Re: Reasons and examples for security

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/15/04


Date: Wed, 15 Dec 2004 07:09:53 -0700

Hi Steve,

Agreed, and excellent point.

The bottom-line however is that there is extreme resistance to
setting pwd length large enough to literally force passphrase use.
Hence the "so-called" complexity setting still has a place when
the length is set sufficiently low that some might use "myfullname"
or other, particularly dictionary susceptible choices.

IOW it is more simple to get the org to buy into increasing length
slightly and beginning user passphrase education than it is to do
something like increasing length dramatically (even with dropping
of complexity). What they fail to appreciate is what you rightly
point out - a larger length setting but without complexity requirements
is more simple to remember (and more effective considering those
that will not adopt passphrase use if length is less but with complexity).

-- 
Roger Abell
"Steve Riley [MSFT]" <steriley@microsoft.com> wrote in message
news:ezqRo8i4EHA.3908@TK2MSFTNGP12.phx.gbl...
> > Teach them to use passphrases "The 4 BroWn CoWs jump!"
>
> Pass phrases do not need complexity. The benefits of passphrases are:
>
>   * length -- defeating cracking programs
>   * easy to type -- defeating shoulder-surfing
>   * simple to remember -- defeating sticky-pads
>
> A phrase like "the four brown cows jump" will take on the order of hundreds
> of centuries to crack and is much quicker to type and easier to remember
> than "The 4 BroWn CoWs jump!" with all the latter's non-standard
> capitalization and punctuation.
>
> If we're going to try to effect wholesale change here and get people to
> agree that long passphrases are the future, adding complexity will create
> resistance. Why do that when it's unnecessary, security-wise?
>
> Steve Riley
> steriley@microsoft.com
>
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:OWwkyyY4EHA.3472@TK2MSFTNGP09.phx.gbl...
> > Changing passwords on a timed schedule intends to do
> > a couple of things (at least):  make the password different
> > before a process that is trying to crack it has had sufficient
> > time (statistically) to have done so; to limit unauthorized
> > accesses that may be happening due to "handed out" and/or
> > otherwise compromised passwords by invalidating them.
> >
> > For the first of these to be meaningful nowadays, the
> > balance between password size (and strength) and the
> > change interval needs to be set reasonably - but of these
> > the two factors which Windows can leverage without any
> > third-party software is password aging and length.
> >
> > Teach them to use passphrases "The 4 BroWn CoWs jump!"
> > and set the length high, IMO not less than a dozen.  Set the
> > aging so they cannot reuse passwords, and the frequency to
> > what the users will bear, maybe 60 days if you can.
> >
> > Windows is not Unix.  An account is in very many groups.
> > These groups are used to control access to data which may
> > be of different degrees of import/sensitivity and shared
> > by different sets of people.   This is something that is not
> > at first well appreciated by folks coming from Unix, where
> > an account being compromised imperils the data of that
> > account and of its group.
> >
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows  Security)
> > MCSE (W2k3,W2k,Nt4)  MCDBA
> > "roshak31" <Roshak31@news.postalias> wrote in message
> > news:71471564-180B-43B4-944A-B8FA41EB7E34@microsoft.com...
> >> I am looking for examples to support my case for tighter security. I am
> >> looking in the area of having to renew passwords at set time period which is
> >> not currently being done. I am also looking to find any supporting arguments
> >> for not having all home folders of everyone on the network available to
> >> everyone else on the network.
> >>
> >> Any stories and/or arguments that would help my case for stronger security
> >> would be appreciated.
> >>
> >> Thanks,
> >
> >
>
>
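Added example (my own, not part of the thread and not Steve's or Roger's code): a Python script that works through the search-space arithmetic behind the length-versus-complexity argument above, and the aging trade-off Roger raises in his first reply, i.e. whether the change interval is shorter than the statistical time needed to exhaust the space. The guess rate of 10^9 per second, the 60-day rotation, the 12-character minimum and the three-of-four-categories approximation of the Windows complexity rule are all assumptions chosen for illustration; the candidate strings are the two phrases from the thread plus a constructed short "complex" password.

```python
"""Search-space arithmetic for the length-vs-complexity thread above.

Guess rate, rotation interval, minimum length and the three-of-four
complexity rule are illustrative assumptions, not measurements and not
the exact Windows policy logic.
"""
import string

# Character classes an attacker may assume were used, with their sizes.
# Together they cover the 95 printable ASCII characters.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "space": ({" "}, 1),
    "punct": (set(string.punctuation), 32),
}
SECONDS_PER_DAY = 86_400
SECONDS_PER_CENTURY = 100 * 365.25 * SECONDS_PER_DAY


def classes_used(password):
    """Names of the classes that actually occur in the password."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def charset_size(password):
    """Alphabet size to search if the attacker knows which classes were used."""
    return sum(CLASSES[name][1] for name in classes_used(password))


def search_space(length, alphabet_size):
    """Number of candidates of this length over this alphabet."""
    return alphabet_size ** length


def expected_crack_seconds(space, guesses_per_second):
    """Brute force finds the right candidate, on average, halfway through."""
    return (space / 2) / guesses_per_second


def expected_crack_centuries(space, guesses_per_second):
    return expected_crack_seconds(space, guesses_per_second) / SECONDS_PER_CENTURY


def outlives_rotation(space, guesses_per_second, rotation_days):
    """Roger's first reason for aging: the change interval should be shorter
    than the statistical time an attacker needs to exhaust the space."""
    return expected_crack_seconds(space, guesses_per_second) > rotation_days * SECONDS_PER_DAY


def meets_policy(password, min_length, require_complexity):
    """Minimum length plus, when complexity is on, at least three of the four
    categories upper/lower/digit/non-alphanumeric (assumed approximation of
    the Windows rule; a space counts as non-alphanumeric here)."""
    if len(password) < min_length:
        return False
    if not require_complexity:
        return True
    categories = {"punct" if n == "space" else n for n in classes_used(password)}
    return len(categories) >= 3


def report(password, guesses_per_second=1e9, rotation_days=60, min_length=12):
    """Summary of one candidate under the stated assumptions."""
    space = search_space(len(password), charset_size(password))
    return {
        "length": len(password),
        "charset": charset_size(password),
        "crack_centuries": expected_crack_centuries(space, guesses_per_second),
        "outlives_rotation": outlives_rotation(space, guesses_per_second, rotation_days),
        "passes_complexity": meets_policy(password, min_length, True),
        "passes_length_only": meets_policy(password, min_length, False),
    }


if __name__ == "__main__":
    # Constructed candidates: the two phrases from the thread and a short
    # "complex" password of the kind a low minimum length invites.
    for pw in ("the four brown cows jump", "The 4 BroWn CoWs jump!", "P@ssw0rd"):
        r = report(pw)
        print(f"{pw!r}: len={r['length']} charset={r['charset']} "
              f"crack={r['crack_centuries']:.3g} centuries "
              f"outlives_60d_rotation={r['outlives_rotation']} "
              f"complexity={r['passes_complexity']} "
              f"length_only={r['passes_length_only']}")
```

Run as-is, the lowercase phrase has by far the largest search space yet fails the complexity check, which is the resistance Roger describes, while it passes a length-only policy of twelve characters. The eight-character "complex" candidate, at the assumed guess rate, has an expected crack time shorter than the 60-day change interval, so aging alone does not rescue a short password.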

