Slashdot Mirror


MS Employee Calls for No More Passwords

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like L0phtCrack make passwords obsolete and dangerous in the Windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes (and we know exactly where that leads), this is a simple idea; I'm surprised more people haven't been doing this already."

43 of 614 comments

  1. Time involved by blueadept1 · · Score: 1, Insightful

    Given the number of times I type in my passwords each day, it would be frustrating to take even more time out of my day to type these "pass phrases" in.

    What we really need is more biometrics.

    1. Re:Time involved by Anonymous Coward · · Score: 1, Insightful

      Also, not everyone can type reliably.
      As the letters are not displayed when typing a password, people are going to be making mistakes all over the place.

  2. Re:Offer Void on pre-2000 MS operating systems. by kallisti777 · · Score: 1, Insightful


    Yet another attempt by Microsoft to force people to upgrade to the latest version of Windows.

    You know, even I'm not sure if I'm kidding.

    --
    Vanya's Law: "In any culture without irony, fart jokes will be the highest form of humor."
  3. Re:Biometrics by jbridge21 · · Score: 4, Insightful

    something you have, something you are, something you know

  4. Re:Biometrics by lachlan76 · · Score: 4, Insightful

    Biometric authentication can't be changed. I can change a password, but I can't change my fingerprints.

    This won't solve the problem of possible data interception when talking about remote
    authentication--but every form of authentication is prone to such attacks when transmitted.


    No it isn't, because if you use a salted hash (chosen by the server), you can't just replay the traffic.

  5. Re:Biometrics by mboverload · · Score: 5, Insightful
    Biometrics is the most over-rated security idea ever thought of.

    Once someone gets a copy of your fingerprint or retina, your credit card is compromised for life. You can't change your biometrics, which is why they are a total joke.

  6. One Question by Hal+The+Computer · · Score: 2, Insightful

    Would you leave your passphrase written down on every nearby surface?

    Because your fingerprints will be all over unless you wear gloves all the time.

    Other body parts aren't quite this extreme but still have similar weaknesses.

    --

    int main(void){int x=01232;while(malloc(x));return x;}
  7. Re:People are lazy by gcaseye6677 · · Score: 3, Insightful

    Even the non-lazy wouldn't be happy about long passphrases. At work, I lock my screen whenever I leave the desk, and the password protected screen saver timeout is 5 minutes in case I forget. Would I be willing to do this if I had to type out 40 characters to get back into my machine? Hell no, I'd get a Homer-Simpson-like pecking bird to keep the keyboard active while I'm gone, resulting in less security. Although I understand what this guy is saying, the idea of super long pass phrases is a non-starter in any real world environment.

  8. Re:Lol... did he think of this himself? by Otter · · Score: 2, Insightful
    If you're going to completely misunderstand him, could you at least quote his whole sentence?

    Anyway, believe it or not, "ancient Unix systems" didn't use the same password machinery as what's in your Linux distribution.

  9. Re:Why not a key? by apparently · · Score: 2, Insightful

    - the key could get lost? Can't say I like the idea of having to bring the user a new USB key each time he forgets it.
    - the key could get stolen?
    - the lazy users would keep the key in a drawer next to their PC?

  10. two obvious problems with this idea by mattdm · · Score: 4, Insightful

    1) it's just as easy (give or take the odd case where you're just able to sample a few bytes) to sniff a passphrase as a password

    2) if most people's passphrases are made of dictionary words taken from their active vocabularies, dictionary attacks are still very possible. If we figure a typical vocabulary of 25000 words and a six-word phrase, hmmm, some quick math indicates we're in the range of a 14-character random alphanumeric+punctuation password -- not too bad. (Especially if you grant people bigger vocabularies....) But, suddenly, we're open to language-based attacks -- there's probably a thesis project in here for someone to come up with good algorithms to narrow down the required attack dictionary.

  11. I've got a task for the security team... by JamieF · · Score: 2, Insightful

    Invent some source code static and dynamic analysis tools that help improve software quality as relates to security.

    Passwords matter NOT AT ALL when you can just send a packet and get full admin access without any authentication step.

    Who the hell else is better suited to innovate on security than Microsoft? We are to believe that they have 50,000 geniuses working there on groundbreaking amazing stuff... and the best thing they can come up with is a Java ripoff and a desktop search doodad? No. There are enough smart people there (or enough funds to create university research projects outside the softie-dome) to wow the world with some kickass new technology based on either genuinely new ideas, or old ideas that needed a lot of refinement to be usable on real code.

    I suspect, though, that this is something they're unwilling to do because the design itself is inherently insecure, and securing it would mean breaking 99% of shipping apps. If that's true, it means that Bill's commitment to security is just lip service. Please, Microsoft, break apps that use crappy backdoors. XP SP2 broke stuff to improve security, and that was the right decision. Apple had to do something similar with the Carbon transition (breaking old apps that correctly used well documented but ill-conceived APIs from the pre-OS X days). Microsoft could provide tools to help ISVs be compatible with a Longhorn "clean API" that doesn't let apps use deprecated, unsafe features from the bad old days of not caring about security.

    Of course, they won't.

  12. I can't type my 8 char passwords half the time by Ingolfke · · Score: 5, Insightful
    I think this method is flawed for a few reasons.
    1. Fat fingering - People fat finger their 8 char passwords already. With a 40 char pass phrase they're just that much more likely to mistype the password. If someone is mistyping 1 out of every 10 of their 8 char passwords it follows that they would only correctly type every other password if it was 40 chars long.
    2. Typing speed will be reduced - People will slow down their typing to increase their accuracy when typing a 40 char password into a text box that shows asterisks or blank space. This makes it easier for individuals looking over their shoulder to see which characters they're typing.
    3. Phrases include hints - Now someone could come up with a completely nonsense phrase, but that sort of defeats the purpose of the easy to remember pass phrase in the first place, so it's likely that individuals will use a phrase that follows standard local language grammar, which means that if someone is able to see a single piece of that phrase they are then able to narrow down the scope of the possible phrases that could be the passphrase. Of course simple passwords contain these types of hints as well.

    1. Re:I can't type my 8 char passwords half the time by NOLAChief · · Score: 3, Insightful
      I suspect one reason a lot of 8 character passwords are "fat fingered" is because anymore we're being forced to create supposedly strong passwords out of more or less random characters. Thus they are forced to type something that would not naturally be typed, so people fumble it. I know I do it at work.

      This same jumble of characters I would think would do more to kill typing speed. Again, they're "fat fingering" it because they're not typing in natural letter combinations, so when the authenticator barfs, they slow down the next time and mash each letter slowly and methodically. I think it would be faster for most people that know how to touch type (hunt and peck management types are more or less boned) to type an 8 word phrase than an 8 character random mess.

      You do have a point here, but "standard" grammar (not to mention spelling ;)) has a bad habit of widely varying over relatively narrow regions, particularly among languages like English that have very poorly defined grammatical rules. A locally-originating attack might have a chance of succeeding, but some hacker in Asia might have a harder time parsing a passphrase written by someone in the US Deep South.

  13. Re:Auto-completion by tomhudson · · Score: 2, Insightful
    You forgot that it should be pre-checked (and greyed out) for you.
    [X] Check this box to remember password
    ... and that

    turning it off should be located in some obscure dialog box in some unrelated area

    it should randomly set itself back to "remember password" without notifying you

    the next upgrade will make it the default and change where it's stored

    --

    On February 7th, Russ Nelson (Open Source Initiative president) published an article called "Blacks are lazy", quoted in journal entries here and here.

    Please consider signing the online petition asking OSI to remove Russ Nelson.

  14. Re:People are lazy by ScrewMaster · · Score: 2, Insightful

    The main obstacle is that if you exceed the (rather low) threshold of inconvenience that the bulk of users (who, after all, just want to do their jobs) will tolerate, they will simply eliminate the security altogether. Post-It notes work wonders in that regard.

    Let me give you an example of how excessive security requirements can do this. Quite a few years ago, I was doing some contract programming for a local university/teaching hospital. I was working with one of their mainframe programmers, and he told me what happened after Arthur Anderson did a security audit on their terminal users (I told you this was a while ago.) Anyway, the auditors determined that the password scheme in use was woefully inadequate, and insisted that three layers of password screens be implemented just to log in, with additional passwords for the major applications. I said that seemed kind of ridiculous. So did this guy ... he walked me over to the nearest unused terminal, pressed "F12" and the terminal spit out a macro that instantly blew past all the login pages and dropped right into the main menu. At least they had had some security before ... now they had none. Plus which the programmers had assigned individual macro keys for all the programs that had had access passwords assigned.

    Ultimately, one has to accept that security is only as good as the people that use it. You can demand all the passwords, passphrases and crap that you want, but if you get in the way of users doing their jobs they will find a way to get around it.

    That, of course, is the appeal of biometrics, that the individual user's intolerance of inconvenience is theoretically irrelevant. However, the major problem with biometric ID is that it's the kind of technology that makes administrators and security personnel lazy. Even if it works most of the time, you still shouldn't depend upon a single line of defense, but that's exactly what will happen.

    --
    The higher the technology, the sharper that two-edged sword.
  15. Re:Biometrics by timmarhy · · Score: 2, Insightful

    it doesn't matter if it's extremely hard. if it's at all possible people will go to any lengths to do it.

    --
    If you mod me down, I will become more powerful than you can imagine....
  16. Re:Biometrics by strider44 · · Score: 2, Insightful

    I think biometrics used in complement to passwords/passphrases or whatever are a much better security system, especially for credit cards or something of the like. That means that even if they get two of your credit card, your password, and your fingerprint, then they would still need to get the third before they could have access. The chances of someone getting all three without something really dirty is quite slim.

    And if someone does get all three you can always change your password and they have to get that again.

  17. Re:Quick!!! Give me an unknown 30 char quote... by Exluddite · · Score: 2, Insightful

    Yes, but there are phrases that are easily remembered yet are apocryphal even to those to whom they mean something. For instance "Dr. Lovibond and the frothy nipple of love" would probably mean nothing to anyone but myself and the one person that I was brewing beer with that day. On the other hand, he could shout "What's your passphrase?" across a crowded room, I could shout back "The frothy nipple band!", and I'd still defy anyone to guess what the passphrase was.

    --
    What does this button do...
  18. Re:Biometrics by g0sub · · Score: 3, Insightful

    Why would I want to do it so complicated? I can record the binary data representing your fingerprint and use that. Replay attacks have been around for ages.

    I only need a physical representation of your biometric data if one assumes that the system with Analog to Digital Converters and all won't be compromised. What a silly idea. Every security system which is based on control over the equipment fails sooner or later.

  19. Re:As an IT admin I see the need for this. by cnettel · · Score: 2, Insightful
    People are good at remembering linguistic data. There are many many words that can be put together in sentences that make sense, but still would be very hard to create a dictionary attack against.

    I type the equal of thousands of sentences each day.

  20. Re:Biometrics by timeOday · · Score: 2, Insightful
    And to the computer system, biometrics and passwords are both just a string of bytes, nothing more. If you're trying to authenticate with online banking, all the server knows is that an acceptable sequence of bytes has been transmitted; whether those bytes actually came from an image of a fingerprint is another question.

    I'm not convinced that biometrics are much better than getting a tattoo of your password.

  21. Thesis? I can do it right now, right here. by khasim · · Score: 4, Insightful
    But, suddenly, we're open to language-based attacks -- there's probably thesis project in here for someone to come up with good algorithms to narrow down the required attack dictionary.
    I'll give you one right now.

    subject - verb - object
    (I like pizza).

    Here's another:
    adverb/adjective - object - verb
    (Mean people suck).

    The trick is finding the most common 3 word phrases (in English) and applying the basic grammatical rules you learned in school.

    That guy didn't understand that passphrases/passwords are covered in cryptology under "authentication".

    And any student of cryptology can tell you that PATTERNS are the problem.

    With passphrases, there are too many GRAMMATICAL RULES and PATTERNS that make it simple to crack.

    He focuses solely on the number of characters and never looks at how someone else would approach this to crack it.
  22. Re:Biometrics by laughingcoyote · · Score: 4, Insightful

    Great, now what happens when I need to log into a remote server? I currently live in Colorado and have access to machines in Wisconsin and Alberta, and the great security of fingerprint biometrics aside, my arms just aren't that long. And if that remote machine will accept data from a reader at my own machine, well, that reader is vulnerable to tampering and outside their control, and we're back where we started.

    At some point, we HAVE to realize that we just can't have some type of perfect security. Like a real safe or vault, someone determined enough to get in WILL get in. However, the better the security, the more chance that you will catch them in the act and prevent it, or deter the would-be attacker in the first place. This is the true goal of security.

    Biometric security measures, in my opinion, would be too intrusive and unwieldy for use at the desktop level. If I want to let my friend Bob use my machine, I can give him my password, but I cannot hand him my retina. Of course, for ultrasensitive applications (bank vaults, national security information, nuclear power facilities) it would be an excellent alternative to the current cards and such which can be stolen.

    As to the passphrase idea, it's not -terribly- hard to remember multiple phrases. And you don't need a different one for each site you visit; four or five different ones are sufficient for most people. And it's a lot harder for a would-be cracker to guess that your passphrase is "My daughter threw cake at the dog on her second birthday" than it is to look up your kid's date of birth.

    --
    To fight the war on terror, stop being afraid.
  23. Re:passwords? passphrases? by theLOUDroom · · Score: 2, Insightful

    Perhaps I'm too sleepy to think (I'm too sleepy to read the article), but precisely what is the difference?
    A password is a string you know, a passphrase is a string you know.
    One is probably longer than the other, big deal.


    There IS no worthwhile difference.

    One may be longer than the other, but the longer the passwhatever is, the more likely I am to use dictionary words.

    The REAL solution is to use passwords properly, and to protect anything else with strong encryption.

    When is it safe to use passwords?

    When you are sure you can limit the number of attempts.

    If you are not sure you can do this, you should be using one of the myriad of cryptographically secure protocols that are developed and in use by people who actually care and have devoted their lives to studying this sort of thing.

    THIS MEANS USING A KEY THAT IS NOT MADE UP OF DICTIONARY WORDS! (And is long enough to be considered secure.)

    The password vy6d89jt is going to take, on average, .5 * 36^8 or 1,410,554,953,728 guesses.

    The passphrase ethernetwarriormagical is going to use words from probably the 10,000 most common dictionary words so it's going to take on average .5*10000^3 = 500,000,000,000 guesses.

    So while you think you're more secure by requiring your employees to type an extra 14 characters, you're actually just wasting time and are actually LESS SECURE than before.

    Now the real killer is that my analysis of the "passphrase" used something that didn't totally follow the rules of English syntax. Using an actual sentence is going to be even worse because an attacker is only going to have to check for sentences that make sense.

    --
    Life is too short to proofread.
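
The arithmetic in the last two posts, and khasim's subject-verb-object point further up, can be put side by side in a few lines. What follows is an added example written for this thread, not code from Hensing's article or from any poster. The word lists and the Zipf weighting are constructed illustrations (not real corpus data), and the numeric constants (36 lowercase alphanumerics, 95 printable ASCII characters, a 10,000-word "common" vocabulary) are the ones the posts themselves use.

```python
"""Brute-force cost of random passwords vs. dictionary passphrases.

Added example for this thread, not code from the article or from any poster.
The word lists and the Zipf weighting below are constructed illustrations,
not real corpus data.
"""
import math
from itertools import product

PRINTABLE = 95       # printable ASCII: letters, digits, punctuation, space
LOWER_ALNUM = 36     # a-z plus 0-9, the alphabet of 'vy6d89jt' above
COMMON_WORDS = 10_000


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct strings of `length` symbols over `symbols` choices."""
    return symbols ** length


def bits(space: int) -> float:
    """Entropy in bits of a uniformly chosen element of `space` candidates."""
    return math.log2(space)


def expected_guesses(space: int) -> int:
    """Average guesses for a uniformly chosen secret: half the space."""
    return space // 2


def zipf_word_entropy(vocab: int) -> float:
    """Shannon entropy (bits) of one word drawn from a Zipf-distributed
    vocabulary: p(rank i) is proportional to 1/i.  This models people reusing
    common words instead of picking uniformly from the whole dictionary."""
    harmonic = sum(1.0 / i for i in range(1, vocab + 1))
    probs = [1.0 / (i * harmonic) for i in range(1, vocab + 1)]
    return -sum(p * math.log2(p) for p in probs)


def template_candidates(subjects, verbs, objects):
    """Enumerate every subject-verb-object phrase: the 'grammar attack'.
    The candidate list is the attacker's dictionary for this template."""
    return [" ".join(words) for words in product(subjects, verbs, objects)]


def compare():
    """Return the figures discussed in the thread, computed rather than quoted."""
    pw = keyspace(LOWER_ALNUM, 8)             # vy6d89jt
    phrase3 = keyspace(COMMON_WORDS, 3)       # ethernetwarriormagical
    phrase6 = keyspace(25_000, 6)             # mattdm's six common words
    pw14 = keyspace(PRINTABLE, 14)            # mattdm's 14-char comparison

    # Constructed mini-vocabulary for the subject-verb-object template.
    subjects = ["I", "we", "you", "they", "dogs"]
    verbs = ["like", "hate", "want", "need"]
    objects = ["pizza", "beer", "money", "coffee", "sleep"]
    vocab = subjects + verbs + objects
    unordered = keyspace(len(vocab), 3)       # any 3 words, any order
    templated = template_candidates(subjects, verbs, objects)

    return {
        "password_8_alnum_bits": bits(pw),
        "password_8_alnum_guesses": expected_guesses(pw),
        "phrase_3_words_bits": bits(phrase3),
        "phrase_3_words_guesses": expected_guesses(phrase3),
        "phrase_6_words_bits": bits(phrase6),
        "password_14_printable_bits": bits(pw14),
        "uniform_word_bits": bits(COMMON_WORDS),
        "zipf_word_bits": zipf_word_entropy(COMMON_WORDS),
        "unordered_3_word_space": unordered,
        "svo_template_space": len(templated),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        if isinstance(value, float):
            print(f"{name:30s} {value:,.2f}")
        else:
            print(f"{name:30s} {value:,}")
```

Two things the output makes concrete: the eight-character alphanumeric password and the three-word phrase come out exactly as theLOUDroom computed them, and a word chosen from a Zipf-shaped vocabulary of 10,000 carries roughly 9.5 bits rather than the 13.3 bits a uniform choice would give. The template count is the sharper point: fourteen words arranged freely give 2,744 three-word strings, but once the attacker knows the phrase is subject-verb-object, the list shrinks to 100.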
  24. Re:Biometrics by Atzanteol · · Score: 2, Insightful

    You're thinking the only way to fool the detector is to actually have your retina (or an exact copy of it). What if somebody finds a flaw in the detector itself that they can fool it with a glass eye? Or other things yet to be thought of?

    --
    "Ignorance more frequently begets confidence than does knowledge"

    - Charles Darwin
  25. What some companies are moving to by Bruha · · Score: 2, Insightful

    Is systems with RSA keys that you swipe at the terminal, loads up your desktop (these are thin clients) and all applications necessary to do your job. It also lets you into everything you're authorized to access. This seems to be pretty secure IMO with the onus on the users to maintain physical security of their passcards and the company to make sure those who enter the building are who they are.

  26. Re:Biometrics by Anonymous Coward · · Score: 1, Insightful

    Another problem with token based security is that they can physically break. Ever break a key off in a lock? That sucks. RFID is subject to being fried under certain circumstances, etc etc.

    I suppose for really high security things you might want to include "someone that knows you." Such as the two people who need to turn a key or whatever for arming "the bomb." Although I guess it wouldn't be much of a stretch for me to include this in biometrics.

    Yeah... there is no way to create perfect security. Just ways to make it harder for someone to defeat the security.

    As long as I'm ranting... aren't passwords (or any "something you know" type security) just a form of security through obscurity???

  27. Re:Biometrics by jayed_99 · · Score: 5, Insightful

    I've helped implement a biometric system for time-keeping. I've also worked in very, very secure environments.

    There are two definite (and related) advantages to biometric systems.

    One -- the bar to "unauthorized use of credentials" is raised to a higher level. Which, to a large degree, is what all security is about. If ${large organization of nefarious intent} wants my data, they have the means to get it. Biometrics helps weed out the less well-funded and well-motivated people. It's like me using one-time passwords for SSH access. No, it doesn't prevent someone from entering my house and installing a tiny hardware key-logger in my PC, but it does stop all of those clowns running dictionary attacks.

    With biometrics, people can't just rummage around a desk looking for the password post-it. They (as in your case) have to arrange for greasy finger-print covered glasses and scotch tape. Not insurmountable, just a bit more difficult.

    Two -- any kind of remotely plausible deniability in the event of a breach is gone. ("Uh, I don't know how it happened. I just happened to have a jelly mold of this guy's fingerprint..."). Unauthorized access to a biometrically controlled system is pretty solid prima facie evidence that Evil Deeds[TM] are afoot.

    Yes, there are problems with biometric authorization. Irrevocability being a very large one. Almost all of the people complaining about biometrics being ineffective -- and almost all of the people touting them as *the* solution to all security problems -- are forgetting one thing.

    Security is about the whole organizational process. Total security is enhanced or diminished by the particular method of authentication that you use -- and poor authentication can undermine a lot of the rest of the system. Hackable authentication does not automatically invalidate the rest of the security process. 100% provable authentication does not automatically mean that your system is 100% secure.

    Let's look at the example of an anonymous FTP server. There's no authentication. None. However, any sensible person would be running it read-only. It would be jailed or chrooted. IP addresses would be logged for auditing purposes. The partition that the ftp server is serving data from could be mounted noexec. Blah, blah, blah, etc, etc, etc. Here's a case where zero authentication does not mean zero security.

    People often talk about biometrics in the context of some theoretical, non-existent system where there is no other security other than this one, initial biometric authentication...and the whole system is either "secure" or "insecure" based on the authentication. Which is just garbage.

    Even in the simplest case -- biometric time-keeping -- there are other checks in the system.

    Let's assume that worker A and worker B have colluded to provide each other with false handprints. We'll leave out such annoying real-world problems like, "Hey, Bob, why are you clocking in with that jelly-filled hand-on-a-stick ?" and assume that worker A and worker B can at any time just clock in and clock out as each other without anyone noticing.

    OK, at the end of the week, Manager M gets a payroll report. Manager M gives it a cursory glance. Uber-manager N gets the same report, and gives it an even more cursory glance. Let's not even talk about Director O -- we know that it's just sitting in her in-box with all of the other reports.

    HR Flunkie T runs the weekly "check for discrepancies between scheduled shifts and actual time worked" and sends those to Manager, Uber-Manager and Director. Manager M fires an email back saying, "Hey, no problem." Or perhaps the email says, "Hey, worker A is showing up as having no discrepancies -- I distinctly remember that he was thirty minutes late on Tuesday".

    Every month, Auditor X takes a brief look at all of the discrepancies between last month and today and all of the explanations for them. Auditor X looks for any suspicious or unusual patterns -- and the absenc

  28. Re:Biometrics by alex_podam · · Score: 2, Insightful

    Actually Miller came up with the (magic) number 7 +/- 2 (5-9) as the average limit of units people can hold in short term memory. Units can be letters or numbers, but also words.

    So according to Miller, we should be able to remember a seven word sentence as easily as a seven char password
    It's probably even easier to remember the passphrase if we also take into account our ability to conceptualize the contents of a sentence and use some context reinstatement (Ie. have an emotional or sensory association to the phrase). Consider having to remember 'JWSHBDHFGL' compared to 'this is where I need to type my new passphrase'

    Although Miller's study refers to short term memory, stuff isn't very likely to make it to long-term memory if it's forgotten immediately.

  29. Re:Biometrics by mboverload · · Score: 2, Insightful

    True. They tried this with some fingerprint readers, the computer doesn't even send a CHALLENGE! This means you can record everything the fingerprint scanner sends and then send it again. So what if it's encrypted, you don't need to know what's in it.
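
The replay problem described in this post, and lachlan76's point above that a server-chosen challenge defeats it, can be shown in one short protocol sketch. This is an added example for the thread, not code from the article or from any poster. The fingerprint "template" is a constructed byte string standing in for a reader's output, and the shared key, the HMAC-SHA256 construction and the one-use nonce set are this example's own assumptions about how such a reader and server might be built.

```python
"""Replayable reader output vs. a server-chosen challenge.

Added example for this thread, not code from the article or from any poster.
The template bytes are constructed; the shared key and HMAC scheme are
assumptions, not a description of any real fingerprint reader.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

TEMPLATE = b"constructed-minutiae-template"   # stands in for the scanned print


class StaticReader:
    """No challenge: the reader emits the same blob every time.  Whether the
    blob is 'encrypted' is irrelevant; the server only checks equality."""
    def __init__(self, template: bytes):
        self.blob = hashlib.sha256(template).digest()

    def authenticate(self) -> bytes:
        return self.blob


class StaticServer:
    def __init__(self, template: bytes):
        self.expected = hashlib.sha256(template).digest()

    def verify(self, blob: bytes) -> bool:
        return hmac.compare_digest(blob, self.expected)


class ChallengeServer:
    """Issues a fresh random nonce per attempt, accepts each nonce once, and
    expects HMAC(key, nonce || sha256(template))."""
    def __init__(self, key: bytes, template: bytes):
        self.key = key
        self.template_hash = hashlib.sha256(template).digest()
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                      # unknown or already-used nonce
        self.outstanding.discard(nonce)       # one use only
        expected = hmac.new(self.key, nonce + self.template_hash,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class ChallengeReader:
    def __init__(self, key: bytes, template: bytes):
        self.key = key
        self.template_hash = hashlib.sha256(template).digest()

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce + self.template_hash,
                        hashlib.sha256).digest()


def replay_static() -> Tuple[bool, bool]:
    """Legitimate auth, then replay of the sniffed blob: (legit, replay)."""
    reader, server = StaticReader(TEMPLATE), StaticServer(TEMPLATE)
    recorded = reader.authenticate()          # captured off the wire
    return server.verify(recorded), server.verify(recorded)


def replay_challenge() -> Tuple[bool, bool]:
    """Same attacker against the challenge-response variant."""
    key = secrets.token_bytes(32)             # provisioned at enrollment (assumed)
    reader = ChallengeReader(key, TEMPLATE)
    server = ChallengeServer(key, TEMPLATE)
    nonce = server.challenge()
    recorded = reader.respond(nonce)          # captured off the wire
    legit = server.verify(nonce, recorded)
    replay_same = server.verify(nonce, recorded)            # nonce already spent
    replay_new = server.verify(server.challenge(), recorded)  # wrong nonce
    return legit, replay_same or replay_new


if __name__ == "__main__":
    print("static reader   legit, replay:", replay_static())
    print("challenge reader legit, replay:", replay_challenge())
```

The static design accepts the recorded blob every time; the challenge design accepts the first response and rejects both the resent pair and the old response against a new nonce. The caveat g0sub and DeepHurtn! raise still holds: the challenge only defeats a passive recorder on the wire. An attacker who controls the reader itself, or who can inject a saved template before the HMAC is computed, is not stopped, and nothing here makes the underlying biometric revocable.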

  30. Re:Biometrics by Anonymous Coward · · Score: 2, Insightful

    The problem is that once the system is compromised the person can never use it again. Suppose all I need to access your ATM/debit/bank account is a copy of your iris/retina scan. Once that is compromised you can never use an ATM/debit account again because there is no way to change the authentication. That means if the banking/credit industry switched to an eye scan for authentication and your biometrics were copied YOU CAN NEVER HAVE A BANK ACCOUNT, ATM/DEBIT CARD OR CREDIT CARD FOR THE REST OF YOUR LIFE. That is the problem with using biometrics except in limited cases such as to control access to restricted areas of a building where physical security is present.

  31. and if you have any literary knowledge at all by way2trivial · · Score: 2, Insightful

    it's a lot easier to shoulder surf passwords when they are phrases, instead of random digits.

    if I see

    Xow XX thX time XXr aXX good meX to XXme to their coXXCCC's Xid, and I'm ken jennings, I can figure it out...

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  32. I don't think it's that simple... by ThisIsFred · · Score: 2, Insightful

    No matter how you slice it, a plain old brute force password cracker (like l0phtcrack) won't be made obsolete by this. It's sort of a trade-off, on one hand the password is longer, on the other hand, the majority of possible characters are going to be from a very short list of 26. Consider these points:

    * As some already pointed out, sentences have a regular structure, where certain types of words go in certain places. That's a lot of predictability. Almost every normal sentence begins with a capital letter... Uh oh.

    * Sentences contain lots of spaces. Words in the English language are predominantly constructed of a very small group of letters; US TV viewers would know the normal suspects as those the contestants guess on the last round of Wheel of Fortune. Repetition is bad.

    * Sorry, but sentence punctuation doesn't meet my requirements for possible permutations. Most sentences use only a period, and to a lesser extent, an apostrophe and maybe a comma. There are 29 non-alpha, non-numerical characters on my keyboard.

    * My users have more than just a network logon, and not all of those programs accept long passphrases. There's an added possibility for confusion.

    * Users are going to do things like forget which letters are capital (oh please - they're still confused by caps-lock), whether there is a comma in some space or not, and very likely lose their place with a long passphrase if they aren't expert typists. This creates frustration, and when users get frustrated, they do things like leave the machine logged on all day (even when they leave the room). And that creates headaches for me, because it's more likely that someone will sit at a logged-on machine than walk into my locked server room, log on as admin, and get a SAM or shadow-file dump off the server.

    I like someone else's suggestion, although I don't recall who it was. Make the user type his new, complex password ten times. If I can memorize 20 complex passwords, my users can memorize one.

    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
  33. Re:Biometrics by DeepHurtn! · · Score: 2, Insightful
    The problem, fundamentally, is that at some level the biometric data must be reduced to a bunch of 1s and 0s and transmitted between devices. That makes those 1s and 0s vulnerable to being copied and misused. It may take hacked hardware, sure -- but the problem that the information is *eternally tied to you personally* makes it very dangerous.

    A real life example: a few months ago my debit card was duplicated. I never lost my card, but some store owner somewhere had a hacked machine that captured my card and PIN information. It wasn't a very big deal, because I was able to just get a new card with a new PIN. But if my debit card was tied to me through biometrics, my bank account would be compromised for the rest of my life.

  34. This is the dumbest idea ever by Angst+Badger · · Score: 2, Insightful

    There isn't much of a difference between a ten-character password and a ten-word sentence except that the "character" set is larger, and not really by that much. Let me explain:

    The average adult has a vocabulary of about 20k words, and actually uses much less than that on a routine basis. Let's be really generous, though, and assume we are dealing with highly literate people with a vocabulary of, oh say, 65536 words. ;)

    What you just implemented is a 16-bit character set, and your ten-word phrase is computationally equivalent to a twenty-character password in the 8-bit extended ASCII set.

    You can complicate things by making it case sensitive, but I have a feeling that would be more trouble than it's worth with the average end user, who can't be relied upon to handle consistent capitalization. (Scroll up and down through the comments for pertinent examples.)

    But it actually gets worse than this. Whereas a ten-character password consisting of random characters has no internal structure, natural language phrases and sentences do. Consequently, if you want to build a brute force password cracker for phrase-based passwords, you can save yourself a lot of time by checking the set of grammatically correct phrases first. After all, "now is the time for all good men to come to the aid of their party" is a lot more likely to be someone's passphrase than "sniffle upchuck defenestrate furry therefore pretense macro recoil lemon beyond". It's no objection to say that a formal grammar for English won't match everyday use; you can just use something like the SEQUITUR algorithm to build an approximate real-world English grammar from Usenet postings, the Wikipedia database, or Google.

    In other words, all this extra effort accomplished was to convert a ten-character password into something a bit less secure than a twenty-character password. Or, in the real world, where end users will be using things like five word passphrases, you get something roughly equivalent to a three-character password.

    That this idea was proposed in the first place is a perfect example of mistaking data for its representation.

    --
    Proud member of the Weirdo-American community.
  35. Re:Biometrics by Feanturi · · Score: 2, Insightful

    ...too difficult to remember multiple passphrases. Second, it's difficult to remember passphrases! Phone numbers (In the US, at least) are limited to 10 digits because research shows the average person can only memorize 10 digits,

    Remembering a string of numbers is a lot different than remembering a line of poetry, or a bit of dialogue from a favorite book, or movie, or the title of a cool song, or.. I could go on and on. For years I've used fairly short passwords of only around 8 characters, but they never spell anything, have upper- and lower-case and usually some punctuation, and are very easy to remember for me, because they are the first letters of the title or phrase expressing something I like. With the realization that the computing power is out there now to shred through something so short, it will be a simple matter to adopt the habit of fully spelling the entire phrase instead of just abbreviating it.

    However, though there seems to be wisdom in long passphrases like this, I think it might also give way to easier guessing from camera data or casual eavesdropping, since an observer would have a greater chance of spotting enough letters to figure out what it must be. Anyone who has done well at home watching Wheel of Fortune should be able to attest to that.

  36. Re:Biometrics by Anonymous Coward · · Score: 1, Insightful

    But is a passphrase any harder to brute-force? Given the requirement of easy memorability, most passphrases will be common English (or other language) phrases, or at least follow standard rules of spelling and grammar. Advanced password-searching techniques will use these assumptions to search the key-space very efficiently, despite its increased size.

    Limits of human memorization seem to place a cap on the amount of randomness contained in a password or phrase. Although a passphrase is longer, the relationships between characters are much more predictable. Entropy remains relatively constant, thus also does susceptibility to brute-force attacks.
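An added worked calculation, not part of either comment, putting numbers on the entropy argument in the 65536-word comment above and in the comment just above this one: it computes bits per word for a uniformly chosen vocabulary and for a Zipf-weighted one (a constructed stand-in for real word-frequency skew, an assumption rather than a measured model), and converts each to the length of a random 8-bit-character password with the same entropy.

```python
import math

def uniform_bits_per_word(vocab_size: int) -> float:
    """Entropy per word when every vocabulary word is equally likely."""
    return math.log2(vocab_size)

def zipf_bits_per_word(vocab_size: int, exponent: float = 1.0) -> float:
    """Entropy per word when rank k has probability proportional to
    1/k**exponent (Zipf's law). Assumption: a crude model of how unevenly
    people actually pick words; real phrase structure lowers it further."""
    weights = [1.0 / k ** exponent for k in range(1, vocab_size + 1)]
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights)

def equivalent_password_chars(bits: float, bits_per_char: float = 8.0) -> float:
    """Length of a random password over a 2**bits_per_char alphabet
    (8.0 = the comment's extended-ASCII set) carrying the same entropy."""
    return bits / bits_per_char

def passphrase_strength(n_words: int, vocab_size: int) -> dict:
    """Total entropy of an n-word phrase under both word-choice models."""
    uniform = n_words * uniform_bits_per_word(vocab_size)
    zipf = n_words * zipf_bits_per_word(vocab_size)
    return {
        "uniform_bits": uniform,
        "uniform_equiv_chars": equivalent_password_chars(uniform),
        "zipf_bits": zipf,
        "zipf_equiv_chars": equivalent_password_chars(zipf),
    }

if __name__ == "__main__":
    # 65536-word vocabulary as in the comment: 16 bits per word if uniform.
    for n_words in (10, 5):
        s = passphrase_strength(n_words, 65536)
        print(f"{n_words} words from a 65536-word vocabulary:")
        print(f"  uniform choice: {s['uniform_bits']:.0f} bits "
              f"(~{s['uniform_equiv_chars']:.1f} random 8-bit chars)")
        print(f"  Zipf-weighted:  {s['zipf_bits']:.0f} bits "
              f"(~{s['zipf_equiv_chars']:.1f} random 8-bit chars)")
```

Under the Zipf model the same 65536-word vocabulary yields roughly 11 bits per word instead of 16, so ten words sit nearer a 14-character random password than the 20-character one the uniform count suggests.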

  37. Re:Biometrics by zerocool^ · · Score: 2, Insightful
    My often-spoken number 1 rule of security: If they get to your hardware, you're screwed.

    Corollary: If you depend on biometrics for security, you are effectively bringing your hardware to "them", and leaving copies of it everywhere, in the case of fingerprints.

    Which is more insecure: Writing your password on a sticky note and leaving it on your monitor; locking your house,
    or,
    leaving your fingerprints everywhere, and yet depending on them for security.

    ~Will

    --
    sig?
  38. Microsoft only has themselves to blame by bug · · Score: 2, Insightful

    I'm sorry... but did a Microsoft employee just poopoo password security using the argument that rainbow tables make them obsolete? That's absolutely hilarious. Brute forcing of passwords using rainbow tables (e.g., rainbow crack) is only feasible today when passwords aren't salted. Microsoft's LanMan hash system doesn't bother salting (or doing a bunch of other things that would be wise from a security perspective). If Microsoft had bothered to implement a halfway decent password storage system, then their users wouldn't be nearly as susceptible to password cracking as they are today. There's a reason for salts and nonces, people!

    By the way, for those of you managing Windows networks, make sure that you turn off the LanMan hashing system. Disabling this will do a lot to prevent a compromise of one single system in your network from turning into a cascading compromise of everything. N.B., this is only practical when you don't have Win9x-based OSes on your network, but those don't really belong on a corporate network anyway (easier said than done, I know).

    All this being said, you have to be careful to not go too far with password security. The bad guys always go for the weakest link in the chain. If the hash and password strength requirements are too difficult to reasonably break through off-line cracking, then the bad guys will just get the passwords through keyboard loggers or inserting trojan shims into your password and authentication systems. After all, grabbing the password hashes is only practical given administrator access, so you have to assume that a bad guy can install a keyboard logger, too.

    If you ban passwords in favor of PKI smart cards, biometrics, SecurID, one-time-passwords, or the other really complicated and expensive solutions, you still haven't done a great deal. The folks advocating these systems are either ivory tower types with little foundation in operational reality, or marketing droids trying to sell you something. Once again, assuming a bad guy already has administrator access to a system, he can wait until you authenticate to another system, and then take control. Remember, you are not authenticating to the remote server, you are allowing your workstation to authenticate to it. If you assume a potentially compromised workstation, then your fancy shmancy authentication system that cost you a bundle to implement just became almost as useless as passwords.

    If you want to keep the bad guys from stealing or subverting your authentication mechanisms, then you're going to have to prevent the bad guys from getting onto the systems in the first place, including all of the workstations. Looking at yet another monstrous list of critical vulnerabilities released last Tuesday from Microsoft, it's pretty clear to me that Microsoft hasn't done a great deal to prevent successful remote attacks when they sold their software in the first place.

  39. Re:Biometrics by ultranova · · Score: 4, Insightful

    Ooh...yea--that'll be the downfall of biometric authentication. Someone steals my retina and then all my accounts are 0wned for ever and ever...

    Suppose you are just walking in the streets when someone suddenly shoves a camera to your face and takes a picture. The flashlight blinds you momentarily, so you can't pursue him. He disappears into the crowd with a picture of your retinas in his camera.

    What are you going to do? The picture contains all the data he needs to log into online services as you. You cannot change the password, since you don't have any. In theory, you might be able to burn a distinguishing pattern into your retina with a laser - but, of course, that will negatively impact your vision.

    So yes, that's exactly what will happen. Someone will steal your retina (or rather, copy the biometric info that is used to authenticate you) and then all your accounts are 0wned for ever and ever.

    Not to mention the privacy concerns - I wouldn't want every online service to be able to link my identity to my real one, would you?

    Biometric identification is an extremely bad idea that will hopefully die the silent death it deserves.

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  40. Passphrases are no silver bullet by erik_norgaard · · Score: 4, Insightful

    Using passphrases does not add much more entropy, although they may be easier to remember. They are still prone to sniffing; 40 chars can easily be packed in a single ethernet frame. Could someone tell Microsoft to use encrypted connections?

    Users hate passwords, they hate typing them, and they hate having to remember things. They will always opt for whatever is easy. They will hate you if you set a lower limit of 30 characters, and their passphrase was 28.

    Passwords or passphrases - same thing - will be chosen easier the more obstacles you place on the users: Requiring users to change their password every three months will leave your systems less secure:

    Users will choose easier passwords, and/or they will rotate just two different passwords. No security gained.

    Further, in the race with a bruteforce attack, nothing is gained unless you change your password to one that has been tried.

    Instead, as the administrator you have a head start in the race with the crackers. Go password cracking and require users to change their password when it has been cracked.

    If a password is cracked too quickly it should be followed by disciplinary actions as a compromise of security. Of course the users must be informed beforehand of such procedures.

    Just my 5euro-cent contribution...

  41. This is outdated by 20 years by tigertiger · · Score: 2, Insightful

    I am surprised that nobody pointed this out but the dictionary attack this guy keeps touting only works if you have access to the authentication hashes. Which you usually don't have unless you have managed to break into the machine before. And then it doesn't matter much.

    UNIX used to keep the hashes publicly readable so non-privileged programs could check passwords (xlock), but this was abandoned years ago. On Kerberos, the password hashes are even stored on a separate authentication server.

    Technically, the hashing is still done so that a privileged user would not be able to extract another user's password, but as in most machines the privileged user also has full access to everything else (in particular he could intercept the password in transmission) it does not matter much. In practice, when you can get at the authentication hashes you already have full access to the machine.

    Also, dictionary attacks can be easily thwarted using the "salt", two bytes of random data that are added to the password before it is encrypted. So each password corresponds to thousands of hashes that you all have to store.

    If you do not have the password hashes, the only way to break a password is trial-and-error, and most systems limit password entries to one every few seconds.

    Network sniffing attacks are not limited by the length of the password, but by the length and complexity of the encryption keys which are randomly generated. Successful attacks on encrypted communications usually happen when these keys are chosen too short and not random enough (WEP).

    The truth is that even a simple password is relatively secure, and people touting complex password rules do so because they read 10-year-old books.

    Well, except if you use 20-year-old software...
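An added example, not code from either commenter, illustrating the salting point made in both the "Microsoft only has themselves to blame" comment and the comment just above: a constructed precomputed table over a tiny wordlist recovers an unsalted hash by plain lookup, while a per-user random salt puts the stored hash outside that table and multiplies the entries it would need by 256 per salt byte. SHA-256 stands in for the hash function (this is not LanMan), and the wordlist is constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey"]

def unsalted_hash(password: str) -> bytes:
    """Unsalted storage: the same password always yields the same hash,
    so one precomputed table serves every user on every system."""
    return hashlib.sha256(password.encode()).digest()

def build_lookup_table(words) -> dict:
    """Precomputed table hash -> word; its size depends only on the wordlist."""
    return {unsalted_hash(w): w for w in words}

def table_lookup(table: dict, stored_hash: bytes):
    """Recover the password by lookup, or None if the hash is not in the table."""
    return table.get(stored_hash)

def salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

def store_salted(password: str, salt_len: int = 16):
    """Per-user random salt kept alongside the hash. The comment above
    describes a two-byte salt; current systems use 16 bytes or more."""
    salt = os.urandom(salt_len)
    return salt, salted_hash(password, salt)

def verify_salted(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hash)

def salted_table_multiplier(salt_len: int) -> int:
    """Entries a precomputed table needs per word once salts are in play."""
    return 256 ** salt_len

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", table_lookup(table, unsalted_hash("dragon")))  # dragon
    salt, stored = store_salted("dragon", salt_len=2)
    print("salted lookup:  ", table_lookup(table, stored))                    # None
    print("verify:         ", verify_salted("dragon", salt, stored))          # True
    print("table entries per word, 2-byte salt:", salted_table_multiplier(2))  # 65536
```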