As long as we're eating this type of food...
There is no argument that 2-factor auth is going to be stronger and therefore preferred. To argue it would be extremely difficult.
The assertions in the article are made based on 1950's data. Hmm...
Interesting, but I think he makes his case that 7 is just a coincidence and not a sure limit. Also, he supports the same theory that Dr J puts forth in saying that we "chunk" the data into usable pieces. Is that 7 usable chunks? Maybe. Can that be used to help defeat pass phrases? Yes, I think so.
LM hashes? As I recall, the older method broke the information into 2 x 7 bit "chunks". Result: If you had a password of 8 chars, you really had a password of 7 chars + 1 chars.
Is that significant? Yes because it means you could more easily guess the second 8 (fewer variations) and from that more likely derive the first 7. We introduced the usage of passwords with special characters in the hopes that adding random non-sensical characters with no relation to the words would be harder to crack. It is, but the question remains: is it enough?
I don't see the basis for the 7 character limit on the password in the documents you posted Sussan, the documents that Steve posted, nor in the ones that I posted. I see strong arguments for two-factor auth, but I think we'll start an entire new conversation regarding what two-factor auth really looks like in practice.
In the end, it boils down to this (for me anyway): We as professionals need to understand and mitigate the risks appropriate to the tasks. This is a continuous cycle and shows no end. There is no perfection, only trade-offs and balance to be achieved. Additionally, our vendors (Microsoft in this case) need to provide the tools for us to achieve our goals else risk us finding another vendor that does to accomplish the business requirements.
"The only truly secure machine is a machine that is completely disconnected and encased in a sealed, steel-reinforced concrete bunker with 6ft walls, guarded night and day by trained military experts. Everything else represents trade-offs made between usefulness and security." - ajm
Of course, if it's worth doing, it's worth doing well. I would add the background to the recommendation to use passphrases: only do so if it meets your needs or if you cannot implement two-factor authentication mechanisms.
My thoughts anyway.
Al
On 4/3/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
Sorry one more thing.. in a Center for Internet Security project to set
Baseline Operational Security Standards for protecting sensititive data
(both PII and business confidential)... they are actually leaning
strongly towards recommending two factor authentication and not just
passwords and a protection factor.
When LC5 was still around (before Symantec killed it) cracking 7 or less
character passwords on a network with lanmanhashes enabled ... those got
broken pretty quickly. 14 characters breaks the lanmanhash setting.
Ergo the recommendaton for long passphases for admin accounts (and Joe
has stated that they lock up the 500 accounts and make those pass
phrases even longer than that)
Someone stated today that maybe we need to consider a password policy
that does not require a change out of every 90 days as that does tend to
make the person weaken a password or reuse something.
If instead they used a long and nasty passphrase and only changed it
once a year.. would that actually be less risk than one changed more often?
Food for thought.
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> The Magical Number Seven:
> http://www.well.com/user/smalin/miller.html
>
> Protecting your Windows Network, Dr. Jesper Johansson and Steve Riley
> site that study regarding the ability of humans to process
> information. (Good book btw..entertaining security book)
>
>
>
>
> Amazon.com: Protect Your Windows Network : From Perimeter to Data
> (Microsoft Technology): Books: Jesper M. Johansson,Steve Riley:
> http://www.amazon.com/gp/product/0321336437/sr=8-1/qid=1144114723/ref=pd_bbs_1/103-7946857-8851835?%5Fencoding=UTF8
>
>
>
>
> Al Mulnick wrote:
>
>> I'd be very interested to see the technical data that backs that up
>> (not you Neil, but the folks from Microsoft that make that claim.)
>>
>> Is it related to people being able to remember a limited number of
>> numbers
>> perhaps?( http://www.youramazingbrain.org.uk/yourmemory/digitspan.htm
>> ) Or is there some other empirical data that says that passwords with
>> greater than 7 characters is likely to be repeated?
>>
>> Or could it be that somebody at MS is sore that NTLM had to be
>> upgraded to beyond two 7 char strings? ;)
>>
>> Seriously, I see nothing like that here
>> http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf or
>> here http://www.passwordresearch.com/stats/statindex.html
>>
>> I think that's a load of bologna to make a suggestion to keep
>> passwords to less than 7 characters. If anything, there's no reason
>> not to make them longer as the more characters that have to be
>> guessed, the harder it becomes to brute-force hack them (assuming
>> that passwords are not stored as two 7 char strings, right?) That
>> allows the system to be even more useful because you can then extend
>> the attempts prior to lockout making the system more useful to the
>> end user.
