Slashdot Mirror


MS Employee Calls for No More Passwords

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like L0phtCrack make passwords obsolete and dangerous in the Windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes (and we know exactly where that leads), this is a simple idea; I'm surprised more people haven't been doing it more often."

3 of 614 comments

  1. Eh, by Quiet_Desperation (Score: 0, Redundant)
    This sounds really annoying.

    Can't we just shoot the crackers?

  2. Re: Offer Void on pre-2000 MS operating systems, by horza (Score: 0, Redundant)

    One thing I just read in my MCSE study book... Windows 2000 and up support 127-character passwords, but Windows NT, Windows 9x and Windows ME only support 14 characters in a password. A user who has a Windows password greater than 14 characters simply cannot log in using the older operating systems, even if they otherwise should be able to.

    Does Windows 2000 really support 127-character passwords? Or does it merely allow you to enter passwords 127 characters in length? Many operating systems allow you to enter a large number of characters but only use the first x characters. When it comes down to it, the encryption algorithm will use a certain key length measured in a number of bits. The standard AES key is between 128 and 256 bits long (the equivalent of 16 and 32 bytes). Whatever password/passphrase you enter will have to map onto this fixed number of bits. A hash of a longer passphrase appears more secure, but not necessarily as much as you would think, as grammar follows pretty strict rules and is hence vulnerable to cryptanalysis. In addition, each step you add to create that mapping risks introducing an implementation-related vulnerability.

    Personally, as a compromise between a dictionary-attack-vulnerable password and an unfeasibly long password to type, I do the following: I take a sentence and use the first letter of each word. I end up with a completely random set of characters. There is no chance I can forget it and get locked out, even if it's awkward to type for the first week or two. After a short while I can type it without even thinking.

    Phillip.
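Horza's question above (does the system really use all 127 characters, or only the first x?) can be answered empirically by probing the backend rather than trusting the documentation. The block below is an added example, not part of the post: the two hashing schemes are constructed stand-ins (the 14-character one mirrors the NT/9x/ME limit quoted in the thread), and `effective_length` is a hypothetical probe that finds the first character position a backend silently ignores.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a legacy scheme that silently uses only the
# first 14 characters, like the NT/9x/ME limit quoted in the thread.
LEGACY_LIMIT = 14


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Hypothetical legacy scheme: truncates to LEGACY_LIMIT characters."""
    truncated = password[:LEGACY_LIMIT].encode("utf-8")
    return hashlib.sha256(salt + truncated).digest()


def full_hash(password: str, salt: bytes) -> bytes:
    """Hypothetical modern scheme: every character of the passphrase counts.
    Iteration count kept low for the demo; real deployments use far more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1_000)


def make_verifier(hash_fn):
    """Build a (register, verify) pair around a hashing scheme, the way an
    authentication backend would expose it. Store is in-memory for the demo."""
    store = {}

    def register(user: str, password: str) -> None:
        salt = os.urandom(16)
        store[user] = (salt, hash_fn(password, salt))

    def verify(user: str, password: str) -> bool:
        salt, digest = store[user]
        return hmac.compare_digest(digest, hash_fn(password, salt))

    return register, verify


def effective_length(register, verify, max_len: int = 128) -> int:
    """Probe a backend: register a long passphrase, then flip one character at
    position i and check whether verify still accepts it. The first position
    where a change goes unnoticed is the effective limit; max_len if none."""
    base = "a" * max_len
    register("probe", base)
    for i in range(max_len):
        variant = base[:i] + "b" + base[i + 1:]
        if verify("probe", variant):  # change past the limit is ignored
            return i
    return max_len
```

Run `effective_length(*make_verifier(legacy_hash))` against a real backend's register/verify pair to confirm whether a long passphrase actually contributes all of its characters.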

  3. Re: Biometrics, by agentxy (Score: 1, Redundant)

    It's generally accepted that there are three systems for authentication: something you know (knowledge-based authentication), something you have (token-based authentication), and something you are (biometric authentication). Each type of authentication has its strengths and weaknesses. A few examples of weaknesses are:

    Knowledge based: A user can forget the "secret".
    Token based: Token can be stolen or lost.
    Biometric based: User cannot obtain a replacement if the original is compromised.

    It's also generally accepted that a combination of different authentication methods is strongest (but not necessarily the most usable/convenient).

    Although each authentication system is unique in the way it provides authentication, all have the same fundamental weakness: reliance on fallible human beings.

    I chose passphrases as my master's thesis topic (hpu.edu) and was amazed (and in some cases, shocked) by some of the research I came across!