Why you shouldn't be using passwords of any kind on your Windows networks . . .

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

a. — Wed, 28 Jul 2004 17:50:00 GMT

and every time i need to authenticate just type 42 characters?

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Daniel W. — Wed, 28 Jul 2004 17:52:00 GMT

Great article!

So far i've been using Password Minder created by Keith Brown to keep all my passwords. It helps me generate password 75 chars long. But so far almost all of the e-commerce Web sites i use have a limit for passwords to about 8-10 characters.

I just hope they'll all hear your call!

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Robert Hensing — Wed, 28 Jul 2004 18:08:00 GMT

I type extremely fast (80wpm) so for me typing a 42 character sentence when I get challenged isn't all that hard or difficult. I realize not everyone would enjoy a pass-phrase that extreme - but how hard is it to type 'Mean people suck!'. That's much shorter and just as secure . . . My point is to get people to use 14 character or greater passwords by using pass-phrases instead. 42 character may seem like overkill . . . but then again I would freely give out my password hash to anyone who wanted it and challenge them to crack it with that pass-phrase. :)

Finally - the only time I get challenged is when I logon to the domain - since we're in a domain I don't get challenged when connecting to shares or intranet sites - I auto-authenticate after I sign in.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Matt Hawley — Wed, 28 Jul 2004 18:11:00 GMT

(standing and clapping) great article..I cant wait to see what else you come up with. I immediately forwarded this onto my network services department :)

Simple... just don't use a password!

Anderson on... — Wed, 28 Jul 2004 18:31:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

James Risto — Wed, 28 Jul 2004 18:32:00 GMT

Nice ... I have a phrase now instead of a dumb (short) mess. I thought you were going to talk about smart cards ... nice to know we don't have to change infrastructure.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Miguel Garrido — Wed, 28 Jul 2004 18:33:00 GMT

Yes, it is a very interesting article, something I will probably be implementing in the near future.

Simple... just don't use a password!

Anderson on... — Wed, 28 Jul 2004 18:34:00 GMT

Rob Hensing on Passphrases

Extra Bits That Didn't Fit — Wed, 28 Jul 2004 18:47:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

damien morton — Wed, 28 Jul 2004 18:51:00 GMT

The entropy of the english language is around 2.1 bits/character. Assuming that a "random" string of upper/lower/numeric characters is compared with a passphrase, one would expect a "random" password to be as effective as a passphrase 3 times as long (assuming 6 bits/character in a random password). Of course, completely random passwords are even more of a pain than passphrases.

I would suggest a lower limit of 20-25 characters on passphrases.

Rob Hensing on Passphrases

Extra Bits That Didn't Fit — Wed, 28 Jul 2004 18:57:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

bert — Wed, 28 Jul 2004 19:31:00 GMT

sounds great....except when your network admin makes you change the pass phrase every month...now what phrase did I use this month... I better figure it out in 3 trys so I dont get locked out.

I woudl really like to see thumb readers or somthing like that used more..

Password considered evil ;-)

Sergey Simakov blog — Wed, 28 Jul 2004 20:06:00 GMT

Passwords considered evil ;-)

Sergey Simakov blog — Wed, 28 Jul 2004 20:06:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

matt — Wed, 28 Jul 2004 20:25:00 GMT

Um. Am i missing something? Say this catches on... say we get everyone working with Pass-PHRASES (as you like to say), then the blackhat community simply adapt their attacks using 'word' elements instead of letter elements for the 'password', and 6 months down the line we're more vunerable than ever before.
These phrases are only equivalent to random passes if they continue using the same tactics... that simply isn't going to happen.
Performing a brute-force attack using a language-dictionary (perhaps a rechristening of the term 'dictonary attack'? ha ha) would be quicker and easier than peforming the same attack on a 12 letter random password, as there are now only 4 or 5 elements to the pass-PHRASE that have to be guessed (even including case-sensitivity thats not much), which would surly REDUCE security - as thats equivalent to a random password of about length 4 or 5 (even taking into account the higher number of mathematical combinations possible with words, as the patterns produced aren't 100% random (as all language obeys rules) you're going to find you're back to roughly the number of combinations used with letters).
The only effective and 99% secure method (which isnt exactly viable at this present moment) is face-recognition, combined with lip-sinked voice-signature recognition alongside a real-life spoken passphrase. Place this alongside a bluetooth-vicinity card or USB-smart card and you're getting pretty close to 100% secure.
That's my take. What more can I say? I'm sticking with random passwords for now.

Complex passwords pointless?

Girish Bharadwaj — Wed, 28 Jul 2004 20:36:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Robert Hensing — Wed, 28 Jul 2004 20:38:00 GMT

So you're talking about password guessing methods / tools which don't exist yet. Sure what you say could be done. Security is a cat and mouse game. Sometimes your the cat, sometimes your the mouse. Right now you all are the mouse, I'm giving you one way you can become the cat for a little while until the miscreants figure out your using full-fledged sentences as your passwords. Then they will be forced to either:
1. Write more sophisticated tools.
2. Attack easier targets like all those Linux boxes you installed because its so much more secure . . .

