Robert Hensing's Blog

Software Security . . . and stuff.


Why you shouldn't be using passwords of any kind on your Windows networks . . .


Edited 10/18/2004:
This blog has gained far more attention than I could have ever imagined when I decided to create a small personal blog devoted to security incident response.  I never imagined my first ever post would be as controversial or as widely published / linked as it has become!

Over the weekend links to this blog post were sent to W2KNews and full-disclosure and I'm getting inundated with questions / comments and requests for the spreadsheet I referred to in my original post.

Given the overwhelming feedback from the readers I have decided to work with the right people internally to get pass-phrases documented in more formal / authoritative guidance up on the Microsoft web site.  As we work to document this guidance I imagine that the spreadsheet I referred to in my original post will be made available as part of that future guidance for all to download.

For official Microsoft guidance on a much wider range of security topics than what you'll find here, you should visit the following url:

In addition, Jesper Johansson has published his first in a 3 part series on the topic of passwords vs. pass-phrases and I strongly encourage you all to give that a read.  Jesper was in fact the person who inspired me to consider pass-phrases and start using them and his column can be found here:

Here was my original post (with some minor technical bugs fixed. <G>):

So this is my first ever blog entry and seeing as how I'm a senior member of the PSS Security Incident Response team, you may think I've stopped taking my medication by opening with a title like the one above!  Medication issues notwithstanding, it's true - you should NOT be using passwords of any kind.  Why?  For starters, passwords are ridiculously easy to guess or crack.  Worms like Agobot / Phatbot / Polybot / SDBot / RBot (no I didn't write this one) all ship with dictionaries of passwords numbering in the hundreds and they can easily replicate to a system that has a password in this word list, and the miscreants are really good at keeping these wordlists up to date with passwords that they've cracked from other systems. 
As an example of what I'm talking about check out Symantec's write-up of this little nasty that we encounter on my team just about every day:

Worse still, attackers (either automated or human) don't even need to GUESS the password.  There are hacking tools a-plenty that will let a miscreant sniff your network traffic to scoop out authentication material for the LM, NTLM and Kerberos protocols and then brute-force that material back into a working password.  Sure you can protect the network with segmentation, encryption (IPSec etc.) and even 802.1x and I'm a big fan of all of these concepts, but really they just work around an issue that you still need to address: the inherent vulnerability in your network, which is the password.

Ignoring the network for a second, what happens if an attacker gains physical access to a machine on your network with elevated priv's?  Well they can dump all of the password hashes to a .txt file and then through the magic of pre-computation can 'look up' the password corresponding to that password hash in *seconds* and they can do this for all hashes they obtain.  Lots of 'security consultants' like to terrorize our customers by doing penetration tests, sniffing some network authentication exchanges, cracking the easily determined passwords, then gaining access to a DC, dumping out all of the password hashes and then cracking most if not all of those using rainbow tables and then using that as evidence you should switch to Linux! (bah!)
Pre-computation attacks are a somewhat new and interesting phenomenon we are starting to encounter 'in the wild' through chainsaw security consultants.  What they do is they pre-compute all of the possible LM or NT password hashes of a given length with a given character set and burn the pre-computed password-hash-to-password-mappings to DVD.  Heck they can even submit their request to have your password hash reversed back into a password using a web page someone has set up to do the job for you (sorry, not going to give out THAT URL here.) . . . for free!

So with all of these highly successful, highly effective attacks on passwords (dictionary attacks, brute-force attacks, pre-computation attacks) I've come to the conclusion that there is simply too much risk associated with passwords and that users of Windows should simply stop using them to avoid this risk.

Problem solved right?

Hopefully by now if you're in the security business I've managed to get you foaming at the mouth lunatic crazy mad!  How irresponsible is it that I as an incident response specialist for Microsoft could be recommending to our customers and readers that you do NOT use passwords anymore.  As a CISSP I have to admit it does seem to be just cause for revoking my membership, but I of course used this ploy to get your attention and keep you reading.

“Where is he going with this?”

So here's the deal - I don't want you to use passwords, I want you to use pass-PHRASES.  What is a pass-phrase you ask?
Let's take a look at some of my recent pass-phrases that I've used inside Microsoft for my 'password'.
“If we weren't all crazy we would go insane” (Jimmy Buffett rules)
“Send the pain below!” (I like Chevelle too)
“Mean people suck!” (it's true)

So why are these pass-phrases so great?
1.  They meet all password complexity requirements due to the use of upper / lowercase letters and punctuation (you don't HAVE to use numbers to meet password complexity requirements)
2.  They are so freaking easy for me to remember it's not even funny.  For me, I find it MUCH easier to remember a sentence from a favorite song or a funny quote than to remember 'xYaQxrz!' (which b.t.w. is long enough and complex enough to meet our internal complexity requirements, but is weak enough to not survive any kind of brute-force password grinding attack with say LC5, let alone a lookup table attack).  That password would not survive sustained attack with LC5 long enough to matter so in my mind it's pointless to use a password like that.  You may as well just leave your password blank.
3.  I dare say that even with the most advanced hardware you are not going to guess, crack, brute-force or pre-compute these passwords in the 70 days or so that they were around (remember you only need the password to survive attack long enough for you to change the password).

Fact:  Did you know that Windows 2000 based operating systems support pass-PHRASES of up to 127 characters including spaces, and unicode characters like this --> ?
Fact:  Did you know that even the most efficient form of password cracking (pre-computation using Sarca rainbow tables) breaks down and becomes infeasible for most attackers at around 10 characters (I've seen the math to prove it) and at 14 characters or more Excel can't even display a number big enough to show how long it would take to pre-compute / look-up a 14 character password (so I'm assuming this would safely rule out dedicated government agencies with unlimited hardware budgets <G>).

Now, looking at my first easy to remember (for me) pass-phrase listed above we see that it's 42 characters.  I could type that 3 times in a row as my password and still not exceed the buffer allocated for my password in Windows!  So . . . why is this password so great?

1.  It prevents the LM hash from being stored (LM password hashes are stored by default on all of our operating systems, even WS2003 for backwards compatibility reasons).  The LM hash is no longer cryptographically secure and takes only seconds to crack with most tools.
2.  It's easy to remember - I don't have to write it down.
3.  Since it's 42 characters long it will never be found in a simple word-list and thus can't be guessed with even the largest dictionary files.
4.  Since it's 42 characters long, it's physically impossible to pre-compute the password hash -> password mappings and store them in any reasonably attainable amount of disk space / RAM (I can't even tell you how many petabytes it would be because Excel barfs when I try to make it tell me, it can't calculate a number that big <G>).
5.  Since it's 42 characters long it would take an extremely long time to brute-force that back into the original password using all possible number / letter / special character combinations (think of a pre-computation attack as a brute-force attack, only you save the results of all of the brute-force attempts to a database for use in future attacks).

Do you see a pattern here?  Pass-phrase LENGTH, not complexity defeats these attacks.  Short, but complex passwords should be shunned as they are not truly secure anymore and you are deceiving yourself if you think they are.  Long pass-phrases (14 characters or more) are the future (along with 2-factor or more authN, but that's another blog for another day) and are the only way to go if you want to ensure that you won't get hacked via any type of password based attack of any kind.

Given how easy it is to remember a sentence as opposed to random numbers and letters strung together and how much more safe it is - why are IT companies still using weak 10 character or less passWORDS that users can't remember and write down or forget which leads to password theft and helpdesk call volume?  Why aren't IT companies dictating 20 character password minimums (which all but forces you to use a pass-phrase) and educating users about Windows 2000 and later OS's 127 character password prowess?  Why aren't IT companies telling everyone, users and admins alike to use easy to remember sentences and phrases as passwords?

Simple - no one knows this stuff.  This is, unfortunately, one of Microsoft's best kept secrets (127 character password limit on Windows 2000 and later based OS's) and we've done very little to change the flawed mindset around short passwords.

(Amusing side-note - did you know that Windows 2000 was originally supposed to support 256 character passwords?  Apparently the design spec back in the day called for 256 characters to be supported and the developer dutifully allocated a 256 byte array . . . but they failed to realize that double-byte character sets would need to be supported for far-east languages thus effectively halving the length of the password since it takes 2 bytes to represent each character . . . doh!).

Well the secret is secret no more - the word is out!  Now go change your password policy and do it quickly . . . or you'll be opening a support incident with my team soon and I'll be telling you all of this on the phone after I figure out your password policy was easily subverted by an automated worm that copied itself to your server via your exposed admin shares.

Robert Hensing - Microsoft PSS Security Team
Personal PGP Key ID: 0x87CEA167
Personal PGP Key Fingerprint: 6533 4075 7E87 9D32 8A10 742D B120 7C68 87CE A167
Team PGP Key ID: 0xEB722C4B
Team PGP Key Fingerprint: 1781 923A 0405 8F6A 31B7 EEFD 9A13 6A28 EB72 2C4B
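
The arithmetic behind the length argument in the post above, as an added example that is not part of the original post: it computes the keyspace, a naive hash-to-password table size and the exhaustive-search time for a given character set and length, and shows why a stored LM hash is the weak link. The 95-character set, the guess rate and all function names are assumptions chosen for illustration; the LM properties used (input uppercased, two independent 7-character halves, nothing usable beyond 14 characters) are standard facts about that hash rather than figures from the post.

```python
# Added example: keyspace arithmetic for the "length, not complexity" argument.
# Assumed for illustration (not from the post): charset sizes, guess rate.
PRINTABLE = 95             # printable ASCII, space included
LM_CHARSET = 69            # LM uppercases input: 95 minus 26 lowercase letters
NT_HASH_BYTES = 16         # an NT hash is a 16-byte MD4 digest
GUESSES_PER_SEC = 10**9    # constructed attacker speed
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset: int, length: int) -> int:
    """Candidate passwords of exactly `length` characters."""
    return charset ** length


def lm_keyspace(charset: int = LM_CHARSET) -> int:
    """LM hashes two 7-character halves independently, so an attacker
    runs two searches of charset**7 rather than one of charset**14."""
    return 2 * charset ** 7


def lm_hash_possible(passphrase: str) -> bool:
    """LM covers at most 14 characters; longer input has no usable LM hash."""
    return len(passphrase) <= 14


def full_table_bytes(charset: int, length: int) -> int:
    """Naive lookup table: one (hash, password) row per candidate.
    Rainbow tables trade this storage for lookup time; this is the upper bound."""
    return keyspace(charset, length) * (NT_HASH_BYTES + length)


def years_to_exhaust(space: int, rate: int = GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("xYaQxrz!", "Mean people suck!",
               "If we weren't all crazy we would go insane"):
        n = len(pw)
        print(f"{n:2d} chars  LM hash possible: {lm_hash_possible(pw)!s:5}  "
              f"NT search: {years_to_exhaust(keyspace(PRINTABLE, n)):.3g} years")
    print(f"LM search: {years_to_exhaust(lm_keyspace()) * SECONDS_PER_YEAR:.0f} s")
```
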

  • and every time I need to authenticate just type 42 characters?

  • Great article!

    So far I've been using Password Minder created by Keith Brown to keep all my passwords. It helps me generate passwords 75 chars long. But so far almost all of the e-commerce Web sites I use have a limit for passwords to about 8-10 characters.

    I just hope they'll all hear your call!

  • I type extremely fast (80wpm) so for me typing a 42 character sentence when I get challenged isn't all that hard or difficult. I realize not everyone would enjoy a pass-phrase that extreme - but how hard is it to type 'Mean people suck!'. That's much shorter and just as secure . . . My point is to get people to use 14 character or greater passwords by using pass-phrases instead. 42 characters may seem like overkill . . . but then again I would freely give out my password hash to anyone who wanted it and challenge them to crack it with that pass-phrase. :)

    Finally - the only time I get challenged is when I logon to the domain - since we're in a domain I don't get challenged when connecting to shares or intranet sites - I auto-authenticate after I sign in.

  • (standing and clapping) great article.. I can't wait to see what else you come up with. I immediately forwarded this on to my network services department :)

  • Nice ... I have a phrase now instead of a dumb (short) mess. I thought you were going to talk about smart cards ... nice to know we don't have to change infrastructure.

  • Yes, it is a very interesting article, something I will probably be implementing in the near future.

  • The entropy of the English language is around 2.1 bits/character. Assuming that a "random" string of upper/lower/numeric characters is compared with a passphrase, one would expect a "random" password to be as effective as a passphrase 3 times as long (assuming 6 bits/character in a random password). Of course, completely random passwords are even more of a pain than passphrases.

    I would suggest a lower limit of 20-25 characters on passphrases.

  • sounds great....except when your network admin makes you change the pass phrase every what phrase did I use this month... I better figure it out in 3 tries so I don't get locked out.

    I would really like to see thumb readers or something like that used more..

  • Um. Am I missing something? Say this catches on... say we get everyone working with Pass-PHRASES (as you like to say), then the blackhat community simply adapt their attacks using 'word' elements instead of letter elements for the 'password', and 6 months down the line we're more vulnerable than ever before.
    These phrases are only equivalent to random passes if they continue using the same tactics... that simply isn't going to happen.
    Performing a brute-force attack using a language-dictionary (perhaps a rechristening of the term 'dictionary attack'? ha ha) would be quicker and easier than performing the same attack on a 12 letter random password, as there are now only 4 or 5 elements to the pass-PHRASE that have to be guessed (even including case-sensitivity that's not much), which would surely REDUCE security - as that's equivalent to a random password of about length 4 or 5 (even taking into account the higher number of mathematical combinations possible with words, as the patterns produced aren't 100% random (as all language obeys rules) you're going to find you're back to roughly the number of combinations used with letters).
    The only effective and 99% secure method (which isn't exactly viable at this present moment) is face-recognition, combined with lip-synced voice-signature recognition alongside a real-life spoken passphrase. Place this alongside a bluetooth-vicinity card or USB-smart card and you're getting pretty close to 100% secure.
    That's my take. What more can I say? I'm sticking with random passwords for now.
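
The two models raised in the comments above (per-character entropy of English, and guessing whole words instead of letters), worked through as an added example that is not from the post or from any commenter. The 2.1 and 6 bits/character figures are the ones quoted in the comments; the 20,000-word dictionary, the assumption that words are picked independently and uniformly at random, and all function names are assumptions made for illustration.

```python
import math

# Figures quoted in the comments; everything else here is assumed.
ENGLISH_BITS_PER_CHAR = 2.1
RANDOM_BITS_PER_CHAR = 6.0
DICTIONARY_SIZE = 20_000   # constructed size of an attacker's word list


def char_model_bits(length: int, bits_per_char: float) -> float:
    """Entropy estimate when guessing character by character."""
    return length * bits_per_char


def word_model_bits(words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Entropy estimate when guessing word by word, assuming each word is
    drawn independently and uniformly from the dictionary."""
    return words * math.log2(dictionary_size)


def equivalent_random_length(bits: float) -> float:
    """Length of a random password carrying the same number of bits."""
    return bits / RANDOM_BITS_PER_CHAR


def min_phrase_length(target_bits: float) -> int:
    """Shortest English phrase reaching target_bits under the 2.1 bits/char model."""
    return math.ceil(target_bits / ENGLISH_BITS_PER_CHAR)


def conservative_bits(phrase: str, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """An attacker picks the cheaper model, so take the smaller estimate.
    A quote from a song is not a uniform random draw and can score lower still."""
    by_char = char_model_bits(len(phrase), ENGLISH_BITS_PER_CHAR)
    by_word = word_model_bits(len(phrase.split()), dictionary_size)
    return min(by_char, by_word)


if __name__ == "__main__":
    for phrase in ("Mean people suck!",
                   "If we weren't all crazy we would go insane"):
        bits = conservative_bits(phrase)
        print(f"{len(phrase):2d} chars: {bits:5.1f} bits, about "
              f"{equivalent_random_length(bits):.1f} random characters")
    print("phrase length matching 12 random characters:",
          min_phrase_length(char_model_bits(12, RANDOM_BITS_PER_CHAR)))
```
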