Slashdot Mirror

← Back to Stories (view on slashdot.org)

MS Employee Calls for No More Passwords

Posted by Zonk on from the wise-man-in-a-unique-position dept.

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like LoftCrack make passwords obsolete and dangerous in the windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes, (and we know exactly where that leads) this is a simple idea I'm surprised more people haven't been doing this more often."

4 of 614 comments (clear)

  1. Re:Biometrics by dexterpexter · · Score: 5, Informative

    Yes. Actually, I did a fair amount of research in biometrics and found that for most systems, you don't even need to make fake fingers or gloves. In fact, many biometric systems will work with simply a black and white photocopy of the person's fingerprint with a heated hand (your own) behind it while its held up to the scanner. It depends on whether is static-based or image-based. Same goes for retina scanners. Some systems can be fooled with a high-quality picture of an eye.

    Even worse, some fingerprint-based biometric sensors that were being toted as secure were able to be broken by simply blowing warm breath on the reader, much like when you go up to a cold, glassy window and fog it with your breath. The biometric sensors, for one reason or another, read the previous fingerprint.

    Again, it all depends on which system is in question, but my research found that most biometric systems were able to be broken, sans bloody, cut-off fingers or jelly replicas. Of course, they are toted as super-secure.

    That is why the fundamental rule for using biometrics for authentication is as follows:
    Biometrics aren't meant to replace passwords/passphrases. They are meant to be used as an added layer of security in addition to the password.

    (As a side note, if you wanted to do more than just get the copy of fingerprints, invite someone out for beer and french fries at the local bar and bring some scotch tape with you. When they are done and leave, take their greasy, finger-print covered glass and apply the scotch tape to it. You will lift the oily fingerprint. Depending on how the system works, you can now use watery ink to get a negative of the fingerprint. Print this onto the old boards they used to hand-make printed circuit boards, etch the board with chemicals, and come out with a fairly 3-D version of the fingerprint. Now, make your standard flat, thin jelly mold and, when set, wrap it on your finger. Viola!)

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  2. Re:Offer Void on pre-2000 MS operating systems. by jacksonj04 · · Score: 5, Informative

    I've just tested this on my 2003 Active Directory with an account with a 127 character password. Changing the last character caused the password to be rejected, so unless it uses 126 characters and dumps the last one then it seems to be a true 127 character password.

    Took a bloody age to authenticate though.

    --
    How many people can read hex if only you and dead people can read hex?
  3. absolutely! by dexterpexter · · Score: 5, Informative

    Yep. I first learned about it in my forensics coursework.

    For more information on this, this Google search produced some good sites explaining tihs.

    Also, in just conducting that search, I learned that 2000 and XP is apparently immune from this particular problem, according to this site.

    "With LM, password hashes were split into two separate 7-character hashes. This actually made passwords more vulnerable because a brute-force attack could be performed on each half of the password at the same time. So passwords that were 9 characters long were broken into one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash did not take long, and the 7-character portion could usually be cracked within hours. Often, the smaller portion could actually be used to assist in the cracking of the longer portion. Because of this, many security professionals determined that optimal password lengths were 7 or 14 characters, corresponding to the two 7-character hashes.
    ...
    But things are different with newer versions of Windows. Windows 2000 and XP passwords can now be up to 127 characters in length and so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.

    With this in mind, going longer than 14 characters may be good advice. But if you want to enforce very long passwords using group policy or security templates, don't bother - neither will allow you to set a minimum password length greater than 14 characters."

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  4. Re: It's no joke! by rush22 · · Score: 5, Informative

    Gummi bears defeat fingerprint sensors