Seriously though - I'm not literally saying 'just use sentences' (I hope that wasn't the key take-away). The point I'm trying to make in this post that perhaps was not made was 'go for length over short complexity' if given the choice. If given the choice of a highly complex, 8 char or less password, I'll take the 16 character pass-phrase thank you. The pass-phrase doesn't have to be a meaningful sentence. It can be random words . . . you can use substitution to increase the keyspace from 52 chars (a-Z, A-Z) to well over 72 chars (a-z, A-Z, 0-9, !@#$%^&*() ) which dramatically increases the time to crack.

Just go for length people - short passwords suck.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

matt — Wed, 28 Jul 2004 20:54:00 GMT

Yeah, I agree about the length thing - I'd like to know what you think about this. I'm seriously interested in your response on this: http://dotnetjunkies.com/WebLog/darrell.norton/archive/2004/03/17/9362.aspx
Im not just trying to "make another point", I'm serioulsy interested.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Robert Hensing — Wed, 28 Jul 2004 21:16:00 GMT

Sure - character substitution (I like to call them 733t speak passwords <G>) is nothing new and LC4 and LC5 both have the ability to do it (i.e. try common substitutions when cracking like swap 'a' for '@').

So I agree with the author - for short passwords, this doesn't necessarily buy you much more time so effectively, nowadays it's not really all that great.

For example if your password is 'P@$$w0rd'
LC4/5 will try
password
Password
P@ssword
P@$$word
P@$$w0rd

woot! It took LC5 a whopping 4 more attempts to crack that password based on . . . a WORD.

The problem is, in this scenario that substitution is being used to try to strengthen a fundamentally weak password.

And we've now come full circle. This link has actually helped prove my point. The author has rightfully pointed out that character substitution, designed to increase the entropy of a short password isn't really all that helpful if the substitutions are done in a predictable way (i.e. common substitutions that can be programmed into a cracker).

If the password had been a passphrase, however like 'My p@$$w0rd is super 733t, I'm so clever!' LC5 would probablytake approximately 1.7 million billion years to brute-force that becuase:
1. It can't find that password (or any of its permutations) in a dictionary so it must
2. Revert to using brute-force to crack that.

The point of my post is that with a password as long as the one I provide above, entropy doesn't really matter anymore as you've made the password so long that it would take an un-realistic amount of time to crack it using brute-force or lookup tables . . . adding entropy to it (either true entropy or fake entropy via character substitutions) is probably just plain old overkill.

I'll leave it as an exercise to the readers to tell me how long it would take LC5 to brute-force: 'My p@$$w0rd is super 733t, I'm so clever!'

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Sircarpediem CIRCA84 — Wed, 28 Jul 2004 21:21:00 GMT

"The voice of reason has spoken". The complex is always so simple. I think that matt although having some points at this date and time Robert your absolutely correct. We are far away (In technology yrs which are months btw) of getting to the point of passphrase breaching which one day will exist. Thing is, there are far too many machines to breach that WONT EVER smell the coffee. (i.e. All the machines still using windows 95, 98, 98SE and WEP users all banking, and doing lifes transactions with those OS's with no antivirus even) Just far too many, and too much fun to resist. Robert I admire the complexity of your common sense in this aticle, applause.

Heres something to think about too. I have clients that use Nod32 for their antivirus and it works for them. "Beats symantec hands down" etc etc. Sure it does; for now that is. Just not commercial enough, whats commercial is mostly going to be cracked. Heres a quote, "For more than six years, NOD32 remains the only antivirus system in the world that has not missed any 'In the Wild' virus in the prestigious tests performed by the international magazine" - Virus Bulletin. This is true only because its not popular and noone is out to take it out. Let it do some advertising as the "#1 antivirus, and most secure in the world" on a national or international commercial. Take a month or less for it to be molested like a 8yr old in Micheal Jacksons bedroom. Might be happening as we speak, who knows? Everything is relevant. Nice article.

Pass phrases

Andy Johns' Blog — Wed, 28 Jul 2004 21:29:00 GMT

Start using passPHRASES rather than passWORDS

Bob.Yexley.Blog — Wed, 28 Jul 2004 21:48:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Sonny — Wed, 28 Jul 2004 21:53:00 GMT

I agree with Robert without reservations, having been doing this exactly for years. Further, as a IS professional it has been my recommedation for years as a best practice. No need to reiterate your argument. Side note to those commenting on time to authenticate i.e. type a password... If you are a general user with moderate typing skills it still is not that big a deal, I set my screen saver to 3 minutes and use phrases and am not the quickest of typists yet still manage through it without locking myself out.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Robert Hurlbut — Wed, 28 Jul 2004 22:09:00 GMT

I have been advocating passphrases in my own security presentations, but I also recommended a variation of taking the first letter of the passphrase when the password length is < 10. But, as your article points out, that may still not be safe. And why do this when you have a large password length. Great advice!

Why you shouldn't be using passwords of any kind on your Windows networks . . .

A Blog for Graymad — Wed, 28 Jul 2004 22:17:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Barry Dorrans — Wed, 28 Jul 2004 23:19:00 GMT

Until there's smartcard logins that are supported across the net I'm not going to be content. Heck I want to persuade people to roll it out over the work AD, just so I don't have to remember passwords, phrases or whatever.

