Saturday, February 12, 2005

Passphrases? Nice try.

Why you shouldn't be using passwords of any kind on your Windows networks . . .

A Microsoft security guru starts blogging, and gets attention for advocating passphrases as memorable alternatives to passwords.

I don't see passphrases as workable. I have hundreds of passwords to manage -- would hundreds of passphrases be any easier to manage? In any case it's not like people would choose passphrases randomly -- popular songs, famed bible quotes, historic expressions would all be over-represented.

The blog did mention a few minor details that are probably not known to the average person:
  1. Passwords of under 10 characters are completely vulnerable. Software using "Sarca rainbow tables" is used to create all "possible LM or NT password hashes of a given length with a given character set". The "pre-computed password-hash-to-password-mappings" are then burned to DVD. The DVDs are used to crack systems using passwords under 10 characters.
  2. All dialects of Windows default to storing an "LM hash" for passwords below a certain (nn characters?) length. "The LM hash is no longer cryptographically secure and takes only seconds to crack with most tools".
  3. Password length may be more important than password complexity given current cracking tools. A good length is something like 42 characters or more.
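The length-versus-complexity point above can be made concrete. The following is an added example, not code from the post or from Microsoft: it reproduces only the LM preprocessing (upper-casing, padding to 14 bytes, splitting into two 7-byte halves that are hashed independently; no LM hash is stored for passwords of 15 or more characters) and estimates how much search work each half leaves an attacker. The 69-character `LM_ALPHABET` and the 95-character "naive" alphabet are my assumptions for typeable ASCII.

```python
import math
import string

# Properties of the LM hash (Windows LAN Manager) that are not in the post:
#  - the password is upper-cased, so a-z collapse onto A-Z;
#  - it is padded/truncated to 14 bytes and split into two 7-byte halves,
#    each of which is hashed on its own, so an attacker attacks them separately;
#  - Windows stores no LM hash at all for passwords of 15+ characters.
LM_MAX_LEN = 14
HALF_LEN = 7
# Assumption: typeable ASCII that survives upper-casing (26 + 10 + 32 + space = 69).
LM_ALPHABET = string.ascii_uppercase + string.digits + string.punctuation + " "
# Assumption: what a "complex" password policy believes the alphabet is (95 printable ASCII).
NAIVE_ALPHABET_SIZE = 95


def lm_halves(password: str):
    """Return the two 7-byte halves LM actually hashes, or None if no LM hash is stored."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().encode("ascii", "replace").ljust(LM_MAX_LEN, b"\0")
    return padded[:HALF_LEN], padded[HALF_LEN:]


def half_search_bits(half: bytes) -> float:
    """log2 of candidates for one half: |alphabet| ** (characters before the zero padding)."""
    n = len(half.rstrip(b"\0"))
    return 0.0 if n == 0 else n * math.log2(len(LM_ALPHABET))


def naive_bits(password: str) -> float:
    """Search space a complexity-based policy implicitly assumes: 95 ** len(password)."""
    return len(password) * math.log2(NAIVE_ALPHABET_SIZE)


def lm_exposure(password: str) -> dict:
    """Compare the policy's assumed strength with what the LM hash actually leaves."""
    halves = lm_halves(password)
    if halves is None:
        return {"lm_stored": False, "naive_bits": naive_bits(password), "attack_bits": None}
    bits = [half_search_bits(h) for h in halves]
    # Halves are cracked independently, so total work is the sum of the two searches.
    attack_bits = math.log2(sum(2 ** b for b in bits))
    return {"lm_stored": True, "halves": halves, "half_bits": bits,
            "naive_bits": naive_bits(password), "attack_bits": attack_bits}


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "correct horse battery staple"):
        print(pw, lm_exposure(pw))
```

For a 9-character "complex" password the policy credits roughly 59 bits, but the LM split leaves a 7-character upper-case half of under 43 bits plus a 2-character half, which is exactly the range pre-computed tables cover; at 15 characters the LM hash disappears entirely.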
This is all interesting, but it's pointless. It's fighting a lost war. We need biometric identifiers and/or physical tokens. This passphrase/password stuff is for the boids. (Let's not even mention the "secret question" madness.)
