Unfortunately for us the guys at L0pht already thought of this one, and now
try easy substitutions like this. For example, as part of the "hybrid"
crack feature in L0phtCrack it would try to replace an "e" with a "3", an
"s" with a "$", an "i" or an "l" with a "1", etc. Furthermore, you have to
remember that most people will just use a regular word, and append the rest
of the required policy to it: if the policy requires 8 chars, of which
2 are numbers and one is a punctuation symbol, unfortunately most users will use
something like "Hello11!". This translates into "Hello11" and "!". The
second password will be cracked in seconds, and the first (on a decent
machine with hybrid crack mode) in about 2 hours. If you don't believe me,
try it for yourself. Scary results.
After all of this, in my opinion, there are very few real solutions to NT
password management: either implement syskey, which may break LOTS of
things, or go with an OTP system like SecureID or Axent's Defender.
Hope this helps,
-Igor Gashinsky, GCIA
PS: I am not a big fan of Windows, and for the life of me can't figure out
why they didn't use a decent salt schema.
At 02:56 PM 4/7/00 -0400, David Leach wrote:
>Wouldn't it be just as easy (and less expensive) to teach your users how
>to create memorable secure passwords?
>like my favorite TV show is: Th3\/F1L3$ (read thexfiles)
>or my favorite song is: \/g1RlfR13nd (read xgirlfriend)
>or my favorite movie is: ph@nt0mm3n@ce (read phantommenace)
>
>these are easy enough to remember but difficult to break and still adhere
>to your security policies
>
>David Leach MCSE+I
>Systems Security Engineer
>Electronic Warfare Associates,
>Information and Infrastructure Technologies, Inc.
>
>>>> Igor Gashinsky <[EMAIL PROTECTED]> 04/07/00 01:30PM >>>
>If you are really paranoid about the password policy (read: cautious), and
>worry that your users won't be able to remember the passwords, perhaps
>hand-held tokens like SecureID are the answer. All the users have to
>remember is the 4 digit PIN, and where they left the token ;)
>
>Hope this helps,
>
>-Igor Gashinsky, GCIA
>
>At 12:39 PM 4/7/00 -0400, Andrew Bastien wrote:
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>This is overkill. While it certainly sounds as if this would require
>>secure passwords, a situation has been created where passwords will be so
>>difficult for users to remember that they'll be writing them down, or
>>they'll just use a sequence to get past password changes (i.e. password1,
>>password2, etc.). Then all security goes out the window.
>>
>>An eight character minimum is a good policy, simply because of the way
>>authentication works in NT. A mix of upper and lower case is a good idea,
>>because it makes brute force attacks much more difficult than they would be
>>against only lower case passwords (52^8 vs. 26^8). Brute force attacks
>>shouldn't work anyway because you should be locking accounts after a few
>>bad login attempts, but this still doesn't hurt.
>>
>>Once you get beyond this point, I think you need to choose priorities. If
>>you want to require users to memorize stronger passwords, with digits and
>>punctuation, it's not necessarily a good idea to also enforce frequent
>>password changes. If you want frequent changes, you might have to live
>>with passwords that will be somewhat less secure but easier for users to
>>remember.
>>
>>btw, you might also want to find out about passfilt.dll:
>>http://support.microsoft.com/support/kb/articles/q161/9/90.asp?LNG=ENG&SA=TECH&FR=1
>>
>>
>>- -----Original Message-----
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>>Sent: April 07, 2000 12:16
>>To: Mailing Lists
>>Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>>Subject: Re: WinNT Passwords Policy
>>
>>Here you go.
>>
>>1) Minimum of 10 characters (NT supports up to 14)
>>2) Must contain at least one capitalized letter, one lower case letter
>>   and one digit
>>   (and if you want, one of ":;().,<>!@#$%^&*-_=+")
>>3) Must not be similar to previous password
>>4) Can not be any of the last 15 passwords
>>5) Can not resemble the user ID
>>6) Every user gets their own unique ID
>>7) No shared ID's
>>
>>That's about it.
>>
>>--------------------------------------------------------------------------------
>>Jerry T. Kendall, CISSP                  Celestica International Inc.
>>Manager, Worldwide Information Security  12 Concorde Place, 7th Floor
>>Corporate Information Security           Toronto, Ontario, M3C 3R8, CANADA
>>http://www.celestica.com                 Tel: +1.416.386.7739
>>[EMAIL PROTECTED]                        Fax: +1.416.386.7707
>>--------------------------------------------------------------------------------
>>
>>Mailing Lists <[EMAIL PROTECTED]> on 04/07/2000 12:06:55 PM
>>
>>  To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>>  cc: (bcc: Jerry Kendall/Inc/Celestica)
>>  Subject: WinNT Passwords Policy
>>
>>Hi all,
>>
>>I'd like to have your opinion and personal experience regarding what policy
>>to implement when dealing with passwords on a pure Windows Network (Windows
>>98, Windows NT 4 workstation and servers, Windows NT 2000 professional and
>>server). The NT domain is based on a NT Server 4 SP5, and the users get
>>mail from MS Exchange 5.5 SP3.
>>
>>At my old job, we had a mixed environment of WinNT, Linux and Suns, so the
>>policy was to have a password of at least 8 characters long, containing
>>upper and lower case letters, numbers and one of those:
>>:;().,<>!@#$%^&*-_=+
>>
>>I just want your opinion as to whether, in a pure NT environment, I need to
>>have something that strict, or whether I can loosen it up a little and keep the
>>same strength.
>>
>>What is your opinion and what do you use/recommend in that matter?
>>
>>Thanks!
>>
>> -+-
>>Mario Biron, CCA, System Administrator
>>DNRC Title: Official and Proud Sponsor of the Y2K Problem
>>
>>- -
>>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>>"unsubscribe firewalls" in the body of the message.]
>>
>>-----BEGIN PGP SIGNATURE-----
>>Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
>>
>>iQA/AwUBOO4QcD1j58pgs53KEQJ+OgCfTeXSwXPRnG8NStC1b8T2Oj/AK+gAn0HS
>>H53shIGtPiuKXBATV6YczM6c
>>=TkP0
>>-----END PGP SIGNATURE-----
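The checks argued over in this thread, put together as one small Python filter: Jerry's rule list (with the 8-character minimum Andrew endorses), the "word plus the required extras" and leet-substitution patterns Igor says L0phtCrack's hybrid mode recovers, Andrew's password1/password2 sequence, and the LM split that turns "Hello11!" into "Hello11" and "!". This is an added example, not code from anyone on the list; the substitution map, the miniature wordlist and the user-ID similarity rule are constructed assumptions, and the sample passwords are the ones quoted in the thread.

```python
import itertools
import string

# Punctuation set quoted in the thread's policies (Mario's list and Jerry's rule 2).
PUNCTUATION = set(":;().,<>!@#$%^&*-_=+")

# Leet substitutions a hybrid crack tries, taken from the thread's own examples:
# e->3, s->$, i/l->1 (Igor) and a->@, o->0, x->"\/" (David's passwords).
# "1" is ambiguous, so every reading is tried. Constructed map; a real filter
# would carry a much larger one.
SUBSTITUTIONS = {"3": ("e",), "$": ("s",), "1": ("i", "l"), "@": ("a",), "0": ("o",)}

# Constructed miniature wordlist standing in for a cracker's dictionary.
WORDLIST = {"hello", "password", "welcome", "thexfiles", "xgirlfriend", "phantommenace"}

_EDGE_CHARS = string.digits + string.punctuation


def stem(password):
    """Drop leading/trailing digits and punctuation: the 'word + required extras' pattern."""
    return password.strip(_EDGE_CHARS)


def deleet(password):
    """Yield every plain-text reading of a password under SUBSTITUTIONS."""
    text = password.replace("\\/", "x").lower()
    choices = [SUBSTITUTIONS.get(ch, (ch,)) for ch in text]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def dictionary_readings(password):
    """Words a hybrid crack would recover from the password, if any."""
    found = set()
    # Undo substitutions first (catches Th3\/F1L3$), then undo them after stripping
    # the appended digits/punctuation (catches Hello11!, where the 1s are not letters).
    for reading in deleet(password):
        found.update(w for w in (reading, stem(reading)) if w in WORDLIST)
    found.update(w for w in deleet(stem(password)) if w in WORDLIST)
    return found


def lm_halves(password):
    """Split as the LM hash does: upper-case, pad to 14 bytes, two independent 7-byte halves."""
    padded = password.upper().ljust(14, "\0")
    return padded[:7].rstrip("\0"), padded[7:].rstrip("\0")


def policy_violations(password, user_id, history=(), min_length=8):
    """Jerry's rule list as an explicit check; returns the rules the password breaks."""
    violations = []
    if len(password) < min_length:
        violations.append("shorter than %d characters" % min_length)
    if len(password) > 14:
        violations.append("longer than the 14 characters NT supports")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not PUNCTUATION & set(password):
        violations.append("no punctuation from the policy set")
    uid, low = user_id.lower(), password.lower()
    if uid and (uid in low or low in uid):
        violations.append("resembles the user ID")
    if password in history:
        violations.append("reused from password history")
    # "Not similar to previous": same core word once the appended extras are removed
    # (the password1 -> password2 sequence Andrew describes).
    if history and stem(history[-1]) and stem(password).lower() == stem(history[-1]).lower():
        violations.append("only the appended digits/punctuation changed")
    return violations


def assess(password, user_id, history=()):
    """Combine the policy check with the two weaknesses Igor describes."""
    first, second = lm_halves(password)
    return {
        "violations": policy_violations(password, user_id, history),
        "dictionary_readings": sorted(dictionary_readings(password)),
        "lm_halves": (first, second),
        # A second LM half shorter than 7 bytes is recovered almost instantly.
        "short_lm_half": len(second) < 7,
    }


if __name__ == "__main__":
    for pw in ("Hello11!", "Th3\\/F1L3$", "ph@nt0mm3n@ce", "password2"):
        print(pw, assess(pw, "jdoe", history=("password1",)))
```

Note what the two halves of the check say about the thread's examples: "Hello11!" passes every rule in the list yet still reads as "hello" after the extras are stripped and leaves a one-character LM half, while David's Th3\/F1L3$ passes the rules but reads as "thexfiles" once the substitutions are undone. A policy rule list alone does not catch either; the dictionary and split checks are what a custom passfilt.dll would have to add.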