The problem is, of course, remembering. It gets worse when you have to change your password every month, so I've ending up defaulting to month!year!phraseWithNumber

Password information and passphrase advice

Robert Hurlbut's .Net Blog — Thu, 29 Jul 2004 00:03:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Drew — Thu, 29 Jul 2004 03:21:00 GMT

I agree if these are domain accounts and smartcards aren't in use.
For stand-alone machines that will only have local logons* I'd recommend the other kind of not-password: a blank password. It lets anyone with physical access log on as you**, but won't allow anyone to connect to the machine with your account over a network.

*surely the 90% case in people's homes
**any box that an attacker has physical access to is ownzored anyway

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Drew — Thu, 29 Jul 2004 03:23:00 GMT

I should have included this:
"blank password == no net access" only for Windows XP and later releases.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Jeremy Brayton — Thu, 29 Jul 2004 05:10:00 GMT

Also one thing not mentioned but brought up in another blog is the use of " " (space).

You can have a sentence with correct 1 character spacing, 3 characters, 5, 2, or literally 127 spaces and an A at the end. Good luck brute forcing that one.

Passwords are cracked by a whole. You can't crack a character at a time because of the way hashes are set up. So any time you can lengthen the password or phrase, the better your chances will be in the long run, even if it's extra spaces. Using a non-uniform method of spacing is more ideal too just in case crackers every wise up and include some kind of spacing algorythms.

Don't use passwords!

OdeToCode News — Thu, 29 Jul 2004 05:30:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

John S. — Thu, 29 Jul 2004 10:34:00 GMT

"except when your network admin makes you change the pass phrase every month...now what phrase did I use this month... I better figure it out in 3 trys so I dont get locked out."

Convince your admin that creating a stronger password complexity policy eliminates the need for a lockout policy. Lockout policies are essentially the easiest way to DoS someone. Try logging in as your admin or CEO 3 times locking them out, that usually gets the policy updated pretty quick.

Pass phrases not passwords

Nothing but me — Thu, 29 Jul 2004 12:24:00 GMT

A rather well written article on why you shouldn't be using passwords of any kind on your Windows networks. Basically,...

Preventing password cracking - longer passwords are better than complex passwords

Walt Ritscher: Thinking about code — Thu, 29 Jul 2004 17:06:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

mielikki — Thu, 29 Jul 2004 17:08:00 GMT

See also the Passphrase FAQ at http://www.stack.nl/~galactus/remailers/passphrase-faq.html

And the diceware passphrase page at http://world.std.com/~reinhold/diceware.html

Passwords vs. Passphrases

Dana Epp's ramblings at the Sanctuary — Thu, 29 Jul 2004 18:40:00 GMT

Today I read an interesting post by Robert Hensing (incident response specialist for Microsoft) about the fact that you shouldn't use passwords of any kind on your Windows networks. Ok, now before you foam at the mouth and think he's nuts, take some time to read the post. Its rather interesting. What Robert is getting at is that in this day and age, with the number of different techniques that exist passwords (especially through pre-computed hashes) are easy to break. His solution, use long passPHRASES that are more difficult to break through attack vectors such as LC. OK, I'll buy that for a dollar. Mostly because thats all that its worth. Robert makes a good point that if you have a longer "passphrase", its is extremely difficult for pre-computed hashed to crack per character. What he fails to really point out is that password entropy doesn't simply get better by using length, UNLESS IT IS RANDOM! Shifting to longer passphrases is good, but only to the extend of the random nature of characters used. Why do I say that? Because tools already exist in the underground that now include precomputed H4CK3R 1337 5P34K, and normalized words that are part of the english language. The weakest link is the human factor here. A passphrase of: Bob's your uncle! Is Alice in wonderland? The answer is 42. is great on length, uses a combination of of upper and lower case letters and even special punctuation characters. It is extremely easy for me to remember, I won't even need to write it down. Yet you know what? It is weaker than a password I can make up that is just as easy to remember, but is way shorter. Let me explain. As Robert points out in his post, brute force attacks using pre-computed hashes on longer passphrases is nearly impossible due to the sheer hardware requirements needed to store all the pre-computed results. Ram and diskspace limitations make this much more difficult. However, by using passPHRASES you break down the password in distinct elements, in this case in the english language we call those WORDS. So the parser breaks down the above passphrase into 14 distinct components which are guessable. (You break out punctuation as its own word here). Attackers know this. And can use that to their advantage. Now to be fair, a passphrase with 14 distinct components is still amazingly strong, and difficult to crack. However, it also becomes too easy to break down in password management for the user. Why? Well for starters: The longer the passphrase, the easier it is to mistype The easier it is to type out (assuming you are a good typer) the more lax your thought processing will be when entering passwords. The longer the passphrase, the more tiresome it may be for the user to input, in which case they will settle with "b0bsuncle" later when they get tired of typing it the longer and much safer password Even if you could make this all random, easy to enter and protected against user input errors, a passPHRASE of this length is insane. Its like using a 8192 bit PGP key. Its effective strength is great, but insanely impractical for decryption purposes. In security its about "what is enough security", not "what is the ultimate security". Let me show you a just as effective way of making a strong password/passphrase that will defeat most cracking attack vectors, is easy to remember, and is prone to LESS input errors by humans, the people we are wanting to protect here. Use the same passphrase technique as Robert suggested in your head, and simply type out the first letter, and any numbers and punctuation that come out of it. For the passphrase: Bob's your uncle! Is Alice in wonderland? The answer is 42. You would get a password of: Byu!IAiw?Tai42. Now under the guise of a complex random password, you actually have (in this case): A strong 15 character password with a good effective bit strength. This meets the criteria of a "long enough" password (anything over 14 random upper and lower characters, which also include digits and punctuation will generate a 'good enough' password for most networks that will thwarte pre-compute and other brute force attacks) It is easy to remember, hard to guess. Requires thought as your brain processes each word individually as you type the first character. Studies have shown if you actually have to THINK about something as you type it, it is less prone to error Robert brings up very interesting thoughts in his post. And you should seriously consider following them, with one change. Remember the user. As security professionals, its easy for us to use insane passwords for protection. We are supposed to know better. But Alice in accounting just isn't going to follow it. With my slight change to simply type out the first letter of each word, and any numbers and punctuation that come out of it, you have a much more PRACTICAL passphrase that is 'good enough' for most networks. With a bit of user education, this can become extremely effective. Oh, and if on the next password rotation you don't feel like using the first letter of every word, change it up. Use the last letter. Or the second. Just remember if you make it to difficult, you will forget it, making it no better than 'g0d' or 'P4$5w0rd!'. Especially since you are going to have to call IT services to reset your password anyways....

