In a previous blog post I talked about account lockout tools... and quite rightly it was pointed out by Drew that one potential drawback is that people can use the lockout feature as a denial of service (DoS) attack: deliberately failing logins against a target account locks the legitimate user out. When you decide on your password policies, part of the job is to weigh up the pros and cons of the various features (complex passwords, account lockouts, expiring passwords etc.) and work out what is best for you.
Bill Gates was recently quoted at the IT Forum conference in Copenhagen as saying that smart cards and 64-bit computing are the future of IT (an article can be found here). Does this mean that the password is dead?
Drew's point raises the question of how complex your passwords should be: if you are not using account lockouts, what can you do to make brute forcing them harder? One suggestion is the use of pass phrases. For those of you who aren't familiar with pass phrases, the main differences between a password and a pass phrase are length (pass phrases tend to be much longer) and that phrases often contain spaces. For example:
A password might be: P@ssw0rd!
A pass phrase might be: This is a long and complex pass phrase
Brute force tools tend to struggle with longer passwords. More characters mean more possible combinations, and the search space grows exponentially with length, so a few extra characters buy far more than a few extra symbols. Be aware, though, that some tools are dictionary driven and ship with specific combinations of words and characters, so using the phrase 'this is my password' or the golden oldie 'let me in' might not be such a good idea. You may laugh, but over the years I have come across many such examples of 'clever' passwords that have merrily (and quickly) fallen foul of the brute force tools.
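To put numbers on that, here is an added Python example (not code from the original post) that estimates the search space an attacker faces under three attack models: character-by-character brute force over the detected alphabet, combining words from a wordlist, and a straight lookup in a list of well-known phrases. The guess rate, the wordlist size and the phrase list are constructed assumptions for illustration; the attacker is assumed to pick whichever model is cheapest.

```python
import math
import string

# Assumed attacker guess rate (constructed figure, not from the post).
GUESSES_PER_SECOND = 1e9

# Constructed stand-in for the phrase list a dictionary-driven cracker ships
# with; real tools carry far more entries.
KNOWN_PHRASES = {
    "let me in",
    "this is my password",
    "open sesame",
    "password",
}

# Assumed size of the common-words list an attacker combines words from.
WORDLIST_SIZE = 10_000


def charset_size(secret: str) -> int:
    """Size of the smallest obvious alphabet covering every character.

    This is the alphabet a brute forcer that enumerates by character
    class has to search.
    """
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation for c in secret):
        size += len(string.punctuation)  # 32 ASCII symbols
    if " " in secret:
        size += 1
    return size


def brute_force_bits(secret: str) -> float:
    """log2 of the keyspace for exhaustive search over the detected alphabet."""
    return len(secret) * math.log2(charset_size(secret))


def word_combination_bits(secret: str, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Keyspace if the attacker guesses space-separated dictionary words.

    Returns inf when some token is not a plain alphabetic word (digits or
    symbols present), i.e. when this attack model does not apply.
    """
    words = secret.split()
    if not words or not all(w.isalpha() for w in words):
        return math.inf
    return len(words) * math.log2(wordlist_size)


def phrase_list_bits(secret: str, known_phrases=KNOWN_PHRASES) -> float:
    """Cost if the phrase is simply looked up in the cracker's phrase list."""
    if secret.lower() in known_phrases:
        return math.log2(len(known_phrases))
    return math.inf


def effective_bits(secret: str) -> float:
    """The attacker uses the cheapest applicable attack, so take the minimum."""
    return min(
        brute_force_bits(secret),
        word_combination_bits(secret),
        phrase_list_bits(secret),
    )


def crack_time_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to search half the space at the assumed guess rate."""
    return (2 ** bits) / 2 / rate


if __name__ == "__main__":
    for s in ["P@ssw0rd!", "This is a long and complex pass phrase", "let me in"]:
        bits = effective_bits(s)
        print(
            f"{s!r}: brute {brute_force_bits(s):.1f} bits, "
            f"words {word_combination_bits(s):.1f}, "
            f"phrase list {phrase_list_bits(s):.1f} -> "
            f"effective {bits:.1f} bits, ~{crack_time_seconds(bits):.3g} s"
        )
```

Running it shows the shape of the argument: the nine-character password sits near 59 bits; the 38-character phrase is over 200 bits against brute force but drops to roughly 106 bits once the attacker assumes it is eight dictionary words; and 'let me in' collapses to a two-bit lookup because it is already in the phrase list.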
I found a really useful set of articles in the security section of TechNet, by Jesper M. Johansson, Ph.D., ISSAP, CISSP, Security Program Manager, Microsoft Corporation, which I suggest you read:
The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3
The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3
The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3
Otherwise, I would really like to find out from you how much you know about what is available on TechNet. Many people I speak to just do not know that articles like this, and even the TechNet Flash and Security newsletters, are available. In fact I will do a blog posting on it now!
Good article - it's amazing how few people use or have even heard of PASSPHRASES!
Smart cards are indeed the future! I already had customers where you can only log in with smart cards. The problem with smart cards is that they can become faulty. So this is not really an option for home use.
Smart cards are very useful, and having your private key with you in your wallet is also very handy at times.
I have one super duper secret password. Nobody knows it and I only use this password for certain data and where I know that the environment is secure. Then I have a regular password and a regular password with an extension for password cycles. At home I use Passwordsafe for web passwords.
I think I am even one of the few home users that has a lot of data stored encrypted. My regular password is stored at home on paper. If I die, then people can still access my files except for my super duper safe password. I will definitely take this with me into my grave. I sure hope I won't suffer from dementia when I get older :-)
There is a flaw with smart cards (at least in my understanding of them): they can be stolen. A password (phrase) that is not written down cannot be stolen without something extreme like torture.
Well, there is no perfect solution at all in this world to anything, even though someone is always looking for it. It is just like another "You can't have fish and bear's paw at the same time" (Chinese saying).
Everything needs to be balanced. For most cases, password lockout still works for those organizations that don't have much chance of getting this DoS attack, but for others, not using it may be better. If that happens, the only way to still make sure you are secure seems to be using a more complex password or pass phrase.
By the way, a pass phrase is really a good idea to enhance the power of a password. However, you need to balance it as well. Not everyone can type such long strings of characters into the password fields.
Another big point to your comment about the use of pass phrases is that some (mainly legacy) systems are very limited in the number of characters you can use: Windows 95 is limited to 14 chars for example.
Keep it coming.
Robert Hensing had a couple of blog posts about pass phrases, too. Hope it's OK to post links to those in my comment.
Brant: One of the beauties of smartcards is that they can offer 2 factor auth. They rely on something you have (the physical card) and often also on something you know (your PIN). If someone steals my smartcard for work it means they also stole the cardkey that gets me into the buildings on campus and my bus pass which would upset me a little, but the card alone won't get anyone into my account so I don't have to worry about the thief leaking Windows source code or internal email to the world. The thief would have to steal my smartcard and then still need to torture me to whatever extreme necessary. That would upset me even more than losing my bus pass.