So yesterday Jesper posted the final installment in his three-part series on passwords vs. pass-phrases, and while I had some issues with some of the assumptions he used to draw conclusions in his 2nd installment, I have no such issues with the conclusions he draws in the 3rd installment - it's all good and I agree with everything he says, so go read it!
Here's the landing page you should bookmark to find future articles by Jesper: http://www.microsoft.com/technet/security/secnews/newsletter.htm
Here's the URL to the latest installment itself: http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint110104.mspx
The key take-aways from his article are:
Jesper even goes into how to use Group Policy to enforce your password policy, some of the limitations inherent in Windows when it comes to enforcing password policy and how to work around those limitations (custom password filter).
The article concludes with a topic I've actually been meaning to blog about, and I passionately agree with him here too: Account lockouts are evil and I personally would never recommend they be used (IF you have a good enough password policy). Think about it: What are account lockouts used for, really? They are used to protect weak passwords! So if you fix the weak password problem, you don't really need account lockouts, right? I'll gladly let any hacker in the world pound away against my password - he's not going to guess it in the 70 days that it's used for. We don't use account lockouts here at Microsoft, but we do have ways of monitoring for excessive authentication attempts so that we can tell when accounts are being attacked. (People tend to use account lockouts as a poor-man's IDS but often don't realize the hidden costs of account lockout until after they've been hit by a worm that locks out all the accounts in the domain repeatedly, in a loop.)
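The monitoring the post prefers over account lockout can be sketched as a small detector. The following is an added example, not code from the original post or from Microsoft: it runs over a constructed set of failed-logon records (timestamp, account, source host, a simplified stand-in for the failed-logon events in the Windows Security log) and raises two kinds of alert: one account failing repeatedly in a short window, and one source host failing against many different accounts, which is the worm pattern the post mentions. The thresholds and the 60-second window are assumptions.

```python
"""Flag excessive failed authentication attempts without locking anyone out.

Added example, not code from the original post or from Microsoft. The input is
a constructed, simplified stand-in for Windows Security log failed-logon
events; the thresholds and window are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample failed-logon records: (timestamp, account, source host).
SAMPLE_EVENTS = [
    ("2004-11-02 09:00:01", "alice", "ws17"),
    ("2004-11-02 09:00:03", "alice", "ws17"),
    ("2004-11-02 09:00:05", "alice", "ws17"),
    ("2004-11-02 09:00:08", "alice", "ws17"),
    ("2004-11-02 09:00:12", "alice", "ws17"),  # 5th failure in 11 seconds
    ("2004-11-02 09:01:30", "bob", "ws03"),    # an ordinary typo
    ("2004-11-02 09:05:10", "bob", "ws03"),
    ("2004-11-02 09:10:00", "alice", "ws42"),  # one host sweeping many accounts
    ("2004-11-02 09:10:02", "bob", "ws42"),
    ("2004-11-02 09:10:04", "carol", "ws42"),
    ("2004-11-02 09:10:06", "dave", "ws42"),
    ("2004-11-02 09:10:08", "erin", "ws42"),
    ("2004-11-02 09:10:10", "frank", "ws42"),
]


def parse_events(records):
    """Turn text records into (datetime, account, source) tuples sorted by time."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, src)
              for ts, acct, src in records]
    return sorted(parsed)


def _windowed_alerts(events, group_by, measure, threshold, window):
    """Sliding-window detector.

    Events are grouped by `group_by(event)`; for each group only the events
    inside the trailing `window` are kept, and the group is reported the first
    time `measure(recent_events)` reaches `threshold`.
    Returns {group_key: time of first alert}.
    """
    recent = defaultdict(deque)
    first_alert = {}
    for event in events:
        ts, key = event[0], group_by(event)
        window_events = recent[key]
        window_events.append(event)
        while ts - window_events[0][0] > window:  # drop events older than the window
            window_events.popleft()
        if key not in first_alert and measure(window_events) >= threshold:
            first_alert[key] = ts
    return first_alert


def burst_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Accounts with >= threshold failures inside `window`: someone pounding
    on a single account. With a strong password policy this is a signal to
    watch, not a reason to lock the account."""
    return _windowed_alerts(events, lambda ev: ev[1], len, threshold, window)


def spread_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Source hosts that failed against >= threshold distinct accounts inside
    `window`: the worm-style sweep that would lock out a whole domain if
    account lockout were enabled."""
    def distinct_accounts(evs):
        return len({ev[1] for ev in evs})
    return _windowed_alerts(events, lambda ev: ev[2], distinct_accounts, threshold, window)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for account, when in burst_alerts(events).items():
        print(f"{when}: account {account} under repeated failed logons")
    for host, when in spread_alerts(events).items():
        print(f"{when}: host {host} failing against many accounts")
```

Both detectors share one sliding-window routine and differ only in what they group by and what they count, which is the point: the same failed-logon stream answers "is one account being guessed?" and "is one host sweeping the domain?" without ever denying a legitimate user service, whereas an account-lockout policy would have turned the second case into a self-inflicted outage.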
I'd like to conclude this post with some advice that I feel will help ensure you choose strong pass-phrases, so that as people start using pass-phrases they don't end up using weak ones thinking they are better than 9-character random passwords. This is important because it's just as easy to create a weak pass-phrase as it is a weak password. For example, 'Password;1' is technically a 'strong' password in terms of 'complexity requirements' (it meets all of them; I could even use this as a password here at Microsoft), but it's actually very weak and cracks almost instantly in LC5 in hybrid crack mode (where, for each word in the dictionary, it tacks random character combinations onto the end in a brute-force style attack). The same could be done with pass-phrases. For example, I'm pretty sure 'This is my password' is a weak pass-phrase, and I would not recommend using this combination of words as your pass-phrase. With that said, here are some things that can help create stronger pass-phrases.
I leave you with a parting thought that also just so happens to make a great pass-phrase (I think). :)
"But I can only show you the door, you're the one that has to walk through it" - Morpheus, The Matrix (78 characters with quotes and spaces . . . mmmmmmm entropy)
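To make the 'Password;1' point concrete, here is an added example (my own code, not from the original post or from Microsoft) that applies a simplified Windows-style complexity rule, flags the "dictionary word plus short suffix" shape a hybrid attack enumerates, and compares the size of a pure brute-force keyspace with the size of a hybrid search. The word list is a constructed handful of very common words standing in for a real cracking dictionary, the 500,000-word dictionary size and three-character suffix used in the estimate are assumptions, and the five-word minimum is a made-up threshold; the quote at the end of the post is used as the contrasting input.

```python
"""Password and pass-phrase strength checks.

Added example, not code from the original post or from Microsoft. The word
list is a constructed stand-in for a real cracking dictionary and every
threshold below is an assumption.
"""
import math
import re
import string

# Constructed mini dictionary of very common words; a real check would load a
# full cracking wordlist with hundreds of thousands of entries.
COMMON_WORDS = {
    "password", "letmein", "welcome", "admin", "secret", "login", "qwerty",
    "this", "is", "my", "the", "a", "i", "you", "and", "to", "of", "it", "in",
    "that", "for", "on", "with", "me", "your",
}

# Character-class sizes for the brute-force estimate (printable ASCII; space
# is counted with the punctuation).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10,
               "other": len(string.punctuation) + 1}

# The shape a hybrid attack enumerates: one word, then up to three non-letters.
HYBRID_SHAPE = re.compile(r"^([A-Za-z]+)([^A-Za-z]{0,3})$")

QUOTE = "\"But I can only show you the door, you're the one that has to walk through it\""


def character_classes(secret):
    """Names of the character classes present in `secret`."""
    present = set()
    for c in secret:
        if c.isupper():
            present.add("upper")
        elif c.islower():
            present.add("lower")
        elif c.isdigit():
            present.add("digit")
        else:
            present.add("other")
    return present


def meets_complexity(secret, min_length=8):
    """Simplified Windows-style rule: minimum length and at least three of the
    four classes. (The real rule also rejects the account name; omitted here.)"""
    return len(secret) >= min_length and len(character_classes(secret)) >= 3


def brute_force_bits(secret):
    """log2 of the keyspace a pure brute-force attack must cover, assuming the
    attacker knows only the length and which character classes are present."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(secret))
    return len(secret) * math.log2(alphabet)


def hybrid_bits(dictionary_size, max_suffix=3, alphabet=95):
    """log2 of the candidates a hybrid attack tries: every dictionary word
    followed by every suffix of up to `max_suffix` symbols from `alphabet`."""
    suffixes = sum(alphabet ** k for k in range(max_suffix + 1))
    return math.log2(dictionary_size * suffixes)


def hybrid_shape(secret, words=COMMON_WORDS):
    """True when the secret is one dictionary word plus a short suffix."""
    m = HYBRID_SHAPE.match(secret)
    return m is not None and m.group(1).lower() in words


def assess(secret, words=COMMON_WORDS, min_words=5):
    """Complexity verdict plus the reasons the secret is weak anyway.
    A secret can satisfy the complexity rule and still be weak."""
    reasons = []
    tokens = [t.lower() for t in re.findall(r"[A-Za-z']+", secret)]
    if hybrid_shape(secret, words):
        reasons.append("dictionary word plus short suffix (hybrid attack shape)")
    if len(tokens) < min_words:
        reasons.append(f"fewer than {min_words} words")
    if tokens and all(t in words for t in tokens):
        reasons.append("every word is a very common word")
    return {"length": len(secret),
            "meets_complexity": meets_complexity(secret),
            "weak_reasons": reasons}


if __name__ == "__main__":
    for s in ("Password;1", "This is my password", QUOTE):
        print(repr(s), assess(s), f"brute force ~{brute_force_bits(s):.1f} bits")
    print(f"hybrid attack, 500k words, suffix <= 3: ~{hybrid_bits(500_000):.1f} bits")
```

The two estimates are the lesson: by the brute-force figure 'Password;1' looks like roughly 66 bits of work, but a hybrid search over an assumed 500,000-word dictionary with suffixes of up to three characters is under 40 bits and contains it, so the complexity rule says "strong" while the attacker's actual search space says "trivial". The same overstatement happens for 'This is my password', whose length inflates the character-level number even though every word in it is in the smallest dictionary; the quote from the post passes because it is long in words and not made only of common ones.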
Great post Rob. I love the idea of using famous quotes. Nothing like learning something while being secure at the same time. I, like most I'm sure, have been using pass phrases since your first post about them. Love 'em. Plus, I love watching the expression on people's faces when they watch me type them in (and they're longer than the textbox provided) :)
I confess, I haven't read the articles :-) but isn't using a pass phrase from your personal interests (Einstein quotes and the like) a weakness in itself? I guess how much of a weakness it is depends how many quotes you know and how well the attacker knows you.
Taking a step to one side slightly, what's in your (you being Robert Hensing or any random person) .sig file...?
Ask Oxford puts the number at about three times what you cited.
OK. Let me get this perfectly straight. I am not going to give you a new way to do your passwords like