New Microsoft Blog

Adam's Mindspace — Thu, 29 Jul 2004 23:23:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Aaron Margosis — Fri, 30 Jul 2004 08:23:00 GMT

RHensing - *great* first post!

Dana Epp - You are correct that completely random 42-character string would be harder to crack than a 42-character grammatically correct sentence made up of 14 words. I don't think it follows that the latter is weaker than a random 14-character password:
* The attacker does not know that there are 14 elements.
* With the password, each element (character) comes from a set of approximately 100 characters (assuming ANSI). With the passphrase, even after you remove all the randomness each element (word) comes from a set of many thousands of possibilities. Throw a little character substitution in the mix and cracking just has no feasibility left.

(I'm not a mathematician, though...)

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Andy Doyle — Fri, 30 Jul 2004 12:15:00 GMT

What a great first post!
*applauds*

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Jeremy C. Wright — Fri, 30 Jul 2004 17:06:00 GMT

Fantastic. Blogged, subscribed, bookmarked, forwarded.

Don't Use a Password

Ensight - Jeremy C. Wright — Fri, 30 Jul 2004 17:06:00 GMT

Here was me thinking there'd be nothing to blog about.... Just over two weeks ago, I wrote a completely idiotic blog post. Stupid in fact, about how to make simple, secure passwords. Of course, one of my readers showed me my stupidity, and I thank him for it. He advocates passphrases. Well, today an Incident Response Specialist (big head security dude) for Microsoft wrote a fantastic post outlining this in great detail. In his first blog post evah (!!!) Robert Hensing (background available via Google) talks about passphrases in great detail. Some really choice quotes? Worse still, attackers (either automated or human) don't even need to GUESS the password. There are hacking tools a-plenty that will let a miscreant sniff your network traffic to scoop out authentication material for the LM, NTLM and Kerberos protocols and then brute-force that material back into a working password. Sure you can protect the network with segmentation, encryption (IPSec etc.) and even 802.1x and I'm a big fan of all of these concepts, but really they just workaround an issue that you still need to address. The inherent vulnerability in your network which is - the password. So here's the deal - I don't want you to use passwords, I want you to use pass-PHRASES. What is a pass-phrase you ask? Let's take a look at some of my recent pass-phrases that I've used inside Microsoft for my 'password'. If we weren't all crazy we would go insane (Jimmy Buffet rules) Send the pain below! (I like Chevell too) Mean people suck! (it's true) So why are these pass-phrases so great? 1. They meet all password complexity requirements due to the use of upper / lowercase letters and punctuation (you don't HAVE to use numbers to meet password complexity requirements) 2. They are so freaking easy for me to remember it's not even funny. For me, I find it MUCH easier to remember a sentence from a favorite song or a funny quote than to remember 'xYaQxrz!' (which b.t.w. is long enough and complex enough to meet our internal complexity requirements, but is weak enough to not survive any kind of brute-force password grinding attack with say LC5, let alone a lookup table attack). That password would not survive sustained attack with LC5 long enough to matter so in my mind it's pointless to use a password like that. You may as well just leave your password blank. 3. I dare say that even with the most advanced hardware you are not going to guesss, crack, brute-force or pre-compute these passwords in the 70 days or so that they were around (remember you only need the password to survive attack long enough for you to change the password). Really, continue reading if you want more info....

Passwords vs passphrases, redux

Exchange Security — Fri, 30 Jul 2004 18:36:00 GMT

or is it?Dana Epps then jumped in with a response: However, by using passPHRASES you break down the password in distinct elements, in this case in the english language we call those WORDS.... If you take Dana's approach, and pick something too simple or well-known (like, say, lines from The Marines' Hymn), you are at least theoretically vulnerable to dictionary attacks that try combinations of Beatles lyrics, quotes from The Princess Bride, or whatever.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Bill V — Fri, 30 Jul 2004 21:25:00 GMT

Robert. Thanks for the Heads up. Certainly makes sense.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Mike O'Connor — Sat, 31 Jul 2004 19:23:00 GMT

Unfortunately, there's scalability limits on passphrases. The longer a passphrase is, the more likely it is that someone will make some mistake in typing it in, especially when they can't see what they're typing echoed on the screen. For every Japanese schoolgirl who can flawlessly type a trillion words a minute on the iMode phone they're provided with in the womb, there's an old manager fart with mildly arthritic hands to counterbalance it. Someone with a usability bent probably has done a lot of work figuring out what the right magic # is for such things, and I bet it's <42. In other words, as with most 'length' arguments:

"It's not the meat, it's the motion..."

