of your password.

    So this is still true in current versions then, including Windows Server?

    Tim

    .

  • While all these accounts are good for user passwords, you may want to consider a truly random and long password for service accounts and 'sa'. Anytime we install a new instance, we generate a long random 'sa' password and lock it in a secure file/location.

    Gaby
    ________________________________________________________________
    "In theory, theory and practice are the same. In practice, they are not."
    - Albert Einstein

  • So this is still true in current versions then, including Windows Server?

    Tim

    By default, it is in 2000 and 2003. Not sure about 2008:

    http://support.microsoft.com/kb/299656

  • Tim Walker (5/20/2009)

    RBarryYoung (5/19/2009)

    What's a strong password .. really ?

    "Rumpelstiltskin". Definitely. 😀

    That made me chortle, we clearly have similar senses of humour (or some might say lack of it!) 😛

    Tim

    In my more mischievous youth (university), I cracked two email passwords of some friends. One was a former U.S. marine, and on a lark, I typed in 'oorah', their (un?)official yell. I got in. Sometimes it's just that easy.

    Gaby
    ________________________________________________________________
    "In theory, theory and practice are the same. In practice, they are not."
    - Albert Einstein

  • Gaby Abed (5/20/2009)

    Anytime we install a new instance, we generate a long random 'sa' password and lock it in a secure file/location.

    You mean 'sa' should have a password.....?

    :hehe:

  • Ten Windows Password Myths

    http://www.securityfocus.com/infocus/1554

  • Nice link! I learned a few things.

  • Michael Valentine Jones (5/20/2009)

    Ten Windows Password Myths

    http://www.securityfocus.com/infocus/1554

    Thanks Michael, there are a few nuggets in there...

    Tim

    .

  • Ewan Hampson (5/20/2009)

    ... He also said that at conferences - even at IT security conferences - people often leave their laptops unattended long enough for their login passwords to be hacked by this method (and we didn't get more details - probably just as well).

    I think that you should take this with a grain of salt. The real threat to a laptop that is unattended for a few minutes isn't that some sophisticated hacker will jump on it and manage to crack your password, it's that anyone with two legs and a lack of ethics will pick it up and walk away.

    -- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
    Proactive Performance Solutions, Inc.
    "Performance is our middle name."

  • Gaby Abed (5/20/2009)

    In my more mischievous youth (university), I cracked two email passwords of some friends. One was a former U.S. marine, and on a lark, I typed in 'oorah', their (un?)official yell. I got in. Sometimes it's just that easy.

    I did a project a while back for a mineral exploration company. The big boss there asked me to try and crack passwords, to see how secure they were (sensitive data).

    I found three people with the password 'geology'.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • RBarryYoung (5/20/2009)

    Ewan Hampson (5/20/2009)

    ... He also said that at conferences - even at IT security conferences - people often leave their laptops unattended long enough for their login passwords to be hacked by this method (and we didn't get more details - probably just as well).

    I think that you should take this with a grain of salt. The real threat to a laptop that is unattended for a few minutes isn't that some sophisticated hacker will jump on it and manage to crack your password, it's that anyone with two legs and a lack of ethics will pick it up and walk away.

    True. And he didn't say he'd done it, just that the window of opportunity was there. Though there might be more commercial gain in determining the password for later use, leaving the laptop as it was, and tiptoeing quietly away.

  • You're right about the weakest link being the human. An eminently forgettable password is no use.

    My favorite mnemonic method is to take a quote, e.g. "To be or not to be, That is the question."

    With a few obvious substitutions, this converts naturally to the following inscrutable password:

    "2bon2b,Titq."

    (That is not my password, BTW!).

    When a password expires, I either pick another sentence or tweak some of the special characters.

    On the topic of raising awareness of the importance of password strength, I heard of a place where the sysadmin regularly ran a password cracking program. Those people with passwords which he couldn't break got an honorable mention!

    Mark Dalley

  • The way I like to make a password is to combine first and last names.

    John Smith becomes sJmoihtnh. Capitalize, as needed.

    Can be hard to remember, but is easy to refigure.
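    The two mnemonic schemes described in the last two posts (Mark Dalley's quote method and the name-interleaving method), written out as an added example that is not part of the thread. The substitution table only contains "to" -> "2" and "be" -> "b" from the post; the remaining entries, the function names and the `derived_from_name` policy check (which an administrator could run at password-change time to reject passwords that are just a rearrangement of the account holder's own name) are assumptions made for this example.

```python
"""Added example (not posted in the thread): the two mnemonic password schemes
discussed above, plus a defender-side check for the weaker one.

1. quote_to_password: first letter of every word of a quote, a few obvious
   substitutions, punctuation kept.  "To be or not to be, That is the question."
   -> "2bon2b,Titq."
2. interleave_names: weave the letters of a last name and a first name.
   John Smith -> sJmoihtnh
3. derived_from_name: policy check that rejects a password which is only an
   interleaving of the account holder's names, since those are public data.
"""
import re

# Constructed substitution table.  Only "to" -> "2" and "be" -> "b" are implied
# by the post; the rest are common extensions assumed for this example.
SUBSTITUTIONS = {
    "to": "2", "too": "2", "two": "2",
    "be": "b",
    "for": "4", "four": "4",
    "you": "u", "are": "r",
    "and": "&", "at": "@",
    "one": "1",
}

# A word followed by whatever punctuation is glued to it ("be," -> ("be", ",")).
_WORD = re.compile(r"([A-Za-z0-9']+)([^A-Za-z0-9'\s]*)")


def quote_to_password(quote: str) -> str:
    """Turn a memorable sentence into a password: substitution if the word is in
    the table, otherwise its first letter (case preserved), then its punctuation."""
    out = []
    for word, punct in _WORD.findall(quote):
        out.append(SUBSTITUTIONS.get(word.lower(), word[0]))
        out.append(punct)
    return "".join(out)


def interleave_names(first: str, last: str) -> str:
    """Alternate the letters of the last name (lower-cased) and the first name,
    starting with the last name; leftover letters of the longer name are appended.
    interleave_names("John", "Smith") == "sJmoihtnh"."""
    a, b = last.lower(), first
    out = []
    for i in range(max(len(a), len(b))):
        if i < len(a):
            out.append(a[i])
        if i < len(b):
            out.append(b[i])
    return "".join(out)


def derived_from_name(password: str, first: str, last: str) -> bool:
    """Assumed policy check: True when the password is an interleaving of the
    user's names in either order, compared case-insensitively.  Anyone who knows
    the scheme and the user's name can reproduce such a password directly."""
    candidates = {
        interleave_names(first, last).lower(),
        interleave_names(last, first).lower(),
    }
    return password.lower() in candidates


if __name__ == "__main__":
    print(quote_to_password("To be or not to be, That is the question."))  # 2bon2b,Titq.
    print(interleave_names("John", "Smith"))                               # sJmoihtnh
    print(derived_from_name("sJmoihtnh", "John", "Smith"))                 # True
    print(derived_from_name("2bon2b,Titq.", "John", "Smith"))              # False
```

    The quote method keeps the secret in the choice of sentence, which is why the post suggests picking a new sentence when the password expires; the interleaving method has no secret input at all once the scheme is known, which is what the policy check flags.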