>> In the end, there are some assertions that passwords by themselves
>> are coming to the end of their useful life. Hmm.. Maybe. But I think
>> coupled with good lockout policies, strong passwords mean we can
>> mitigate the risks for most situations. Not forever of course.
>>
>> I'd love to see some of that data that shows that users repeat after
>> 7 characters if anyone has it.
>> Al
>>
>>
>>
>> Just for fun:
>> http://plus.maths.org/issue31/features/eastaway/index-gifd.html
>>
>> On 3/6/06, *[EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]>* < [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]> > wrote:
>>
>> The use of >20 char passwords caught my eye.
>> In previous discussions with MS et al, it was suggested that
>> the
>> majority of users would simply repeat a (at most ( 7 char password
>> n times, so as to meet the 20+ char pw policy requirement.
>> As a result, I have heard it suggested that in reality (not
>> theory) a pw policy of more than 7 chars is actually counter
>> productive. [Any pw policy with a multiple of 7 chars being most
>> counter productive.]
>> Food for thought,
>> neil
>>
>>
>> ------------------------------------------------------------------------
>> *From:* [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]> [mailto:
>> [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED] >] *On Behalf Of *Ulf B.
>> Simon-Weidner
>> *Sent:* 05 March 2006 08:35
>>
>> *To:* [email protected]
>> <mailto:[email protected]>
>> *Subject:* RE: [ActiveDir] How Secure is a Domain Controller?
>>
>> I've written down some related thoughts once:
>>
>> http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx
>>
>> Gruesse - Sincerely,
>>
>> Ulf B. Simon-Weidner
>>
>> MVP-Book "Windows XP - Die Expertentipps":
>> http://tinyurl.com/44zcz
>> Weblog: http://msmvps.org/UlfBSimonWeidner
>> <http://msmvps.org/UlfBSimonWeidner>
>> Website: _http://www.windowsserverfaq.org_
>> <http://www.windowsserverfaq.org/>
>> Profile:
>> http://mvp.support.microsoft.com/profile="">
>>
>>
>>
>> ------------------------------------------------------------------------
>> *From:* [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED]> [mailto:
>> [EMAIL PROTECTED]
>> <mailto:[EMAIL PROTECTED] >] *On Behalf Of
>> *Edwin
>> *Sent:* Sunday, March 05, 2006 4:17 AM
>> *To:* [email protected]
>> <mailto: [email protected]>
>> *Subject:* [ActiveDir] How Secure is a Domain Controller?
>>
>>
>> How Secure is a Domain Controller that is fully patched on a
>> default install of Windows 2003? When promoted the domain
>> controller has the two default policies, both of which are
>> recommended not to be modified. But there are things that could
>> be done better for added security. For example, NTLMv2 refuse
>> NTLM and LM. Is it common practice to add additional GPO's to the
>> DC OU? Or is DC protected enough to where all that is needed to
>> worry about are the member machines?
>>
>>
>> If adding additional GPO's to the DC OU, is there anything that
>> should definitely be avoided?
>>
>>
>> Edwin
>>
>> PLEASE READ: The information contained in this email is
>> confidential and
>> intended for the named recipient(s) only. If you are not an intended
>> recipient of this email please notify the sender immediately and
>> delete your
>> copy from your system. You must not copy, distribute or take any
>> further
>> action in reliance on it. Email is not a secure method of
>> communication and
>> Nomura International plc ('NIplc') will not, to the extent
>> permitted by law,
>> accept responsibility or liability for (a) the accuracy or
>> completeness of,
>> or (b) the presence of any virus, worm or similar malicious or
>> disabling
>> code in, this message or any attachment(s) to it. If verification
>> of this
>> email is sought then please request a hard copy. Unless otherwise
>> stated
>> this email: (1) is not, and should not be treated or relied upon as,
>> investment research; (2) contains views or opinions that are
>> solely those of
>> the author and do not necessarily represent those of NIplc; (3) is
>> intended
>> for informational purposes only and is not a recommendation,
>> solicitation or
>> offer to buy or sell securities or related financial instruments.
>> NIplc
>> does not provide investment services to private customers.
>> Authorised and
>> regulated by the Financial Services Authority. Registered in England
>> no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St
>> Martin's-le-Grand,
>> London, EC1A 4NP. A member of the Nomura group of companies.
>>
>>
>
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