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Greg Baker — Sun, 01 Aug 2004 01:24:00 GMT

Great Article.

Our 5300 user organization has been using pass phrases since April. We initially had scalibility concerns but have yet to encounter any. The users and all of IT give the concept a big thumbs up. Many clumps of hair have been saved by all.

As an FYI, Mark Minasi gave a presentation detailing this subject during his keynote on the Microsoft Security Road Show this spring.

Weekly Links

protected virtual void jayBlog { — Mon, 02 Aug 2004 00:49:00 GMT

Weekly Links

protected virtual void jayBlog { — Mon, 02 Aug 2004 00:50:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Tim Long — Mon, 02 Aug 2004 12:19:00 GMT

I'm surprised that biometric devices are not much more prevalent (such as the U-are-U fingerprint scanners). These devices are both convenient and easy to use. They save a lot of time for the user and remove any temptation to write down a password.

Robert's advice about passphrases is actually very practical. Though it seems like a lot to type, the fingers become accustomed to it very quickly.

The 128 character password limit is such a well kept secret that I've come across applications that actually forced me to have a shorter password because they wouldn't allow me to enter a long enough string. Veritas Backup Exec 8, for example!

--TPL

Ensight - Jeremy C. Wright » Secure Passwords: Final Version

TrackBack — Thu, 05 Aug 2004 18:14:00 GMT

Ensight - Jeremy C. Wright » Secure Passwords: Final Version

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Matt Palmer — Fri, 06 Aug 2004 13:56:00 GMT

Very interesting, and I think it's probably a good idea.

However, I ran the pass phrases that Robert used through a word frequency analyser (just google around for one). Almost all the words he picked were in the top 1000 most common english language words. If you have a passphrase with 5 words, that gives you about 1000 billion variations, and that assumes that the word order is random. Since the phrases form sentences, there's actually a lot less variation there, as many words are very common (top ten), and tend to follow each other in statistically significant sequences.

Is this weaker than a 10 character password? Maybe. And remember, people will tend to choose pass phrases from popular culture, cool quotes, etc. Again, allowing attackers an in to the pass phrase.

I think using pass phrases is *probably* a good idea, but we shouldn't leap on it without examining it in much greater detail.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

JerimiahF — Mon, 09 Aug 2004 22:50:00 GMT

I use a 256bit encrypted fingerprint reader to remember my passwords - the long ones - and as long as my finger is with me - the chances are 1 in 100,000 that someone has a print like mine.

FBI uses like 7-8 points to ID a print - this thing uses upwards of a few dozen.

www.digitalpersona.com

Have fun (it's optical BTW - not silicone like the old ones).

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Joe Hemmerlein — Tue, 10 Aug 2004 17:56:00 GMT

Congrats, Rob, for your first blog ;-) I've also been using pass phrases for quite some time now, and I am totally satisifed. However, there are a few experiences I would like to share:

1. After a while, the pass phrase isn't as easy to type as it was in the beginning.
I do not know if this is a personal thing, but tendencially, it takes about 2 days for me to type the new phrase fluently (this is about the time I used to get used to a new password, too). Then it takes about another 30 days for me to start making typos. I call that "natural expiration" and when that happens, I usually change the phrase.

2. Be careful with special characters
Besides using multiple spaces and mispelling words in my pass phrase, I have also experimented with special characters (e.g. ALT+4322). On one day however, I had to connect to a TS in a different country, and the password kept being rejected. Even a clear text copy&paste failed. Thinks like these appear to happen when the phrase was set with one locale, and then entered with a different locale, while special characters are in use. Of course, it doesn't appear with all chars.

3. Smartcards
If I have to log on to a system that has a smartcard reader installed and allows smart card logon, I use the card.

Cheers,
joe

Just Changed my password

The Skelly Blog — Tue, 10 Aug 2004 23:04:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Jenni Merrifield — Wed, 11 Aug 2004 11:03:00 GMT

Interesting and thoughtful commentary on passPHRASES vs. passWORDS.

I do have to agree, though, with those who have commented on the fact that making them too long is subject to mistyping and (eventually) shortening due to the lazy-factor. Also, for those of us using Tablet PCs, the need to enter pass-anythings using anon-screen graphical representation of a QWERTY keyboard, where every key (including SHIFT) must be tapped one-bygone, makes anything longer than 8-10 characters exceedingly unpleasant.

You also mention, in one of your responses to some other feedback, that you only need to enter your paraphrase when you log in to the Domain. What about when using Remote Access Services and VPN? Or when using RCP over HTTP to access email on an Exchange server? Or for the tester who needs to log in to a couple of different testing machines each day? After all, not everyone only logs in at a desktop attached directly to the corpnet. ;-)

Just Changed my password

The Skelly Blog — Wed, 11 Aug 2004 17:18:00 GMT

A step in a good direction, but...

