An interesting conversation with some great advice, but a few real shockers as I read through! Most of the points have been challenged by others, so I won't re-hash (sorry, irresistible pun!!), but let's just say a big +1 to the impracticability of RTs containing all extended characters for any relevant lengths. I'd also highlight the danger of casual letter substitution making decent passwords - hybrid attacks defeat these so easily, it's not funny. Check out the admin password in the DigiNotar attack (obvious for other reasons too, but the point stands).
I would suggest to the OP that password cracking, in the traditional brute force sense, is a very specialised area. It's not an efficient attack and is generally quite limited and specific (eg. I stole something, I know it's unsalted legacy crap, it's worth a load of cash and I'm going to spend some time on this). In an AD environment, none of us use un-salted passwords, right?? Pass-the-hash is a much more relevant attack. Or stealing that Excel sheet with all the passwords in it. Or social engineering. For online services, you get locked out and an attacker isn't likely to get hold of the authentication DB from Gmail/Amazon/eBay, etc. - if they are, bigger worries are at play. Let's keep it simple - most passwords are compromised by keystroke loggers. Most of this is a result of Trojans. Introduce the concepts of never ever trusting public machines (one time login is available on some services if you really must), plain-text over public wi-fi, Firesheep, etc. For home machines, local admin, lack of AV and lack of patches constitute the huge majority of compromises resulting in issues like password theft. This is often via phishing, spam, dodgy social media links, kids downloading every game/demo in sight and so on. Simple or guessable passwords are an issue. Taking "reasonable" precautions puts you a loooong way above the bar. Football players, clubs, children's names, etc. result in compromise on a regular basis. Does using extended ASCII protect you further than just using a sensible password (eg. Fru1tlegsSmell!)? No, not in 99.999% of real life scenarios. Scientifically, yes, of course!

a

-----Original Message-----
From: Crawford, Scott [mailto:[email protected]]
Sent: 10 September 2011 23:31
To: NT System Admin Issues
Subject: RE: password questions

I tend to agree with what I think you're saying. But, the original question was whether adding an alt-char to your password would make you safer and/or your password harder to crack.
I think the answer to this is "absolutely".

-----Original Message-----
From: Steve Kradel [mailto:[email protected]]
Sent: Saturday, September 10, 2011 3:00 PM
To: NT System Admin Issues
Subject: Re: password questions

IMO all this business about rainbow tables for finding hash value collisions is, or will soon be, highly obsolete. A properly designed password system should use both (a) enough salt bits to render rainbow tables impractical, and (b) a computationally expensive, variable workload hashing algorithm. If your password-based security system doesn't do this, or have some other safeguard like lockout windows, it is just straight-up weak. Now, whether you are writing a program to try to break into an account through the front door (regular credential challenge) or back door (find a collision on a swiped hash)... Are you going to iterate exhaustively through the entire Unicode BMP, or are you going to start with a list of the 1,000,000 most common passwords and various permutations based on what you know about the account owner's culture? Bearing in mind there are thousands upon thousands of valid characters, and each additional character you decide to include in your brute force break-in attempt dramatically increases your time and cost... going for "total coverage" is almost certainly *not* going to be your strategy.

--Steve
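Two of the thread's points lend themselves to a concrete illustration: Steve's "(a) enough salt bits and (b) a computationally expensive, variable workload hash", and the first reply's warning that casual letter substitution ("P@ssw0rd"-style) is undone trivially by hybrid attacks. The script below is an added example, not code from anyone in the thread. It contrasts a legacy unsalted SHA-1 digest (where equal passwords yield equal hashes, which is what precomputed tables exploit) with a salted PBKDF2-HMAC-SHA256 record whose iteration count is stored alongside the hash so the work factor can be raised later, and it adds a small password-policy check that normalises common substitutions before comparing against a constructed list of common base words. The iteration count, salt length, substitution map and word list are all assumptions chosen for the example.

```python
"""Added example: salted, iterated password storage versus an unsalted
legacy hash, plus a policy check that undoes casual letter substitutions.
Not code from the mailing-list thread; all constants are illustrative."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor. A real deployment tunes this to its hardware budget and
# raises it over time; storing it in the record lets old hashes be upgraded.
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed mini-list of common base words for the policy check.
COMMON_WORDS = {"password", "football", "letmein", "qwerty", "welcome"}

# Casual substitutions that hybrid/rule-based guessing undoes trivially.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def unsalted_hash(password: str) -> str:
    """Legacy-style unsalted SHA-1: identical passwords give identical
    digests across all users, so one precomputed table serves every account."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iters$salthex$hashhex'.
    A fresh random salt per password defeats precomputation; the iteration
    count is the variable workload Steve describes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def normalise_substitutions(password: str) -> str:
    """Lower-case and map common symbol/digit substitutions back to letters."""
    return password.lower().translate(LEET_MAP)


def is_trivially_guessable(password: str) -> bool:
    """Policy check: after undoing substitutions and dropping non-letters,
    does a common base word remain? 'P@ssw0rd1!' -> 'passwordii' -> yes."""
    letters = "".join(ch for ch in normalise_substitutions(password)
                      if ch.isalpha())
    return any(word in letters for word in COMMON_WORDS)


if __name__ == "__main__":
    # Same password, two users: unsalted digests collide, salted records differ.
    print(unsalted_hash("letmein") == unsalted_hash("letmein"))        # True
    rec_a, rec_b = hash_password("letmein"), hash_password("letmein")
    print(rec_a == rec_b, verify_password("letmein", rec_a))           # False True
    for candidate in ("P@ssw0rd1!", "Fru1tlegsSmell!"):
        print(candidate, "->", normalise_substitutions(candidate),
              "guessable" if is_trivially_guessable(candidate) else "ok")
```

Running it shows the two behaviours side by side: the unsalted digests for "letmein" are identical, while the two salted records differ yet both verify. The policy check flags "P@ssw0rd1!" (it normalises to "passwordii", which still contains "password") and passes the thread's own "Fru1tlegsSmell!", matching the point that a sensible passphrase beats a substituted dictionary word regardless of whether extended characters are used.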
