RE: Password complexity question

2013-02-06 Thread Stu Sjouwerman
We have just come out with a Security Awareness Training for consumers.
This is from that course (available on Home Shopping Network).
(Rule #5 answers your question.)

Here are Kevin Mitnick’s 10 Rules for Stronger Passwords

1. Don’t tell your passwords to anyone! Nobody should ask for your passwords,
and you should never give your passwords to anyone. Normally, tech support
does not need your password to get into your account, so there’s no reason for
a legitimate tech support person to ever ask for your password.

2. Don’t use simple dictionary words, pets’ names, or people’s names for
passwords. Avoid easy-to-guess numbers, such as your age, zip code, birthday,
or anniversary.

3. Use passwords that are at least 20 characters long. And do not write them
down where they can be easily found.

4. Create a “pass phrase” instead of just one word (for example, $3 for the
pirate hat). Or think up a few nonsense words that you can remember easily
(for example, Betty was smoking tires and playing tuna fish).

5. Use a different password for each website. Do not use simple patterns like
“password1”, “password2”, “password3” or “amazon4me”, “netflix4me”, “yahoo4me”
for different sites – those are too easy to guess.

6. Change your passwords for sensitive web sites (such as your online banking)
every 60-90 days. Do not use easy-to-guess patterns when you change them.

7. If you think someone may have learned your password, change it immediately.
Then check the websites where you use that password for any signs of misuse –
starting with your online banking site.

8. Sometimes websites ask you to enter the answer for a “security question” you
can use if you forget your password. Make your answer to the security question
just as hard to guess as your password.

9. If your bank or webmail offers you extra security features, use them!

10. Consider using a password manager such as KeePass or Password Safe.
Password managers make your Internet use a lot safer and easier.


From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 31, 2013 9:17 AM
To: NT System Admin Issues
Subject: Password complexity question

I have seen a few articles on password cracking and using unrelated words, so I 
have a question

Given the “Making complex passwords” section here:
http://www.digitaltrends.com/mobile/crack-this-how-to-pick-strong-passwords-and-keep-them-that-way/

Could you use a fairly simple method to identify what the password is for and 
still have it tough to crack? I’m guessing no, but have to ask

For a twitter account: Twitter1 vodka eagles!
Then for a Facebook account: Facebook2 vodka eagles!
Ebay: Ebay3 vodka eagles!

Then follow that same pattern for the various accounts. While it seems like bad 
practice to include the service name as part of the password I thought I’d ask 
your guys’ opinion. It’s at least better than using the same password for 
everything…or is it?
David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



RE: Password complexity question

2013-02-01 Thread David Lum
That's actually the article I read that kicked off my e-mail to you guys, LOL.

-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: Thursday, January 31, 2013 7:36 PM
To: NT System Admin Issues
Subject: Re: Password complexity question

On 31 Jan 2013 at 14:16, David Lum  wrote:

> 
> I have seen a few articles on password cracking and using unrelated words,
> so I have a question Given the "Making complex passwords" section here:
> http://www.digitaltrends.com/mobile/crack-this-how-to-pick-strong-password
> s-and-keep-them -that-way/ Could you use a fairly simple method to
> identify what the password is for and still have it tough to crack? I'm
> guessing no, but have to ask For a twitter account: Twitter1 vodka eagles!
> Then for a Facebook account:Facebook2 vodka eagles! Ebay: Ebay3 vodka
> eagles! Then follow that same pattern for the various accounts. While it
> seems like bad practice to include the service name as part of the
> password I thought I'd ask your guys' opinion. It's at least better than
> using the same password for everything...or is it? 

It is.  But I would recommend using a password manager like LastPass or KeePass 
with one very strong password to access it rather than worry about individual 
passwords and patterns.

FWIW, I came across this earlier today:

More interesting news: passPHRASES aren't more secure, since the 
dictionary attacks now use them as well.

Grammar badness makes cracking harder the long password | Ars Technica

When it comes to long phrases used to defeat recent advances in 
password cracking, bigger isn't necessarily better, particularly when 
the phrases adhere to grammatical rules. ... A team of Ph.D. and grad 
students at Carnegie Mellon University and the Massachusetts 
Institute of Technology have developed an algorithm that targets 
passcodes with a minimum number of 16 characters and built it into 
the freely available John the Ripper cracking program. The result: it 
was much more efficient at cracking passphrases such as 
"abiggerbetter password" or "thecommunistfairy" because they followed 
commonly used grammatical rules-in this case, ordering parts of 
speech in the sequence "determiner, adjective, noun." When tested 
against 1,434 passwords containing 16 or more characters, the 
grammar-aware cracker surpassed other state-of-the-art password 
crackers when the passcodes had grammatical structures, with 10 
percent of the dataset cracked exclusively by the team's algorithm.

See:
http://arstechnica.com/security/2013/01/grammar-badness-makes-cracking-harder-the-long-password/

One thing I do to mitigate dictionary attacks: m11spelll wuurds wh33n EEYYEE 
yuuse tthheemm iiNn P@@ssww00rdd5z. Not sure how long the black hats will 
take to add stuff like this ;-) but it's just an arms race.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/










Re: Password complexity question

2013-01-31 Thread Ben Scott
On Thu, Jan 31, 2013 at 10:35 PM, Angus Scott-Fleming
 wrote:
> More interesting news: passPHRASES aren't more secure, since the
> dictionary attacks now use them as well.

  Um, the point of passphrases isn't that attackers weren't attacking
them.  The point is to increase the total keyspace while being easier
for people to remember.

-- Ben



Re: Password complexity question

2013-01-31 Thread Angus Scott-Fleming
On 31 Jan 2013 at 14:16, David Lum  wrote:

> 
> I have seen a few articles on password cracking and using unrelated words,
> so I have a question Given the "Making complex passwords" section here:
> http://www.digitaltrends.com/mobile/crack-this-how-to-pick-strong-password
> s-and-keep-them -that-way/ Could you use a fairly simple method to
> identify what the password is for and still have it tough to crack? I'm
> guessing no, but have to ask For a twitter account: Twitter1 vodka eagles!
> Then for a Facebook account:Facebook2 vodka eagles! Ebay: Ebay3 vodka
> eagles! Then follow that same pattern for the various accounts. While it
> seems like bad practice to include the service name as part of the
> password I thought I'd ask your guys' opinion. It's at least better than
> using the same password for everything...or is it? 

It is.  But I would recommend using a password manager like LastPass or KeePass 
with one very strong password to access it rather than worry about individual 
passwords and patterns.

FWIW, I came across this earlier today:

More interesting news: passPHRASES aren't more secure, since the 
dictionary attacks now use them as well.

Grammar badness makes cracking harder the long password | Ars Technica

When it comes to long phrases used to defeat recent advances in 
password cracking, bigger isn't necessarily better, particularly when 
the phrases adhere to grammatical rules. ... A team of Ph.D. and grad 
students at Carnegie Mellon University and the Massachusetts 
Institute of Technology have developed an algorithm that targets 
passcodes with a minimum number of 16 characters and built it into 
the freely available John the Ripper cracking program. The result: it 
was much more efficient at cracking passphrases such as 
"abiggerbetter password" or "thecommunistfairy" because they followed 
commonly used grammatical rules-in this case, ordering parts of 
speech in the sequence "determiner, adjective, noun." When tested 
against 1,434 passwords containing 16 or more characters, the 
grammar-aware cracker surpassed other state-of-the-art password 
crackers when the passcodes had grammatical structures, with 10 
percent of the dataset cracked exclusively by the team's algorithm.

See:
http://arstechnica.com/security/2013/01/grammar-badness-makes-cracking-harder-the-long-password/

One thing I do to mitigate dictionary attacks: m11spelll wuurds wh33n EEYYEE 
yuuse tthheemm iiNn P@@ssww00rdd5z. Not sure how long the black hats will 
take to add stuff like this ;-) but it's just an arms race.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
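Ben's point is that a passphrase enlarges the total keyspace, and the Ars piece Angus quotes is that grammatical structure shrinks it again because the cracker only has to try words that fit each part-of-speech slot. The following Python puts numbers on both, and on the "site name + shared phrase" construction from David's original question. It is an added example, not code from the thread or from any of its participants; the word-list size, the per-slot counts, the 95-symbol alphabet and the guess rate are all constructed assumptions, marked as such in the code.

```python
"""Keyspace comparison for the password schemes discussed in this thread.

Added example; not code from the thread or from any of its participants.
Every dictionary size, slot size and guess rate below is a constructed
assumption chosen for illustration, not a measurement.
"""
import math
from typing import Dict, Sequence

# Constructed assumptions used by summary().
PRINTABLE_ASCII = 95              # symbols available for a random character password
DICEWARE_WORDS = 7776             # size of a typical diceware-style word list
GRAMMAR_SLOTS = (10, 1000, 5000)  # determiner, adjective, noun candidates per slot
GUESSES_PER_SECOND = 1e10         # assumed offline guess rate against a fast hash


def keyspace_bits_random(alphabet_size: int, length: int) -> float:
    """Bits of keyspace for `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def keyspace_bits_wordlist(words_in_list: int, word_count: int) -> float:
    """Bits for `word_count` words chosen uniformly and independently from a
    list of `words_in_list` words. This is what makes a passphrase strong even
    when the attacker knows the list and the word count: the keyspace is D ** n."""
    return word_count * math.log2(words_in_list)


def keyspace_bits_grammar(slot_sizes: Sequence[int]) -> float:
    """Bits when every word must fit a part-of-speech slot (the structure the
    grammar-aware cracker exploits). Each slot only admits the words of that
    class, so the keyspace is the product of the slot sizes, far below D ** n."""
    return sum(math.log2(n) for n in slot_sizes)


def effective_bits_site_prefix(shared_secret_bits: float) -> float:
    """The 'Twitter1 vodka eagles!' construction: the site name and counter are
    derivable from the account itself, so only the shared part is secret."""
    return shared_secret_bits


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case seconds to try the entire keyspace at a given guess rate."""
    return 2.0 ** bits / guesses_per_second


def summary() -> Dict[str, float]:
    """Bits of keyspace for each scheme under the constructed assumptions."""
    # 'vodka eagles!' modelled as two list words plus one of 32 trailing symbols.
    shared_part = keyspace_bits_wordlist(DICEWARE_WORDS, 2) + math.log2(32)
    return {
        "random 8 printable chars": keyspace_bits_random(PRINTABLE_ASCII, 8),
        "4 random list words": keyspace_bits_wordlist(DICEWARE_WORDS, 4),
        "3 words, det-adj-noun grammar": keyspace_bits_grammar(GRAMMAR_SLOTS),
        "site prefix + shared phrase": effective_bits_site_prefix(shared_part),
    }


if __name__ == "__main__":
    for scheme, bits in summary().items():
        days = seconds_to_exhaust(bits, GUESSES_PER_SECOND) / 86400
        print(f"{scheme:32s} {bits:6.1f} bits  ~{days:.3g} days to exhaust")
```

Under these assumptions four random list words (about 51.7 bits) are on a par with eight random printable characters (about 52.6 bits), while three words forced into a determiner-adjective-noun shape collapse to about 25.6 bits, which is the effect the Ars article describes. The numbers shift with the list and slot sizes you plug in, but the ordering does not: what counts is how many choices were actually free when the phrase was made, not how many characters it has.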








Re: Password complexity question

2013-01-31 Thread Ben Scott
On Thu, Jan 31, 2013 at 9:16 AM, David Lum  wrote:
> For a twitter account: Twitter1 vodka eagles!
> Then for a Facebook account: Facebook2 vodka eagles!
>
> Then follow that same pattern for the various accounts. While it seems like
> bad practice to include the service name as part of the password I thought
> I’d ask your guys’ opinion. It’s at least better than using the same
> password for everything…or is it?

  Problem there, once the password is cracked, it's cracked for all
the other services, too.

  I suppose it might stop some unsophisticated, strictly automated
attacks, i.e., someone's got an entire database and is just going
after the low-hanging fruit.

  But ultimately, it's approaching the problem the wrong way, so
you're just going further down the wrong road.  Better to have a
working solution.

-- Ben
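Ben's objection, that the per-site prefix carries nothing an attacker doesn't already know, can be turned into a check against one's own password-manager export: strip whatever is derivable from the site name, drop the counter digits, and see which entries are left sharing the same residual secret. The following Python is an added example, not code from the thread or from any of its participants; the vault entries are constructed, and the `site_tokens` and `residual_secret` helpers with their stripping rules are assumptions made for illustration.

```python
"""Flag 'site name + shared phrase' reuse in a list of (site, password) pairs.

Added example; not code from the thread or from any participant. The vault
below is constructed, and the stripping rules are an illustrative assumption:
a real audit would also strip other derivable tokens (company name, year, ...).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample of a password-manager export (site, password).
SAMPLE_VAULT: List[Tuple[str, str]] = [
    ("twitter.com", "Twitter1 vodka eagles!"),
    ("facebook.com", "Facebook2 vodka eagles!"),
    ("ebay.com", "Ebay3 vodka eagles!"),
    ("bank.example", "correct horse battery staple"),
    ("mail.example", "x7#Qm2!pLz9&Vw"),
]

# Host labels that carry no information about the service itself.
GENERIC_LABELS = {"www", "com", "net", "org", "example"}


def site_tokens(site: str) -> List[str]:
    """Tokens anyone could derive from the account's host name
    ('https://www.twitter.com/login' -> ['twitter'])."""
    host = site.lower().split("://")[-1].split("/")[0]
    return [label for label in host.split(".") if label not in GENERIC_LABELS]


def residual_secret(site: str, password: str) -> str:
    """Remove the site-derived tokens and any digit runs (the 1, 2, 3 counter),
    leaving the part of the password that is genuinely secret."""
    residual = password
    for token in site_tokens(site):
        residual = re.sub(re.escape(token), "", residual, flags=re.IGNORECASE)
    residual = re.sub(r"\d+", "", residual)
    return re.sub(r"\s+", " ", residual).strip().lower()


def find_pattern_reuse(vault: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group sites whose residual secret is identical. Every site in a group of
    two or more is exposed as soon as any one of their passwords leaks, which is
    the failure mode Ben describes above."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for site, password in vault:
        groups[residual_secret(site, password)].append(site)
    return {secret: sites for secret, sites in groups.items() if len(sites) > 1}


if __name__ == "__main__":
    for secret, sites in find_pattern_reuse(SAMPLE_VAULT).items():
        print(f"shared secret {secret!r} reused across: {', '.join(sites)}")
```

Run against the constructed vault, the three "vodka eagles!" entries are reported as one reuse group while the two independent passwords are not. The point of the check is not to rate the phrase itself but to show that, once the site-derived part is discounted, those three accounts are protected by a single secret.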




RE: Password complexity question

2013-01-31 Thread Ziots, Edward
Basically if you have enough time and computer power any password can be 
cracked; it is only made easier with Rainbow Crack and rainbow tables, where 
all the hashes are precomputed and just need to match. (See the Cain and Abel 
tool.)

I would use passphrases with complexity in them and change them often enough, along 
with disabling storage of the LM hashes on systems. For systems that need extra 
protection look into two-factor authentication.

Z

Edward E. Ziots, CISSP, Security+, Network+
Security Engineer
Lifespan Organization
ezi...@lifespan.org

This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.


From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 31, 2013 9:17 AM
To: NT System Admin Issues
Subject: Password complexity question

I have seen a few articles on password cracking and using unrelated words, so I 
have a question

Given the "Making complex passwords" section here:
http://www.digitaltrends.com/mobile/crack-this-how-to-pick-strong-passwords-and-keep-them-that-way/

Could you use a fairly simple method to identify what the password is for and 
still have it tough to crack? I'm guessing no, but have to ask

For a twitter account: Twitter1 vodka eagles!
Then for a Facebook account: Facebook2 vodka eagles!
Ebay: Ebay3 vodka eagles!

Then follow that same pattern for the various accounts. While it seems like bad 
practice to include the service name as part of the password I thought I'd ask 
your guys' opinion. It's at least better than using the same password for 
everything...or is it?
David Lum
Sr. Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