Brad — Thu, 12 Aug 2004 02:20:00 GMT

This seems like a band-aid over a deep wound. Won't this eventually suffer the same problems RSA-encryption has in the past (and will soon in the future)? Increased processing speed (or something nuts like quantum computing) is just going to make us increase the length again later. Soon, it will be 42 character passwords. Then 80 character passwords. And then we're going to throw our PC's out the window because we're tired of coming up with a new a short story every month to access it.

Is there a better method of approaching this? I know that, for the web, salting and md5-ing passwords makes the password increasingly more secure, but even that seems to be delaying the inevitable.

Don't Use Passwords says Microsoft Guru

Stuart Radcliffe — Tue, 17 Aug 2004 10:29:00 GMT

If you want your system to be secure you shouldn't use passwords. Who would make such an obviously stupid statement? Surprisingly, the answer is Robert Hensing of the Microsoft PSS Security team.

Don't Use Passwords says Microsoft Guru

Stuart Radcliffe — Tue, 17 Aug 2004 10:34:00 GMT

If you want your system to be secure you shouldn't use passwords. Who would make such an obviously stupid statement? Surprisingly, the answer is Robert Hensing of the Microsoft PSS Security team.

Pass-Phrases, not Pass-Words to defeat brute force attacks

Alan Dean — Tue, 17 Aug 2004 21:06:00 GMT

Pass-Phrases, not Pass-Words to defeat brute force attacks

Us versus Them

E-Bitz - SBS MVP the Official Blog of the SBS — Wed, 18 Aug 2004 04:02:00 GMT

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

[rux] — Sun, 22 Aug 2004 11:45:00 GMT

"2. Attack easier targets like all those Linux boxes you installed because its so much more secure . . . "

What did you mean by the above sentence ? Seriously ...

Binary string as password?

Hans — Mon, 23 Aug 2004 06:49:00 GMT

Currently I'm using a binary string that's comprised of only 1's and 0's and is about 20 characters for a password (in one instance only). I presume that this isn't exactly safe, since it's only 1's and 0's, but I thought I'd ask an "expert." So, are binary passwords safe, or do they have to be 40+ characters long?

P.S. I don't remember the number, I count on muscle memory/rythm.

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Robert Hensing — Mon, 23 Aug 2004 16:20:00 GMT

Your character set is extremely small (2 chars) but the attackers don't know that (well they do now) so they have to assume at least a 62 character set when doing their brute-force attack. Given that you've made your password 20 characters long that helps overcome the lack of characters which I'm guessing makes this a relatively hard to crack password (for someone who doesn't know you only have 1's and 0's in it). If someone configured LC5 to try only 1's and 0's I'm pretty sure this would crack fairly quickly.

Consider using you're traditional 'binary' password but padding it with some extra characters here and there to avoid getting pwnt. :)

re: Why you shouldn't be using passwords of any kind on your Windows networks . . .

Jojge — Tue, 24 Aug 2004 23:05:00 GMT

I think are 100% correct!

Dear Mr. Schnell:

E-Bitz - SBS MVP the Official Blog of the SBS — Mon, 06 Sep 2004 21:08:00 GMT

Dear Mr. Schnell:

E-Bitz - SBS MVP the Official Blog of the SBS — Mon, 06 Sep 2004 21:37:00 GMT

Password policy and a recent virus

Eli Robillard's World of Blog. — Thu, 09 Sep 2004 18:16:00 GMT

No passwords?

Keith 'StarPilot' Barrows — Thu, 09 Sep 2004 21:14:00 GMT

Zyca » 2004 » September » 14

TrackBack — Wed, 15 Sep 2004 00:50:00 GMT

Zyca » 2004 » September » 14

Why you shouldn't be using passwords of any kind on your Windows networks

Lockergnome's IT Professionals — Wed, 22 Sep 2004 07:02:00 GMT

"So this is my first ever blog entry and seeing as how I'm a senior member of the PSS Security Incident Response team, you may think I've stopped taking my medication by opening with a title like the one above!...

Passwords Not Accepted

Desert Dwarf — Wed, 22 Sep 2004 22:38:00 GMT

A new blogger, Robert Hensing, wrote his first blog post back on July 28, 2004. It’s an excellent article on...

Why you shouldn't be using passwords of any kind on your Windows networks . . .

42 — Sat, 25 Sep 2004 20:04:00 GMT

Why you shouldn't be using passwords of any kind on your Windows networks . . . is an interesting viewpoint. I am not sure what the limits are for Linux though. Thanks to randomthoughts � Don’t use passwords on your

Team Murder » Some Pre-Lunch Messing Around

TrackBack — Mon, 27 Sep 2004 23:13:00 GMT

Team Murder » Some Pre-Lunch Messing Around

Movable type resourses — Wed, 29 Sep 2004 22:52:00 GMT

Why you shouldn't be using passwords of any kind on your Windows networks . . . Robert Hensing's Incident Response WebLog...

