Security UPDATE--Passphrases vs. Passwords--October 27, 2004

Learn why passphrases might be more secure than passwords. Find out about the latest security news, features, blog entries, FAQs, and forum threads.

ITPro Today

October 26, 2004

11 Min Read

To receive Security UPDATE in HTML format in the near future, click the following link

http://www.windowsitpro.com/HTML/Index.cfm?NewsletterID=2&email=#emailaddr#

You need to sign up only once--no need to click each week.

To make sure that your copy of Security UPDATE isn't mistakenly blocked by antispam software, add [email protected] to your list of allowed senders and contacts.

===============

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free Patch Management White Paper from St. Bernard Software
http://www.windowsitpro.com/whitepapers/stbernard/patchmanagement/index.cfm?code=1027sec_P

Free Solution Brief: Security Protection Strategies for NT4 Devices
http://www.windowsitpro.com/whitepapers/eeye/protectionstrategies/index.cfm?code=1027sec_s

==========

==== Sponsor: St. Bernard Software ====

Free Patch Management White Paper from St. Bernard Software

Successful patch management is a core component of maintaining a secure computing environment. With a growing number of patches being released by Microsoft weekly, IT administrators must be vigilant in assuring that the machines on their networks are accurately patched. Although Microsoft offers tools to assist administrators with the tasks of patching, they are often time-consuming and far from comprehensive. However, there are solutions on the market that can reliably and accurately automate the tasks involved in successful patch management. In this free white paper, learn more about the patch management dilemma and patch management solutions. Download this free white paper now!
http://www.windowsitpro.com/whitepapers/stbernard/patchmanagement/index.cfm?code=1027sec_P

==========

==== 1. In Focus: Passphrases vs. Passwords ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

For a long time, people have argued the need for longer and more complex passwords. The idea behind the argument is that short, simple passwords are far easier to crack than long, complex ones. Some people even prefer randomly generated passwords, which can be even more difficult to crack because they typically aren't based on some alteration of a known word in a given language.

You might already know that Windows 2000 and later allow for a maximum password length of 127 characters. The allowed characters include punctuation, special characters, and even Unicode characters. The reason for the 127-character limit is that the password character array is a set of 256 bytes. Because Unicode characters require two bytes to represent one character, the maximum number of characters that can be stored in the array is 127, or half the size of the array itself.

The ability to use 127 characters allows far more complex passwords or passphrases than many of us use. I suppose the only real difference between a password and a passphrase is that a passphrase is a series of words with a space between them, and passphrases might tend to be longer than passwords.

Some of you might know of Robert Hensing, who works as a member of Microsoft's Security Incident Response Team. Hensing has a blog (syndicated at the first URL below, unsyndicated at the second URL below), and back in July, he wrote an interesting blog article (at the third URL below) that argues for the use of passphrases instead of passwords.
http://weblogs.asp.net/robert_hensing/Rss.aspx
http://weblogs.asp.net/robert_hensing/
http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx

In his article, Hensing explains why he thinks longer passphrases are superior. Essentially, it's because they take longer to crack. One can precompute a huge set of possible password hashes, then use these to minimize the time necessary to crack a given password. So shorter, single-word passwords are less secure because attackers can crack them very quickly with precomputed hashes and other password-cracking tools. But the hashes of longer passphrases that include a series of words or random character combinations are far more difficult to crack because they require far more time.

One premise behind password security is that a password should have a life span that's shorter than the time necessary to crack it. That way, the password will have been changed to something else before someone can crack it. Granted, an entity that really wants to know your password can use certain methods, such as distributed computing and super-fast computers, to crack it much faster than the average intruder could, no matter the length. But most intruders probably aren't capable of attaining such resources, so passphrases and short passphrase life spans could keep a large percentage of intruders completely at bay. Thus, they're worth considering.

To enforce the use of passphrases, you can establish policies that require a certain minimum number of characters. For example, if you require at least two dozen characters in a password, your computer users might be inclined to think of a phrase, which is of course easier to remember than a long string of characters. If you're interested in the concept, read Hensing's blog article and consider the comments from various readers.
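To make the life-span argument concrete, here is an added example (not code from the newsletter or from Hensing's post) that estimates how long a random password or a word-based passphrase would survive an exhaustive search at an assumed guessing rate, compares that estimate with the password's allowed lifetime, and checks a minimum-length policy of the kind the column suggests. The guessing rate, dictionary size and per-entry hash storage size are illustrative assumptions, not measured figures.

```python
"""Estimate password/passphrase crack time versus allowed lifetime.

Added example for the Security UPDATE column on passphrases; all rates and
dictionary sizes here are assumptions chosen for illustration.
"""
import math

SECONDS_PER_DAY = 86400

# Assumed attacker model (not from the newsletter): hashes computed per second
# and the number of words in the attacker's word list.
ASSUMED_GUESSES_PER_SECOND = 1e9
ASSUMED_DICTIONARY_SIZE = 7776   # size of a common diceware-style word list


def keyspace_random(length: int, alphabet_size: int) -> int:
    """Number of candidates for a uniformly random string of `length` symbols."""
    return alphabet_size ** length


def keyspace_passphrase(word_count: int, dictionary_size: int) -> int:
    """Candidates for a passphrase of `word_count` dictionary words.

    The attacker is assumed to know the word list, so the spaces between
    words add nothing; only the word choices count.
    """
    return dictionary_size ** word_count


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Expected search time: on average half the keyspace must be tried."""
    return keyspace / 2 / guesses_per_second


def precompute_storage_bytes(keyspace: int, bytes_per_entry: int = 16) -> int:
    """Storage needed to precompute every hash in the keyspace.

    16 bytes per entry is an assumption (one 128-bit hash, no index overhead);
    it shows why precomputation only pays off for small keyspaces.
    """
    return keyspace * bytes_per_entry


def survives_lifetime(keyspace: int, guesses_per_second: float,
                      lifetime_days: float) -> bool:
    """True when the expected crack time exceeds the password's lifetime,
    which is the premise the column describes."""
    return expected_crack_seconds(keyspace, guesses_per_second) \
        > lifetime_days * SECONDS_PER_DAY


def meets_length_policy(secret: str, minimum_length: int = 24,
                        maximum_length: int = 127) -> bool:
    """Minimum-length policy check (24 characters, the 'two dozen' example).

    Length is counted in characters, not bytes, since the 127-character
    ceiling the column cites is a character count.
    """
    return minimum_length <= len(secret) <= maximum_length


def bits_of_entropy(keyspace: int) -> float:
    """Keyspace expressed as bits, a convenient single number to compare."""
    return math.log2(keyspace)


if __name__ == "__main__":
    lifetime = 90  # days between forced changes (assumed policy)
    cases = {
        "8 lowercase letters": keyspace_random(8, 26),
        "4 dictionary words":  keyspace_passphrase(4, ASSUMED_DICTIONARY_SIZE),
        "6 dictionary words":  keyspace_passphrase(6, ASSUMED_DICTIONARY_SIZE),
    }
    for label, space in cases.items():
        secs = expected_crack_seconds(space, ASSUMED_GUESSES_PER_SECOND)
        print(f"{label:20s} {bits_of_entropy(space):6.1f} bits  "
              f"~{secs / SECONDS_PER_DAY:12.2f} days to crack  "
              f"outlives {lifetime}-day lifetime: "
              f"{survives_lifetime(space, ASSUMED_GUESSES_PER_SECOND, lifetime)}")
```

Note that under these assumptions an eight-letter password falls in seconds and even four dictionary words do not outlast a 90-day rotation period, while six words do; the minimum-length policy is what nudges users toward the longer form.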

==========

==== Sponsor: eEye Digital Security ====

Free Solution Brief: Security Protection Strategies for NT4 Devices

Do you have legacy applications running on NT4? Did you know that Microsoft will no longer support the platform with security hot-fixes, leaving many organizations without a credible protection strategy? Enterprises worldwide are frequently faced with the task of migrating their critical digital assets to newer, more advanced platforms as vendors 'sunset' or 'end of life' older platforms and versions. Unfortunately, this upgrade is not always an option for certain market verticals or types of assets within the enterprise. Download this free white paper to learn how to protect the Windows platform without relying on patching.
http://www.windowsitpro.com/whitepapers/eeye/protectionstrategies/index.cfm?code=1027sec_s

==========

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.windowsitpro.com/departments/departmentid/752/752.html

Using WMI Filters with GPOs
Most IT pros are familiar with the two most common methods for applying Group Policy: directly on the container (e.g., site, domain, organizational unit--OU, local object) and indirectly through security permission restrictions. In Windows Server 2003, Microsoft added Windows Management Instrumentation (WMI)-filtering capabilities to let you further hone the scope of a Group Policy Object (GPO). WMI filters let you apply a GPO to only those members of a container that satisfy the criteria the filter specifies. Jeff Fellinge explains how WMI works in this article on our Web site.
http://www.winnetmag.com/Article/ArticleID/44066/44066.html

Windows XP Pro x64 Data Protection Features
Due in the first half of 2005, Windows XP Professional x64 Edition will include virtually all the features from the 32-bit Windows XP Professional except for the 16-bit subsystem that enables DOS application compatibility and various legacy protocols such as Apple Computer's AppleTalk and NetBEUI. In this article, Paul Thurrott takes a look at the data-protection features in XP Pro x64.
http://www.winnetmag.com/Article/ArticleID/44134/44134.html

==========

==== Announcements ====
(from Windows IT Pro and its partners)

IT Security Solutions Roadshow--Best Practices for Securing Your Business from McAfee, Microsoft, and RSA Security
Join us for this free half-day event that will give you the practical hands-on experience you need to help secure your organization. Take your security to the next level with topics such as antivirus, intrusion prevention, vulnerability discovery, management, and more. Attend and enter to win tickets to a professional sports game. Register now!
http://www.windowsitpro.com/roadshows/security/index.cfm?code=1025emailannc

Enter to Win a TiVo at the Windows IT Pro eNewsletter Center
Did you know Windows IT Pro has 12 free email newsletters to help you find up-to-date, fast information about the topics you care about? Sign up now for any of our email newsletters and be entered for a chance to win a TiVo and a lifetime subscription to TiVo service.
http://www.windowsitpro.com/email

The Email Security Center--Your First Line of Defense Against Unwanted Email
The Email Security Center provides valuable tools and expertise to help secure your messaging services against attacks and unsolicited email. Our experts share the latest trends, guidance, and resources for understanding and blocking spam, viruses, and attacks while saving bandwidth, conserving server capacity, and minimizing administration costs. Sign up today!
http://www.windowsitpro.com/emailsecurity/index.cfm?code=1025emailannc

New half-day seminar! The Enterprise Alliance Roadshow
Come and join us for this free event and find out how a more strategic and holistic approach to IT planning helps organizations increase operational efficiency and facilitate the implementation of new technology. Sign up today. Space is limited.
http://www.windowsitpro.com/roadshows/serverconsolidation/index.cfm?code=1025annc

==========

==== Events Central ====
(A complete Web and live events directory brought to you by Windows IT Pro at http://www.windowsitpro.com/events )

New! Beware the Exchange Strangler: How a Silent Killer Is Taking Names and Bringing Down Email Servers
There is a silent killer stalking Exchange Servers in the form of "directory harvest attacks" that steal email directory names and quickly strangle server performance. In this free Web seminar, learn how to stop this "Exchange Strangler" before it can pilfer your email directory names and bring your email system to its knees. Register now!
http://www.windowsitpro.com/seminars/directoryharvestattacks/index.cfm?code=1025emailannc

==========

==== Contact Us ====
About the newsletter -- [email protected]
About technical questions -- http://www.windowsitpro.com/forums
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]

===============

This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

http://www.secadministrator.com/rd.cfm?code=00ep254xeb

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
