In a previous blog post I talked about account lockout tools… and quite rightly it was pointed out by Drew that one potential drawback is that people can use the lockout feature as a denial of service (DoS) attack. When you decide on your password policies, part of the job is to weigh up the pros and cons of the various features (complex passwords, account lockouts, expiring passwords etc.) and work out what is best for you.
Bill Gates was recently quoted at the IT Forum conference in Copenhagen as saying that smart cards and 64-bit computing are the future of IT (an article can be found here). Does this mean that the password is dead?
Drew’s point raises the question of how complex your passwords should be: if you are not using account lockouts, what can you do to help prevent people from brute forcing them? One suggestion is the use of pass phrases. For those of you that aren’t familiar with pass phrases, the main differences between a password and a phrase are the length (pass phrases tend to be much longer) and that phrases often contain spaces. For example:
A password might be: P@ssw0rd!
A passphrase might be: This is a long and complex pass phrase
The brute force tools tend to struggle with longer passwords: more characters mean more possible combinations. Be aware that some tools are database driven and may contain specific combinations of words and characters, so using the phrase ‘this is my password’ or the golden oldie ‘let me in’ might not be such a good idea. You may laugh, but over the years I have come across many such examples of ‘clever’ passwords that have merrily (and quickly) fallen foul of the brute force tools.
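To put numbers on the two points above (length drives the size of the search space, but a phrase that sits in a tool's word database is weak regardless of length), here is a small policy-check script. It is an added example, not code from the original post: the function names (`charset_size`, `brute_force_bits`, `is_common_phrase`, `assess`), the 60-bit threshold and the tiny `COMMON_PHRASES` list are all my own constructions standing in for the much larger lists real cracking tools ship with.

```python
import math
import string

# Constructed blocklist standing in for the word/phrase databases that some
# brute-force tools are driven by. Real lists are far larger; this is a toy.
COMMON_PHRASES = {
    "this is my password",
    "let me in",
    "password",
}


def charset_size(secret: str) -> int:
    """Size of the smallest standard character set that covers every
    character in the secret: lowercase, uppercase, digits, symbols, space."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation for c in secret):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in secret:
        size += 1
    return size


def brute_force_bits(secret: str) -> float:
    """log2 of the number of candidates an exhaustive search over the covering
    character set has to try: length * log2(charset). This is the 'more
    characters mean more combinations' effect, expressed in bits."""
    n = charset_size(secret)
    return len(secret) * math.log2(n) if n else 0.0


def normalize(secret: str) -> str:
    """Case-fold and collapse whitespace, the way a wordlist lookup would."""
    return " ".join(secret.lower().split())


def is_common_phrase(secret: str) -> bool:
    """True when the secret is in the (constructed) phrase database, i.e. a
    database-driven tool would find it almost immediately whatever its length."""
    return normalize(secret) in COMMON_PHRASES


def assess(secret: str, min_bits: float = 60.0) -> dict:
    """Policy verdict: long enough to resist exhaustive search AND not a
    known phrase. The 60-bit threshold is an assumption for illustration."""
    bits = brute_force_bits(secret)
    common = is_common_phrase(secret)
    return {
        "length": len(secret),
        "charset": charset_size(secret),
        "bits": round(bits, 1),
        "in_wordlist": common,
        "acceptable": bits >= min_bits and not common,
    }


if __name__ == "__main__":
    # The three examples from the text: a short complex password, a long
    # passphrase, and a 'golden oldie' that any phrase list will contain.
    for s in ["P@ssw0rd!", "This is a long and complex pass phrase", "let me in"]:
        print(f"{s!r}: {assess(s)}")
```

Run it and the nine-character `P@ssw0rd!` comes out at roughly 59 bits despite using all four character classes, the 38-character passphrase at well over 200 bits using only letters and spaces, and `let me in` is rejected outright by the wordlist check even though its raw length would otherwise give it a score in the forties.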
I found a really useful set of articles I suggest you read in the security section of TechNet by Jesper M. Johansson, Ph.D., ISSAP, CISSP, Security Program Manager, Microsoft Corporation:
Otherwise, I would really like to find out from you how much you know about what is available on TechNet. Many people I speak to just do not know that articles like this and even the TechNet Flash and Security newsletters are available. In fact I will do a blog posting on it now!