Validating Strong Pass Phrases

Eli Robillard's World of Blog. — Thu, 30 Sep 2004 00:33:00 GMT

Validating Strong Pass Phrases Snippet

Eli Robillard's World of Blog. — Thu, 30 Sep 2004 00:34:00 GMT

Microsoft senior member says stop using passwords

TrackBack — Sun, 17 Oct 2004 02:12:00 GMT

Microsoft senior member says stop using passwords

Pass Phrases - Sage advice from inside Microsoft

SteelePrice.Net — Mon, 18 Oct 2004 20:04:00 GMT

The Great Debates: Pass Phrases vs. Passwords

Eli Robillard's World of Blog. — Wed, 20 Oct 2004 19:26:00 GMT

The Great Debates: Pass Phrases vs. Passwords

Eli Robillard's World of Blog. — Wed, 20 Oct 2004 19:26:00 GMT

re: Password Memorability and Security

SecureCoder by Anil John — Thu, 21 Oct 2004 07:30:00 GMT

Password Memorability

.net DElirium — Thu, 21 Oct 2004 07:33:00 GMT

Never Knows Best: Blog

TrackBack — Thu, 21 Oct 2004 19:22:00 GMT

Never Knows Best: Blog

Why you shouldn't be using passwords of any kind on your Windows networks . . .

Donna's SecurityFlash — Thu, 21 Oct 2004 20:17:00 GMT

Password or phrase?

jasun's blog — Thu, 21 Oct 2004 23:30:00 GMT

Robert Hensing from the Microsoft PSS Security Team is trying to propose a new method of accessing systems. Although using a passphrase instead of a password is nothing new it is when we are talking about general access control systems....

Fascinating article on Passphrases just posted

Larry Osterman's WebLog — Fri, 22 Oct 2004 19:49:00 GMT

Why you should use passPHRASES instead of passWORDS

Bill Knaus — Fri, 22 Oct 2004 23:26:00 GMT

Hensing revisits passWORDS vs. passPHRASES

Bill Knaus — Mon, 25 Oct 2004 16:15:00 GMT

Techie life » More on passphrases

TrackBack — Mon, 15 Nov 2004 21:27:00 GMT

Techie life » More on passphrases

Why You Shouldn't Be Using Passwords of Any Kind on Your Windows Networks...

CraigBlog — Tue, 07 Dec 2004 17:56:00 GMT

Why You Shouldn't Be Using Password of Any Kind on Your Windows Networks

Josh0 — Tue, 07 Dec 2004 18:31:00 GMT

Don't use Passwords

Meandering-Blog.Com — Tue, 07 Dec 2004 22:04:00 GMT

Network Admin Smackdown! Passwords vs. Passphrases

Frankie Fresh's Blog — Wed, 08 Dec 2004 01:44:00 GMT

Stop using Passwords

iBLOGthere4iM — Wed, 08 Dec 2004 05:11:00 GMT

Alec Saunders: This is well worth reading.

Excellent post about Passwords and Passphrases

Dela's Ramblings — Wed, 08 Dec 2004 13:13:00 GMT

Pass-Phrasing

Mike Taulty's Weblog — Fri, 10 Dec 2004 02:47:00 GMT

Pass Phrases vs. Passwords

JOEL'S BLOG — Sun, 12 Dec 2004 20:58:00 GMT

Pass Phrases vs. Passwords

Joel's Virtual Desktop — Sun, 12 Dec 2004 20:58:00 GMT

Pass Phrases vs. Passwords

Joel Ross — Sun, 12 Dec 2004 20:58:00 GMT

To passphrase or not?

The keyhole — Wed, 15 Dec 2004 08:02:00 GMT

Blogginn hans Alfreds » Hættum að nota lykilorð

TrackBack — Tue, 21 Dec 2004 01:41:00 GMT

Blogginn hans Alfreds » Hættum að nota lykilorð

How secure are your passwords?

Bunmi Akinyemiju's blog — Fri, 14 Jan 2005 07:26:00 GMT

How secure are your passwords?

Bunmi Akinyemiju's blog — Sat, 15 Jan 2005 18:19:00 GMT

re: MSN Search's Wiki

msnsearch's WebLog — Sun, 16 Jan 2005 05:23:00 GMT

sluta med password

Jed Blog — Fri, 28 Jan 2005 22:56:00 GMT

Passwordaphobia

Thinking Digitally — Tue, 01 Feb 2005 09:51:00 GMT

I have always had a problem with passwords- thinking of new passwords, remembering old passwords, typing in passwords. Problems all across the board. A few years ago I used to be really good with my passwords. I had no less...

To passphrase or not?

The keyhole — Wed, 02 Feb 2005 08:12:00 GMT

Hark, 'Cryptonomicon' anyone?

crzegrl.net — Sun, 13 Feb 2005 05:34:00 GMT

Why you shouldn't be using passwords of any kind on your Windows networks . . . This comment sent my brain straight back to Randy Waterhouse and his 'issues' with passcodes! Interesting that Hensing's comment drew so much attention. I...

Am I Missing Something?

Journal — Sun, 13 Feb 2005 05:39:00 GMT

I just read this article on Robert Hensing’s Microsoft blog that says we should be using passphrases rather than passwords. ie: These are bad (old passwords of mine, they’re based on phrases so fairly easy to remember): Fots84!kP4 ttsL1HK.g Mt2ltUP:eD...

Password Chic?

