Thanks to all that responded. It is great to get so many perspectives. I appreciate the diversity of opinion here - it's always interesting to see all viewpoints.
Thanks again.

Shauna Hensala

> Subject: RE: password questions
> Date: Mon, 12 Sep 2011 10:31:42 +0100
> From: [email protected]
> To: [email protected]
>
> An interesting conversation with some great advice, but a few real shockers as I read through! Most of the points have been challenged by others, so I won't re-hash (sorry, irresistible pun!!), but let's just say a big +1 to the impracticability of RTs containing all extended characters for any relevant lengths. I'd also highlight the danger of casual letter substitution making decent passwords - hybrid attacks defeat these so easily, it's not funny. Check out the admin password in the DigiNotar attack (obvious for other reasons too, but the point stands).
>
> I would suggest to the OP that password cracking, in the traditional brute force sense, is a very specialised area. It's not an efficient attack and is generally quite limited and specific (e.g. I stole something, I know it's unsalted legacy crap, it's worth a load of cash and I'm going to spend some time on this). In an AD environment, none of us use un-salted passwords, right?? Pass-the-hash is a much more relevant attack. Or stealing that Excel sheet with all the passwords in it. Or social engineering. For online services, you get locked out and an attacker isn't likely to get hold of the authentication DB from Gmail/Amazon/eBay, etc. - if they are, bigger worries are at play.
>
> Let's keep it simple - most passwords are compromised by keystroke loggers. Most of this is a result of Trojans. Introduce the concepts of never ever trusting public machines (one-time login is available on some services if you really must), plain-text over public wi-fi, Firesheep, etc. For home machines, local admin, lack of AV and lack of patches constitute the huge majority of compromises resulting in issues like password theft. This is often via phishing, spam, dodgy social media links, kids downloading every game/demo in sight and so on.
>
> Simple or guessable passwords are an issue. Taking "reasonable" precautions puts you a loooong way above the bar. Football players, clubs, children's names, etc. result in compromise on a regular basis. Does using extended ASCII protect you further than just using a sensible password (e.g. Fru1tlegsSmell!)? No, not in 99.999% of real life scenarios. Scientifically, yes, of course!
>
> a
>
> -----Original Message-----
> From: Crawford, Scott [mailto:[email protected]]
> Sent: 10 September 2011 23:31
> To: NT System Admin Issues
> Subject: RE: password questions
>
> I tend to agree with what I think you're saying. But, the original question was whether adding an alt-char to your password would make you safer and/or your password harder to crack. I think the answer to this is "absolutely".
>
> -----Original Message-----
> From: Steve Kradel [mailto:[email protected]]
> Sent: Saturday, September 10, 2011 3:00 PM
> To: NT System Admin Issues
> Subject: Re: password questions
>
> IMO all this business about rainbow tables for finding hash value collisions is, or will soon be, highly obsolete. A properly designed password system should use both (a) enough salt bits to render rainbow tables impractical, and (b) a computationally expensive, variable workload hashing algorithm. If your password-based security system doesn't do this, or have some other safeguard like lockout windows, it is just straight-up weak.
>
> Now, whether you are writing a program to try to break into an account through the front door (regular credential challenge) or back door (find a collision on a swiped hash)... Are you going to iterate exhaustively through the entire Unicode BMP, or are you going to start with a list of the 1,000,000 most common passwords and various permutations based on what you know about the account owner's culture?
> Bearing in mind there are thousands upon thousands of valid characters, and each additional character you decide to include in your brute force break-in attempt dramatically increases your time and cost... going for "total coverage" is almost certainly *not* going to be your strategy.
>
> --Steve
>
> CLS Services Ltd - Registered in England No 4132704 - Registered Office: Exchange Tower, One Harbour Exchange Square, London E14 9GE

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
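Two of the points in this thread (Andrew's, that hybrid rules walk straight through casual letter substitution, and Steve's, that per-user salt plus an expensive variable-workload hash is what actually changes the attacker's economics) are easy to see side by side in code. The following is an added example written for this page, not code from anyone in the thread. The word list, substitution rules, suffixes and the three accounts are constructed for illustration; MD5 stands in for any fast unsalted hash (NTLM in AD is MD4 over the UTF-16LE password, which is the same shape), and PBKDF2-HMAC-SHA256 stands in for any salted, iterated scheme.

```python
"""Added example: a small hybrid (word list x substitution x suffix) attack run
against unsalted hashes, then the same candidate list run against salted,
iterated PBKDF2 hashes. Names, passwords, rules and words are all constructed."""
import hashlib
import hmac
import itertools
import os

# Constructed seed word list: names, clubs, seasons, the obvious stuff.
WORDLIST = ["password", "fruit", "liverpool", "summer", "emma", "admin"]

# Casual letter substitutions that a hybrid rule set tries at every position.
LEET = {
    "a": ["a", "@", "4"], "e": ["e", "3"], "i": ["i", "1", "!"],
    "o": ["o", "0"], "s": ["s", "$", "5"], "l": ["l", "1"],
}
# Common tails appended after the substitutions.
SUFFIXES = ["", "!", "1", "123", "2011", "!1"]


def hybrid_candidates(words=WORDLIST):
    """Yield every word x substitution pattern x (capitalised or not) x suffix."""
    for word in words:
        choices = [LEET.get(ch, [ch]) for ch in word.lower()]
        for combo in itertools.product(*choices):
            base = "".join(combo)
            forms = [base]
            if base[0].isalpha():
                forms.append(base[0].upper() + base[1:])
            for form in forms:
                for suffix in SUFFIXES:
                    yield form + suffix


def unsalted_hash(password):
    # Fast, unsalted: one hash of a candidate is comparable against every user.
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(targets, words=WORDLIST):
    """targets: {user: unsalted hex digest}. Each candidate is hashed once and
    looked up against all users at the same time, so the cost does not grow
    with the number of accounts in the dump."""
    by_hash = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest, []).append(user)
    found, hashes_computed = {}, 0
    for cand in hybrid_candidates(words):
        hashes_computed += 1
        for user in by_hash.get(unsalted_hash(cand), []):
            found[user] = cand
        if len(found) == len(targets):
            break
    return found, hashes_computed


def salted_hash(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(targets, iterations, words=WORDLIST):
    """targets: {user: (salt, digest)}. The per-user salt forces the whole
    candidate list to be re-derived for every account (no rainbow table, no
    sharing work across users), and each derivation costs `iterations` HMAC
    calls, so total work is roughly users x candidates x iterations."""
    found, derivations = {}, 0
    for user, (salt, digest) in targets.items():
        for cand in hybrid_candidates(words):
            derivations += 1
            if hmac.compare_digest(salted_hash(cand, salt, iterations), digest):
                found[user] = cand
                break
    return found, derivations


def demo(iterations=1000):
    """Constructed accounts: two 'sensible looking' substituted passwords and a
    three-word passphrase that no single-word hybrid rule reaches."""
    plain = {"alice": "P@ssw0rd1", "bob": "L1verpool!", "carol": "Fru1tlegsSmell!"}
    unsalted = {u: unsalted_hash(p) for u, p in plain.items()}
    salted = {}
    for u, p in plain.items():
        salt = os.urandom(16)  # fresh random salt per user
        salted[u] = (salt, salted_hash(p, salt, iterations))
    found_u, n_u = crack_unsalted(unsalted)
    found_s, n_s = crack_salted(salted, iterations)
    return found_u, n_u, found_s, n_s * iterations


if __name__ == "__main__":
    fu, nu, fs, hmacs = demo()
    print("unsalted: recovered", fu, "with", nu, "hashes")
    print("salted+PBKDF2: recovered", fs, "with", hmacs, "HMAC iterations")
```

Run as a script it recovers alice's and bob's passwords in both cases with a few thousand candidates, which is the hybrid-attack point: "P@ssw0rd1" and "L1verpool!" are one dictionary word plus a rule each. The salt and iteration count do not save a password that weak; what they do is multiply the work per account by the iteration count and stop the attacker amortising one candidate hash across the whole dump. The passphrase survives both runs only because it is not derived from a single word in the list, which is the "sensible password" half of Andrew's point.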
