[Dshield] Password Strength

Chris isc.chris at gmail.com
Mon Oct 18 12:29:23 GMT 2004


Passphrases (the use of a phrase as opposed to a word to provide
verification of identity) are an excellent way to increase the
difficulty in cracking a password for several reasons.

A passphrase is much longer than a password, and therefore more
difficult to crack.

It is much easier for the average user to incorporate uppercase,
lowercase, numerical and special characters, increasing the difficulty
to crack.

It's much easier for a user to remember passphrases (My3rdSecretPassphrase!)
than it is secure passwords (P@ssw0rd) so the user is much less likely
to write it down.

I've yet to see a dictionary of passphrases so the attacker is left
with only brute force as a method to crack the password, something
that in the 22 char passphrase above that includes uppercase,
lowercase, numerical and special characters would take quite a while.

If you're running a Windows (Active Directory) environment, to avoid
the issue of longer passwords being as easy or easier to crack than
shorter ones, just make sure that you set
'Do not store LAN Manager hash value on next password change' to enabled.

Some very old apps including any third party app that -needs- a LM
password will fail if that option is set, so be careful.  Also, if you
set that option in a working domain, all users will be required to change
their password on the next login.

That option is available in 2003, and I -believe- it is available in
2000 as well.  I could be wrong though.


On Mon, 18 Oct 2004 11:56:32 +0100, Jorge Fernandes
<jorgefernandes at cmvm.pt> wrote:
> Since we're talking about password length/strength I'd like your opinion
> on Robert Hensing's article:
> 
> "Why you shouldn't be using passwords of any kind on your Windows
> networks . . . ":
> http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
> With the corrections he made on his main page:
> http://blogs.msdn.com/robert_hensing/
> 
> It concerns the use of pass-phrases instead of passwords and I would
> really appreciate your thoughts on the subject.
> 
> Best Regards
> Jorge Fernandes
> 

-- Chris 
We are ready for any unforeseen event that may or may not occur. 
Dan Quayle  9/22/90
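
An added example, not part of the original message: a Python model of the LAN Manager storage behaviour behind the setting discussed above, comparing exhaustive-search bounds for the two example strings in the message. It assumes a 94-character printable ASCII search alphabet (68 once LM folds lowercase to uppercase); the function names are illustrative.

```python
import math

FULL_ALPHABET = 94   # assumed: printable ASCII without space
LM_ALPHABET = 68     # the same set after LM folds lowercase into uppercase
LM_MAX_LEN = 14      # passwords longer than this get no LM hash stored
LM_HALF = 7          # LM hashes each 7-character half independently


def lm_halves(password):
    """Return the two halves LM hashes separately, or None if no LM hash exists."""
    if len(password) > LM_MAX_LEN:
        return None
    folded = password.upper().ljust(LM_MAX_LEN, "\0")  # uppercase, NUL-pad to 14
    return folded[:LM_HALF], folded[LM_HALF:]


def nt_bits(password):
    """log2 of the exhaustive-search space when only the whole password is hashed."""
    return len(password) * math.log2(FULL_ALPHABET)


def lm_bits(password):
    """log2 of the exhaustive-search space via the LM hash, or None if none is stored."""
    halves = lm_halves(password)
    if halves is None:
        return None
    # Each half is searched on its own, so the costs add instead of multiplying.
    work = sum(LM_ALPHABET ** len(h.rstrip("\0")) for h in halves)
    return math.log2(work)


def report(password):
    """One-line summary of both bounds for a password."""
    lm = lm_bits(password)
    lm_text = "no LM hash stored" if lm is None else f"{lm:.1f} bits via LM"
    return f"{password!r}: {nt_bits(password):.1f} bits without LM, {lm_text}"


if __name__ == "__main__":
    # The two example strings from the message, plus a constructed 14-character one.
    for sample in ("P@ssw0rd", "My3rdSecretPassphrase!", "P@ssw0rdP@ssw0"):
        print(report(sample))
```

With an LM hash stored, going from 7 to 14 characters adds only about one bit of search effort, while the 22-character passphrase never produces an LM hash at all.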