Snowulf — Sun, 13 Feb 2005 07:03:00 GMT

Aparently passwords are no longer in style. One of our loving friends at Micro$oft posted this blog entry. To sumarize, he says "use passphrases". Aparently Windoze 2k/XP/2k3 all support 127 character 'passwords'. So instead of one pseudo-random pass

the musings of Brandon Jaynes :: This Is A Great Idea

TrackBack — Sun, 13 Feb 2005 16:10:00 GMT

the musings of Brandon Jaynes :: This Is A Great Idea

Perfected » Blog Archive » Passphrases over complex passwords?

TrackBack — Mon, 14 Feb 2005 03:45:00 GMT

Perfected » Blog Archive » Passphrases over complex passwords?

Why you shouldnt be using passwords of any kind on your Windows networks

Ablog — Tue, 15 Feb 2005 03:26:00 GMT

A Microsoft security engineer posts on why the password is dead. A stance I firmly agree with but some reservations around the details. The author is coming from the Windows space but the same principles apply in Unix and other OS flavours. Passwords have had a long history of being...

Are pass-phrases really secure?

Reggie Burnett — Wed, 16 Feb 2005 00:05:00 GMT

Why you shouldn't be using passwords of any kind on your Windows networks . . .

Blogger Tom — Sat, 05 Mar 2005 01:09:00 GMT

From:http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx This blog has gained far more attention than I could have ever imagined when I decided to create a small personal blog devoted to security incident response. I never imagined my first ever post would be as controversial or...

Everything old is new again

life (over IP) — Mon, 18 Jul 2005 12:55:55 GMT

Robert Hensing's Secure Window's Initiative Blog (via Coding Horror) advocates something I've been doing for years: So here's the deal - I don't want you to use passwords, I want you to use pass-PHRASES. What is a pass-phrase you...

How to create better passwords & What is a PassPhrase?

Steve Lamb's Blog — Tue, 19 Jul 2005 12:19:37 GMT

I've heard Jesper talk about this many times and have used passphrases for a long time myself. The term...

How to create better passwords & What is a PassPhrase anyway?

Steve Lamb's Blog — Tue, 19 Jul 2005 12:19:56 GMT

I've heard Jesper talk about this many times and have used passphrases for a long time myself. The term...

Windows 2000 and later have a 127 character password limit

Aaron Tiensivu's Blog — Sat, 11 Mar 2006 00:50:23 GMT

The original spec was to have 256 character available for passwords, so 256-bytes were reserved. Why is the password length limited to 127 characters? Far-east/Unicode uses 2 bytes per character. Oops.

Found that 'dirty secret' here:
http://blogs.

What's your

Giddy Up! - Erik Lane's Blog — Wed, 31 May 2006 08:08:16 GMT

What's your

Giddy Up! - Erik Lane's Blog — Wed, 31 May 2006 08:08:57 GMT

Pens and Microphones

notes and rants — Sat, 12 Aug 2006 01:58:36 GMT

Last week I was home taking care of a few random work issues after dinner. I was wrapping up, and, as...

Diy Terminal Server 2.0 (beta) - Remote Desktop over SSH — XSet Archive

Diy Terminal Server 2.0 (beta) - Remote Desktop over SSH — XSet Archive — Thu, 19 Oct 2006 14:56:37 GMT

PingBack from http://xset.co.uk/2006/10/19/diy-terminal-server-20-beta-remote-desktop-over-ssh/

Bionic Teaching » Nightmare (guard your passwords)

Bionic Teaching » Nightmare (guard your passwords) — Sat, 06 Jan 2007 05:37:16 GMT

PingBack from http://bionicteaching.com/?p=81

Using Password Phrases For Better Security :: the How-To Geek

Using Password Phrases For Better Security :: the How-To Geek — Mon, 05 Feb 2007 00:13:26 GMT

PingBack from http://www.howtogeek.com/howto/windows/using-password-phrases-for-better-security/

My first passphrase

Eugene Siu's MSDN Blog — Tue, 08 May 2007 07:02:59 GMT

I have read many articles about the benefits of using passphrases in contrast to passwords. For more

earn high school diploma at home

earn high school diploma at home — Thu, 13 Sep 2007 10:45:19 GMT

earn high school diploma at home

novolocus.com » Blog Archive » Secure PHP

novolocus.com » Blog Archive » Secure PHP — Thu, 15 Nov 2007 15:30:13 GMT

PingBack from http://www.novolocus.com/2005/07/29/secure-php/

How To Make A Strong Password

TiGra Networks — Fri, 18 Jan 2008 21:13:39 GMT

Another blog article I've been meaning to write for a long time: how to construct a strong password

Using Password Phrases For Better Security | Pc Dicas

Using Password Phrases For Better Security | Pc Dicas — Wed, 28 May 2008 09:06:08 GMT

PingBack from http://www.pcdicas.info/windows-xp/using-password-phrases-for-better-security/

Lucas Arregui » Enhace your passwords now

Lucas Arregui » Enhace your passwords now — Tue, 28 Oct 2008 05:32:33 GMT

PingBack from http://www.lucasarregui.com/?p=88

C??mo mejorar la seguridad en Windows | MilBits

C??mo mejorar la seguridad en Windows | MilBits — Thu, 22 Jan 2009 19:42:32 GMT

PingBack from http://www.milbits.com/mejorar-seguridad-windows

10 Immutable Laws of Security

TiGra Networks — Sat, 20 Jun 2009 16:37:51 GMT

Why You Need a Strong Password It is worth reminding ourselves occasionally why we need passwords and