The following series of articles on passwords vs. pass phrases by Jesper also discusses this: http://www.microsoft.com/technet/community/columns/secmgmt/sm1104.mspx
Thanks, -Steve -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Monday, April 03, 2006 9:06 PM To: [email protected] Subject: Re: [ActiveDir] How Secure is a Domain Controller? Sorry one more thing.. in a Center for Internet Security project to set Baseline Operational Security Standards for protecting sensititive data (both PII and business confidential)... they are actually leaning strongly towards recommending two factor authentication and not just passwords and a protection factor. When LC5 was still around (before Symantec killed it) cracking 7 or less character passwords on a network with lanmanhashes enabled ... those got broken pretty quickly. 14 characters breaks the lanmanhash setting. Ergo the recommendaton for long passphases for admin accounts (and Joe has stated that they lock up the 500 accounts and make those pass phrases even longer than that) Someone stated today that maybe we need to consider a password policy that does not require a change out of every 90 days as that does tend to make the person weaken a password or reuse something. If instead they used a long and nasty passphrase and only changed it once a year.. would that actually be less risk than one changed more often? Food for thought. Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: > The Magical Number Seven: > http://www.well.com/user/smalin/miller.html > > Protecting your Windows Network, Dr. Jesper Johansson and Steve Riley > site that study regarding the ability of humans to process > information. (Good book btw..entertaining security book) > > > > > Amazon.com: Protect Your Windows Network : From Perimeter to Data > (Microsoft Technology): Books: Jesper M. Johansson,Steve Riley: > http://www.amazon.com/gp/product/0321336437/sr=8-1/qid=1144114723/ref= > pd_bbs_1/103-7946857-8851835?%5Fencoding=UTF8 > > > > > Al Mulnick wrote: > >> I'd be very interested to see the technical data that backs that up >> (not you Neil, but the folks from Microsoft that make that claim.) >> >> Is it related to people being able to remember a limited number of >> numbers >> perhaps?(http://www.youramazingbrain.org.uk/yourmemory/digitspan.htm >> ) Or is there some other empirical data that says that passwords with >> greater than 7 characters is likely to be repeated? >> >> Or could it be that somebody at MS is sore that NTLM had to be >> upgraded to beyond two 7 char strings? ;) >> >> Seriously, I see nothing like that here >> http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf or >> here http://www.passwordresearch.com/stats/statindex.html >> >> I think that's a load of bologna to make a suggestion to keep >> passwords to less than 7 characters. If anything, there's no reason >> not to make them longer as the more characters that have to be >> guessed, the harder it becomes to brute-force hack them (assuming >> that passwords are not stored as two 7 char strings, right?) That >> allows the system to be even more useful because you can then extend >> the attempts prior to lockout making the system more useful to the >> end user. >> In the end, there are some assertions that passwords by themselves >> are coming to the end of their useful life. Hmm.. Maybe. But I think >> coupled with good lockout policies, strong passwords mean we can >> mitigate the risks for most situations. Not forever of course. >> >> I'd love to see some of that data that shows that users repeat after >> 7 characters if anyone has it. >> Al >> >> >> >> Just for fun: >> http://plus.maths.org/issue31/features/eastaway/index-gifd.html >> >> On 3/6/06, [EMAIL PROTECTED] >> <mailto:[EMAIL PROTECTED]>* <[EMAIL PROTECTED] >> <mailto:[EMAIL PROTECTED]> > wrote: >> >> The use of >20 char passwords caught my eye. >> In previous discussions with MS et al, it was suggested that >> the >> majority of users would simply repeat a (at most ( 7 char password >> n times, so as to meet the 20+ char pw policy requirement. >> As a result, I have heard it suggested that in reality (not >> theory) a pw policy of more than 7 chars is actually counter >> productive. [Any pw policy with a multiple of 7 chars being most >> counter productive.] >> Food for thought, >> neil >> >> >> ------------------------------------------------------------------------ >> *From:* [EMAIL PROTECTED] >> <mailto:[EMAIL PROTECTED]> [mailto: >> [EMAIL PROTECTED] >> <mailto:[EMAIL PROTECTED]>] *On Behalf Of *Ulf B. >> Simon-Weidner >> *Sent:* 05 March 2006 08:35 >> >> *To:* [email protected] >> <mailto:[email protected]> >> *Subject:* RE: [ActiveDir] How Secure is a Domain Controller? >> >> I've written down some related thoughts once: >> >> http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.asp >> x >> >> Gruesse - Sincerely, >> >> Ulf B. Simon-Weidner >> >> MVP-Book "Windows XP - Die Expertentipps": >> http://tinyurl.com/44zcz >> Weblog: http://msmvps.org/UlfBSimonWeidner >> <http://msmvps.org/UlfBSimonWeidner> >> Website: _http://www.windowsserverfaq.org_ >> <http://www.windowsserverfaq.org/> >> Profile: >> http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214 C811D >> >> >> >> ------------------------------------------------------------------------ >> *From:* [EMAIL PROTECTED] >> <mailto:[EMAIL PROTECTED]> [mailto: >> [EMAIL PROTECTED] >> <mailto:[EMAIL PROTECTED]>] *On Behalf Of >> *Edwin >> *Sent:* Sunday, March 05, 2006 4:17 AM >> *To:* [email protected] >> <mailto:[email protected]> >> *Subject:* [ActiveDir] How Secure is a Domain Controller? >> >> >> How Secure is a Domain Controller that is fully patched on a >> default install of Windows 2003? When promoted the domain >> controller has the two default policies, both of which are >> recommended not to be modified. But there are things that could >> be done better for added security. For example, NTLMv2 refuse >> NTLM and LM. Is it common practice to add additional GPO's to the >> DC OU? Or is DC protected enough to where all that is needed to >> worry about are the member machines? >> >> >> If adding additional GPO's to the DC OU, is there anything that >> should definitely be avoided? >> >> >> Edwin >> >> PLEASE READ: The information contained in this email is >> confidential and >> intended for the named recipient(s) only. If you are not an intended >> recipient of this email please notify the sender immediately and >> delete your >> copy from your system. You must not copy, distribute or take any >> further >> action in reliance on it. Email is not a secure method of >> communication and >> Nomura International plc ('NIplc') will not, to the extent >> permitted by law, >> accept responsibility or liability for (a) the accuracy or >> completeness of, >> or (b) the presence of any virus, worm or similar malicious or >> disabling >> code in, this message or any attachment(s) to it. If verification >> of this >> email is sought then please request a hard copy. Unless otherwise >> stated >> this email: (1) is not, and should not be treated or relied upon as, >> investment research; (2) contains views or opinions that are >> solely those of >> the author and do not necessarily represent those of NIplc; (3) is >> intended >> for informational purposes only and is not a recommendation, >> solicitation or >> offer to buy or sell securities or related financial instruments. >> NIplc >> does not provide investment services to private customers. >> Authorised and >> regulated by the Financial Services Authority. Registered in England >> no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St >> Martin's-le-Grand, >> London, EC1A 4NP. A member of the Nomura group of companies. >> >> > -- Letting your vendors set your risk analysis these days? http://www.threatcode.com List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
