Password Security - Choosing Strong Passwords

While there are various authentication mechanisms available, most people still log on with a user name and password – and most people assume that the longer a password is, the more difficult it will be to break. But it ain’t necessarily so!

Windows 2000, XP, Server 2003 and Vista store user passwords either as a NTLM hash and/or as a LAN Manager (LM) hash. This is necessary in order to achieve backward compatibility with Windows 9x clients which authenticate via LM rather than Kerberos. By default, Windows Vista only saves passwords as an NTLM hash (if you want Vista to save them as a LM hash too, you need to turn on that option), but Windows 2000, XP and Server 2003 all save as both NTML and LM hashes – and LM hashes can be easily cracked.

To calculate a LM hash, the operating system takes a password and:

1. Converts all lowercase characters uppercase;

2. Pads the password with NULL characters until it is exactly 14 characters long;

3. Splits the password into two 7 character chunks;

4. Uses each chunk separately as a DES key to encrypt a specific string; and

5. Concatenates the two cipher texts into a 128-bit string and stores the result.

Consequently, each chunk of a password can be attacked separately and the entire lowercase character set can be ignored. Both of these factors substantially reduce the number of possible character combinations (Wikipedia explain the math) and enable cracker tools such as Ophcrack to break LM hashes extremely quickly.

Additionally, once one chunk of a password has been decoded, an attacker may well be able to guess the second chunk. For example, let’s say that a chap called Gilbert Grape had chosen the password GilbertGrape (not very imaginative, but then the same can be said for the majority of passwords!). This password can actually be broken far more speedily than a strong 7 letter password as, once a cracking tool has decoded the second chunk as being Grape, the attacker will probably be able to guess that the first chunk is Gilbert. Accordingly, the cracking tool has only had to discover 5 of the 12 characters in the password in order for it to be broken.

While many businesses use policy to enforce both password complexity and expiry requirements, this is not necessarily the best option. Why? Simply because users find it extremely difficult to create a password that is both complex and memorable on a monthly basis. Should you enforce such a policy, chances are that your users will be attaching sticky notes to the undersides of their desks and the backs of their monitors to serve as aide memoirs – and that will obviously decrease your security.

So, what exactly is a complex password? How can you tell whether a password is sufficiently complex? And how the heck can you remember your complex passwords? Here's some suggestions that will help make life a little easier:

1. Don’t use complete and unbroken words or names in your passwords; instead, insert characters into each word used. For example, instead of GilbertGrape use G1lb3rt@Gr(a)pe.

2. Use Microsoft’s Password Checker to test the strength of your passwords.

3. Configure Windows not save passwords as LM hashes (see How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases for more information). Note that this may not be practical should a network contain Windows 9x or Mac clients.

4. Don’t enforce both password complexity and frequent expiry. Instead, a strong password policy used in conjunction with, say, a 120 day age limitation may make it easier for ordinary users to create passwords which are both secure and memorable. Remember, password complexity/expiry need not be standard across all users – for example, admin accounts may need to be protected with a more complex password that expires sooner than ordinary user accounts.

5. Educate your users about the importance of their password - making sure, for example, that they understand why it must not be shared with colleagues or written down and stored in an unsecure location - and make sure that they know how to create a strong a password. Also be sure to educate your user about phishing and social engineering scams which may attempt to lure them into disclosing their passwords (Anti-Phishing Phil may help!).

6. The reason that many people do not use strong passwords is that they (understandably) find them hard to remember. A solution such as Atek Secure Password Organizer can help overcome this.

To sum up, the best password is not necessarily one which is complex and frequently changed – rather, it’s a password which is hard to guess or crack, but which can still be easily remembered.