Why you shouldn’t be using passwords of any kind on your Windows networks . . .


Edited 10/18/2004:
This blog has gained far more attention than I could have ever imagined when I decided to create a small personal blog devoted to security incident response.  I never imagined my first ever post would be as controversial or as widely published / linked as it has become!

Over the weekend links to this blog post were sent to W2KNews and full-disclosure and I’m getting inundated with questions / comments and requests for the spreadsheet I referred to in my original post.

Given the overwhelming feedback from the readers I have decided to work with the right people internally to get pass-phrases documented in more formal / authoritative guidance up on the Microsoft web site.  As we work to document this guidance I imagine that the spreadsheet I referred to in my original post will be made available as part of that future guidance for all to download.

For official Microsoft guidance on a much wider range of security topics than what you’ll find here, you should visit the following url:  http://www.microsoft.com/security/guidance

In addition, Jesper Johansson has published the first in a 3-part series on the topic of passwords vs. pass-phrases and I strongly encourage you all to give that a read.  Jesper was in fact the person who inspired me to consider pass-phrases and start using them, and his column can be found here: http://www.microsoft.com/technet/community/columns/secmgmt/default.mspx

Here was my original post (with some minor technical bugs fixed. <G>):

So this is my first ever blog entry and seeing as how I’m a senior member of the PSS Security Incident Response team, you may think I’ve stopped taking my medication by opening with a title like the one above!  Medication issues notwithstanding, it’s true – you should NOT be using passwords of any kind.  Why?  For starters, passwords are ridiculously easy to guess or crack.  Worms like Agobot / Phatbot / Polybot / SDBot / RBot (no I didn’t write this one) all ship with dictionaries of passwords numbering in the hundreds and they can easily replicate to a system that has a password in this word list, and the miscreants are really good at keeping these wordlists up to date with passwords that they’ve cracked from other systems. 
As an example of what I’m talking about check out Symantec’s write-up of this little nasty that we encounter on my team just about every day:

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.ae.html

Worse still, attackers (either automated or human) don’t even need to GUESS the password.  There are hacking tools a-plenty that will let a miscreant sniff your network traffic to scoop out authentication material for the LM, NTLM and Kerberos protocols and then brute-force that material back into a working password.  Sure you can protect the network with segmentation, encryption (IPSec etc.) and even 802.1x, and I’m a big fan of all of these concepts, but really they just work around an issue that you still need to address: the inherent vulnerability in your network, which is the password.

Ignoring the network for a second, what happens if an attacker gains physical access to a machine on your network with elevated priv’s?  Well they can dump all of the password hashes to a .txt file and then, through the magic of pre-computation, can ‘look up’ the password corresponding to that password hash in *seconds*, and they can do this for all hashes they obtain.  Lots of ‘security consultants’ like to terrorize our customers by doing penetration tests: sniffing some network authentication exchanges, cracking the easily determined passwords, gaining access to a DC, dumping out all of the password hashes, cracking most if not all of those using rainbow tables and then using that as evidence you should switch to Linux! (bah!)
Pre-computation attacks are a somewhat new and interesting phenomenon we are starting to encounter ‘in the wild’ through chainsaw security consultants.  What they do is pre-compute all of the possible LM or NT password hashes of a given length with a given character set and burn the pre-computed password-hash-to-password mappings to DVD.  Heck, they can even submit their request to have your password hash reversed back into a password using a web page someone has set up to do the job for you (sorry, not going to give out THAT URL here.) . . . for free!

So with all of these highly successful, highly effective attacks on passwords (dictionary attacks, brute-force attacks, pre-computation attacks) I’ve come to the conclusion that there is simply too much risk associated with passwords and that users of Windows should simply stop using them to avoid this risk.

Problem solved right?

Hopefully by now, if you’re in the security business, I’ve managed to get you foaming-at-the-mouth, lunatic-crazy mad!  How irresponsible is it that I, as an incident response specialist for Microsoft, could be recommending to our customers and readers that you do NOT use passwords anymore?  As a CISSP I have to admit it does seem to be just cause for revoking my membership, but I of course used this ploy to get your attention and keep you reading. 

“Where is he going with this?“

So here’s the deal – I don’t want you to use passwords, I want you to use pass-PHRASES.  What is a pass-phrase you ask?
Let’s take a look at some of my recent pass-phrases that I’ve used inside Microsoft for my ‘password’.
“If we weren’t all crazy we would go insane” (Jimmy Buffet rules)
“Send the pain below!” (I like Chevell too)
“Mean people suck!” (it’s true)

So why are these pass-phrases so great?
1.  They meet all password complexity requirements due to the use of upper / lowercase letters and punctuation (you don’t HAVE to use numbers to meet password complexity requirements)
2.  They are so freaking easy for me to remember it’s not even funny.  For me, I find it MUCH easier to remember a sentence from a favorite song or a funny quote than to remember ‘xYaQxrz!’ (which b.t.w. is long enough and complex enough to meet our internal complexity requirements, but is weak enough to not survive any kind of brute-force password grinding attack with say LC5, let alone a lookup table attack).  That password would not survive sustained attack with LC5 long enough to matter so in my mind it’s pointless to use a password like that.  You may as well just leave your password blank.
3.  I dare say that even with the most advanced hardware you are not going to guess, crack, brute-force or pre-compute these passwords in the 70 days or so that they were around (remember you only need the password to survive attack long enough for you to change the password).

Fact:  Did you know that Windows 2000 based operating systems support pass-PHRASES of up to 127 characters including spaces, and unicode characters like this –> ?
Fact:  Did you know that even the most efficient form of password cracking (pre-computation using Sarca rainbow tables) breaks down and becomes infeasible for most attackers at around 10 characters (I’ve seen the math to prove it), and at 14 characters or more Excel can’t even display a number big enough to show how long it would take to pre-compute / look up a 14 character password (so I’m assuming this would safely rule out dedicated government agencies with unlimited hardware budgets <G>).

Now, looking at my first easy to remember (for me) pass-phrase listed above we see that it’s 42 characters.  I could type that 3 times in a row as my password and still not exceed the buffer allocated for my password in Windows!  So . . . why is this password so great?

1.  It prevents the LM hash from being stored (LM password hashes are stored by default on all of our operating systems, even WS2003, for backwards compatibility reasons).  The LM hash is no longer cryptographically secure and takes only seconds to crack with most tools.
2.  It’s easy to remember – I don’t have to write it down.
3.  Since it’s 42 characters long it will never be found in a simple word-list and thus can’t be guessed with even the largest dictionary files.
4.  Since it’s 42 characters long, it’s physically impossible to pre-compute the password hash -> password mappings and store them in any reasonably attainable amount of disk space / RAM (I can’t even tell you how many petabytes it would be because Excel barfs when I try to make it tell me; it can’t calculate a number that big <G>).
5.  Since it’s 42 characters long it would take an extremely long time to brute-force that back into the original password using all possible number / letter / special character combinations (think of a pre-computation attack as a brute-force attack, only you save the results of all of the brute-force attempts to a database for use in future attacks).

Do you see a pattern here?  Pass-phrase LENGTH, not complexity, defeats these attacks.  Short but complex passwords should be shunned as they are not truly secure anymore, and you are deceiving yourself if you think they are.  Long pass-phrases (14 characters or more) are the future (along with 2-factor or more authN, but that’s another blog for another day) and are the only way to go if you want to ensure that you won’t get hacked via any type of password based attack of any kind.
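To make the length-over-complexity argument concrete, here is a small estimator, added here as an example and not the post’s own tooling, that scores ‘xYaQxrz!’ against the 42-character pass-phrase: keyspace, entropy under a random-character model and under a pessimistic English-text model (2.1 bits per character, a figure assumed from the discussion in the comments), whether an LM hash would still be stored, and the raw size of a complete hash-to-password table. The guess rate and the 14-character LM cutoff are assumptions labelled in the code.

```python
import math
import string

# Character classes an attacker must cover in a brute-force or precomputation
# attack; 33 = the 32 ASCII punctuation characters plus the space.
_CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Per-character entropy of English text. Assumed figure (the one quoted in the
# comments); used as a pessimistic model for a natural-language phrase.
ENGLISH_BITS_PER_CHAR = 2.1

# Assumption: Windows stops storing the LM hash once the password exceeds 14 characters.
LM_MAX_LENGTH = 14

# Constructed sample inputs: the short complex password and the 42-character
# pass-phrase from the post (ASCII apostrophe so the block stays portable).
SHORT_PASSWORD = "xYaQxrz!"
PASS_PHRASE = "If we weren't all crazy we would go insane"


def _char_class(ch: str) -> str:
    """Map one character to its class; the estimator is ASCII-only."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    if ch in string.punctuation or ch == " ":
        return "symbol"
    raise ValueError(f"non-ASCII character {ch!r}: estimator is ASCII-only")


def charset_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character."""
    return sum(_CLASS_SIZES[c] for c in {_char_class(ch) for ch in password})


def random_entropy_bits(password: str) -> float:
    """Bits of entropy if every character were drawn uniformly from the charset."""
    return len(password) * math.log2(charset_size(password))


def phrase_entropy_bits(password: str) -> float:
    """Bits under the English-text model; the charset earns no credit here."""
    return len(password) * ENGLISH_BITS_PER_CHAR


def effective_bits(password: str) -> float:
    """Heuristic: anything containing a space is scored as language, not as a random string."""
    if " " in password:
        return phrase_entropy_bits(password)
    return random_entropy_bits(password)


def lm_hash_stored(password: str) -> bool:
    """True when Windows would keep an LM hash alongside the NT hash."""
    return len(password) <= LM_MAX_LENGTH


def full_table_bytes(password: str, hash_bytes: int = 16) -> int:
    """Storage for a complete hash-to-password table over the keyspace.

    NT hashes are 16 bytes; rainbow-chain compression is ignored, so this is
    a crude upper bound rather than the size of a real table.
    """
    return charset_size(password) ** len(password) * hash_bytes


def brute_force_years(bits: float, guesses_per_second: float = 1e9) -> float:
    """Expected years to search half the keyspace at the assumed guess rate."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def assess(password: str) -> dict:
    """Summarise, for one candidate, the properties the post argues about."""
    bits = effective_bits(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "effective_bits": round(bits, 1),
        "lm_hash_stored": lm_hash_stored(password),
        "full_table_petabytes": full_table_bytes(password) / 1e15,
        "brute_force_years_at_1e9_per_s": brute_force_years(bits),
    }


if __name__ == "__main__":
    for candidate in (SHORT_PASSWORD, PASS_PHRASE):
        print(repr(candidate), assess(candidate))
```

Even scored as plain English at 2.1 bits per character, the phrase comes out well above the 8-character password scored as if it were fully random, and it is the only one of the two that keeps an LM hash off the domain controller.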

Given how easy it is to remember a sentence as opposed to random numbers and letters strung together, and how much safer it is – why are IT companies still using weak 10 character or less passWORDS that users can’t remember and so write down or forget, which leads to password theft and helpdesk call volume?  Why aren’t IT companies dictating 20 character password minimums (which all but forces you to use a pass-phrase) and educating users about the 127 character password prowess of Windows 2000 and later OSes?  Why aren’t IT companies telling everyone, users and admins alike, to use easy to remember sentences and phrases as passwords?

Simple – no one knows this stuff.  This is, unfortunately, one of Microsoft’s best kept secrets (the 127 character password limit on Windows 2000 and later OSes) and we’ve done very little to change the flawed mindset around short passwords.

(Amusing side-note – did you know that Windows 2000 was originally supposed to support 256 character passwords?  Apparently the design spec back in the day called for 256 characters to be supported and the developer dutifully allocated a 256 byte array . . . but they failed to realize that double-byte character sets would need to be supported for far-east languages thus effectively halving the length of the password since it takes 2 bytes to represent each character . . . doh!).

Well the secret is secret no more – the word is out!  Now go change your password policy and do it quickly . . . or you’ll be opening a support incident with my team soon and I’ll be telling you all of this on the phone after I figure out your password policy was easily subverted by an automated worm that copied itself to your server via your exposed admin shares.

Robert Hensing – Microsoft PSS Security Team
E-mail: rhensing@microsoft.com
Personal PGP Key ID: 0x87CEA167
Personal PGP Key Fingerprint: 6533 4075 7E87 9D32 8A10 742D B120 7C68 87CE A167
Team PGP Key ID: 0xEB722C4B
Team PGP Key Fingerprint: 1781 923A 0405 8F6A 31B7 EEFD 9A13 6A28 EB72 2C4B


Comments (81)

  1. Anonymous says:

    From:http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx This blog has gained far more attention than I could have ever imagined when I decided to create a small personal blog devoted to security incident response. I never imagined my first ever post would be as controversial or…

  2. Anonymous says:

    Alec Saunders: This is well worth reading.

  3. Anonymous says:

    Alfred’s blog » Let’s stop using passwords

  4. Anonymous says:

    I’ve heard Jesper talk about this many times and have used passphrases for a long time myself. The term…

  5. Anonymous says:

    I just read this article on Robert Hensing’s Microsoft blog that says we should be using passphrases rather than passwords. ie: These are bad (old passwords of mine, they’re based on phrases so fairly easy to remember): Fots84!kP4 ttsL1HK.g Mt2ltUP:eD…

  6. Anonymous says:

    Apparently passwords are no longer in style. One of our loving friends at Micro$oft posted this blog entry. To summarize, he says "use passphrases". Apparently Windoze 2k/XP/2k3 all support 127 character ‘passwords’. So instead of one pseudo-random pass

  7. Anonymous says:

    Techie life » More on passphrases

  8. Anonymous says:

    Why you shouldn’t be using passwords of any kind on your Windows networks . . . is an interesting viewpoint. I am not sure what the limits are for Linux though. Thanks to randomthoughts – Don’t use passwords on your

  9. Anonymous says:

    Perfected » Blog Archive » Passphrases over complex passwords?

  10. Anonymous says:

    Ensight – Jeremy C. Wright » Secure Passwords: Final Version

  11. Anonymous says:

    Robert Hensing from the Microsoft PSS Security Team is trying to propose a new method of accessing systems. Although using a passphrase instead of a password is nothing new it is when we are talking about general access control systems….

  12. Anonymous says:

    Here was me thinking there’d be nothing to blog about…. Just over two weeks ago, I wrote a completely idiotic blog post. Stupid in fact, about how to make simple, secure passwords. Of course, one of my readers showed me my stupidity, and I thank him for it. He advocates passphrases. Well, today an Incident Response Specialist (big head security dude) for Microsoft wrote a fantastic post outlining this in great detail. In his first blog post evah (!!!) Robert Hensing (background available via Google) talks about passphrases in great detail. Some really choice quotes?

    Worse still, attackers (either automated or human) don’t even need to GUESS the password. There are hacking tools a-plenty that will let a miscreant sniff your network traffic to scoop out authentication material for the LM, NTLM and Kerberos protocols and then brute-force that material back into a working password. Sure you can protect the network with segmentation, encryption (IPSec etc.) and even 802.1x and I’m a big fan of all of these concepts, but really they just workaround an issue that you still need to address. The inherent vulnerability in your network which is – the password.

    So here’s the deal – I don’t want you to use passwords, I want you to use pass-PHRASES. What is a pass-phrase you ask? Let’s take a look at some of my recent pass-phrases that I’ve used inside Microsoft for my ‘password’.

    If we weren’t all crazy we would go insane (Jimmy Buffet rules)
    Send the pain below! (I like Chevell too)
    Mean people suck! (it’s true)

    So why are these pass-phrases so great?

    1. They meet all password complexity requirements due to the use of upper / lowercase letters and punctuation (you don’t HAVE to use numbers to meet password complexity requirements)

    2. They are so freaking easy for me to remember it’s not even funny. For me, I find it MUCH easier to remember a sentence from a favorite song or a funny quote than to remember ‘xYaQxrz!’ (which b.t.w. is long enough and complex enough to meet our internal complexity requirements, but is weak enough to not survive any kind of brute-force password grinding attack with say LC5, let alone a lookup table attack). That password would not survive sustained attack with LC5 long enough to matter so in my mind it’s pointless to use a password like that. You may as well just leave your password blank.

    3. I dare say that even with the most advanced hardware you are not going to guess, crack, brute-force or pre-compute these passwords in the 70 days or so that they were around (remember you only need the password to survive attack long enough for you to change the password).

    Really, continue reading if you want more info….

  13. Anonymous says:

    "So this is my first ever blog entry and seeing as how I’m a senior member of the PSS Security Incident Response team, you may think I’ve stopped taking my medication by opening with a title like the one above!…

  14. Anonymous says:

    Last week I was home taking care of a few random work issues after dinner. I was wrapping up, and, as…

  15. Anonymous says:

    Never Knows Best: Blog

  16. Anonymous says:

    I have always had a problem with passwords- thinking of new passwords, remembering old passwords, typing in passwords. Problems all across the board. A few years ago I used to be really good with my passwords. I had no less…

  17. Anonymous says:

    A new blogger, Robert Hensing, wrote his first blog post back on July 28, 2004. It’s an excellent article on…

  18. Anonymous says:

    Microsoft senior member says stop using passwords

  19. Anonymous says:

    Team Murder » Some Pre-Lunch Messing Around

  20. Anonymous says:

    Why You Need a Strong Password It is worth reminding ourselves occasionally why we need passwords and

  21. Anonymous says:

    Why you shouldn’t be using passwords of any kind on your Windows networks . . . Robert Hensing’s Incident Response WebLog…

  22. Anonymous says:

    If you want your system to be secure you shouldn’t use passwords. Who would make such an obviously stupid statement? Surprisingly, the answer is Robert Hensing of the Microsoft PSS Security team.

  23. Anonymous says:

    the musings of Brandon Jaynes :: This Is A Great Idea

  24. Anonymous says:

    Today I read an interesting post by Robert Hensing (incident response specialist for Microsoft) about the fact that you shouldn’t use passwords of any kind on your Windows networks. Ok, now before you foam at the mouth and think he’s nuts, take some time to read the post. It’s rather interesting.

    What Robert is getting at is that in this day and age, with the number of different techniques that exist, passwords (especially through pre-computed hashes) are easy to break. His solution: use long passPHRASES that are more difficult to break through attack vectors such as LC.

    OK, I’ll buy that for a dollar. Mostly because that’s all that it’s worth. Robert makes a good point that if you have a longer "passphrase", it is extremely difficult for pre-computed hashes to crack per character. What he fails to really point out is that password entropy doesn’t simply get better by using length, UNLESS IT IS RANDOM! Shifting to longer passphrases is good, but only to the extent of the random nature of characters used. Why do I say that? Because tools already exist in the underground that now include precomputed H4CK3R 1337 5P34K, and normalized words that are part of the English language. The weakest link is the human factor here.

    A passphrase of:

    Bob’s your uncle! Is Alice in wonderland? The answer is 42.

    is great on length, uses a combination of upper and lower case letters and even special punctuation characters. It is extremely easy for me to remember, I won’t even need to write it down. Yet you know what? It is weaker than a password I can make up that is just as easy to remember, but is way shorter. Let me explain.

    As Robert points out in his post, brute force attacks using pre-computed hashes on longer passphrases are nearly impossible due to the sheer hardware requirements needed to store all the pre-computed results. RAM and disk space limitations make this much more difficult. However, by using passPHRASES you break down the password into distinct elements; in this case, in the English language, we call those WORDS. So the parser breaks down the above passphrase into 14 distinct components which are guessable. (You break out punctuation as its own word here.) Attackers know this. And can use that to their advantage.

    Now to be fair, a passphrase with 14 distinct components is still amazingly strong, and difficult to crack. However, it also becomes too easy to break down in password management for the user. Why? Well for starters:

    1. The longer the passphrase, the easier it is to mistype.

    2. The easier it is to type out (assuming you are a good typer) the more lax your thought processing will be when entering passwords.

    3. The longer the passphrase, the more tiresome it may be for the user to input, in which case they will settle with "b0bsuncle" later when they get tired of typing the longer and much safer password.

    Even if you could make this all random, easy to enter and protected against user input errors, a passPHRASE of this length is insane. It’s like using an 8192 bit PGP key. Its effective strength is great, but insanely impractical for decryption purposes. In security it’s about "what is enough security", not "what is the ultimate security".

    Let me show you a just as effective way of making a strong password/passphrase that will defeat most cracking attack vectors, is easy to remember, and is prone to LESS input errors by humans, the people we are wanting to protect here. Use the same passphrase technique as Robert suggested in your head, and simply type out the first letter, and any numbers and punctuation that come out of it. For the passphrase:

    Bob’s your uncle! Is Alice in wonderland? The answer is 42.

    You would get a password of:

    Byu!IAiw?Tai42.

    Now under the guise of a complex random password, you actually have (in this case):

    1. A strong 15 character password with a good effective bit strength.

    2. This meets the criteria of a "long enough" password (anything over 14 random upper and lower characters, which also include digits and punctuation, will generate a ‘good enough’ password for most networks that will thwart pre-compute and other brute force attacks).

    3. It is easy to remember, hard to guess.

    4. Requires thought as your brain processes each word individually as you type the first character. Studies have shown if you actually have to THINK about something as you type it, it is less prone to error.

    Robert brings up very interesting thoughts in his post. And you should seriously consider following them, with one change. Remember the user. As security professionals, it’s easy for us to use insane passwords for protection. We are supposed to know better. But Alice in accounting just isn’t going to follow it. With my slight change to simply type out the first letter of each word, and any numbers and punctuation that come out of it, you have a much more PRACTICAL passphrase that is ‘good enough’ for most networks. With a bit of user education, this can become extremely effective. Oh, and if on the next password rotation you don’t feel like using the first letter of every word, change it up. Use the last letter. Or the second. Just remember if you make it too difficult, you will forget it, making it no better than ‘g0d’ or ‘P4$5w0rd!’. Especially since you are going to have to call IT services to reset your password anyways….
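As an added illustration of this comment’s technique (not the commenter’s own code), the following implements the first-letter-plus-digits-and-punctuation rule and the word-level tokenisation the comment says an attacker would apply, checking that the sample phrase yields ‘Byu!IAiw?Tai42.’ and splits into 14 components. Dropping the mid-word apostrophe in “Bob’s” and the 15-character bar are inferred from the comment’s worked example.

```python
import re

# Constructed from the comment above: the long pass-phrase and the password
# the commenter derives from it (ASCII apostrophe).
PHRASE = "Bob's your uncle! Is Alice in wonderland? The answer is 42."
EXPECTED = "Byu!IAiw?Tai42."


def derive_password(phrase: str) -> str:
    """Apply the commenter's rule word by word: keep the first character, every
    digit after it, and any punctuation that ends the word.  Punctuation in the
    middle of a word (the apostrophe in Bob's) is dropped, which is the reading
    that reproduces the comment's own example."""
    out = []
    for word in phrase.split():
        first, rest = word[0], word[1:]
        digits = "".join(c for c in rest if c.isdigit())
        trailing = re.search(r"[^\w]+$", rest)
        out.append(first + digits + (trailing.group(0) if trailing else ""))
    return "".join(out)


def components(phrase: str) -> list:
    """Split the phrase the way the comment's word-level parser would: words
    (apostrophes kept inside them) plus each punctuation mark on its own, so the
    count is the number of guessable units rather than the character length."""
    return re.findall(r"[A-Za-z0-9']+|[^\sA-Za-z0-9']", phrase)


def meets_comment_policy(password: str, min_length: int = 15) -> bool:
    """The comment's 'long enough' bar: over 14 characters with upper and lower
    case letters, digits and punctuation all present."""
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


if __name__ == "__main__":
    derived = derive_password(PHRASE)
    print(derived, len(derived), "chars;", len(components(PHRASE)), "components")
    print("meets policy:", meets_comment_policy(derived))
```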

  25. Anonymous says:

    or is it? Dana Epps then jumped in with a response: However, by using passPHRASES you break down the password in distinct elements, in this case in the english language we call those WORDS…. If you take Dana’s approach, and pick something too simple or well-known (like, say, lines from The Marines’ Hymn), you are at least theoretically vulnerable to dictionary attacks that try combinations of Beatles lyrics, quotes from The Princess Bride, or whatever.

  26. Anonymous says:

    The original spec was to have 256 character available for passwords, so 256-bytes were reserved. Why is the password length limited to 127 characters? Far-east/Unicode uses 2 bytes per character. Oops.

    Found that ‘dirty secret’ here:

    http://blogs.

  27. Anonymous says:

    Why you shouldn’t be using passwords of any kind on your Windows networks . . . This comment sent my brain straight back to Randy Waterhouse and his ‘issues’ with passcodes! Interesting that Hensing’s comment drew so much attention. I…

  28. Anonymous says:

    A Microsoft security engineer posts on why the password is dead. A stance I firmly agree with but some reservations around the details. The author is coming from the Windows space but the same principles apply in Unix and other OS flavours. Passwords have had a long history of being…

  29. Anonymous says:

    Zyca » 2004 » September » 14

  30. Anonymous says:

    Robert Hensing’s Secure Window’s Initiative Blog (via Coding Horror) advocates something I’ve been doing for years: So here’s the deal – I don’t want you to use passwords, I want you to use pass-PHRASES. What is a pass-phrase you…

  31. Anonymous says:

    If you want your system to be secure you shouldn’t use passwords. Who would make such an obviously stupid statement? Surprisingly, the answer is Robert Hensing of the Microsoft PSS Security team.

  32. Anonymous says:

    I’ve heard Jesper talk about this many times and have used passphrases for a long time myself. The term…

  33. Anonymous says:

    I have read many articles about the benefits of using passphrases in contrast to passwords. For more

  34. Anonymous says:

    Another blog article I’ve been meaning to write for a long time: how to construct a strong password

  36. Anonymous says:

    Pass-Phrases, not Pass-Words to defeat brute force attacks

  37. Anonymous says:

    A rather well written article on why you shouldn’t be using passwords of any kind on your Windows networks. Basically,…

  38. a. says:

    and every time i need to authenticate just type 42 characters?

  39. Daniel W. says:

    Great article!

    So far I’ve been using Password Minder created by Keith Brown to keep all my passwords. It helps me generate passwords 75 chars long. But so far almost all of the e-commerce Web sites I use have a limit for passwords to about 8-10 characters.

    I just hope they’ll all hear your call!

  40. Robert Hensing says:

    I type extremely fast (80wpm) so for me typing a 42 character sentence when I get challenged isn’t all that hard or difficult. I realize not everyone would enjoy a pass-phrase that extreme – but how hard is it to type ‘Mean people suck!’. That’s much shorter and just as secure . . . My point is to get people to use 14 character or greater passwords by using pass-phrases instead. 42 characters may seem like overkill . . . but then again I would freely give out my password hash to anyone who wanted it and challenge them to crack it with that pass-phrase. 🙂

    Finally – the only time I get challenged is when I logon to the domain – since we’re in a domain I don’t get challenged when connecting to shares or intranet sites – I auto-authenticate after I sign in.

  41. Matt Hawley says:

    (standing and clapping) great article.. I can’t wait to see what else you come up with. I immediately forwarded this onto my network services department 🙂

  42. James Risto says:

    Nice … I have a phrase now instead of a dumb (short) mess. I thought you were going to talk about smart cards … nice to know we don’t have to change infrastructure.

  43. Miguel Garrido says:

    Yes, it is a very interesting article, something I will probably be implementing in the near future.

  44. damien morton says:

    The entropy of the english language is around 2.1 bits/character. Assuming that a "random" string of upper/lower/numeric characters is compared with a passphrase, one would expect a "random" password to be as effective as a passphrase 3 times as long (assuming 6 bits/character in a random password). Of course, completely random passwords are even more of a pain than passphrases.

    I would suggest a lower limit of 20-25 characters on passphrases.

  45. Bert' says:

    sounds great….except when your network admin makes you change the pass phrase every month…now what phrase did I use this month… I better figure it out in 3 tries so I don’t get locked out.

    I would really like to see thumb readers or something like that used more..

  46. Matt says:

    Um. Am I missing something? Say this catches on… say we get everyone working with Pass-PHRASES (as you like to say), then the blackhat community simply adapt their attacks using ‘word’ elements instead of letter elements for the ‘password’, and 6 months down the line we’re more vulnerable than ever before.

    These phrases are only equivalent to random passes if they continue using the same tactics… that simply isn’t going to happen.

    Performing a brute-force attack using a language-dictionary (perhaps a rechristening of the term ‘dictionary attack’? ha ha) would be quicker and easier than performing the same attack on a 12 letter random password, as there are now only 4 or 5 elements to the pass-PHRASE that have to be guessed (even including case-sensitivity that’s not much), which would surely REDUCE security – as that’s equivalent to a random password of about length 4 or 5 (even taking into account the higher number of mathematical combinations possible with words, as the patterns produced aren’t 100% random (as all language obeys rules) you’re going to find you’re back to roughly the number of combinations used with letters).

    The only effective and 99% secure method (which isn’t exactly viable at this present moment) is face-recognition, combined with lip-synced voice-signature recognition alongside a real-life spoken passphrase. Place this alongside a bluetooth-vicinity card or USB-smart card and you’re getting pretty close to 100% secure.

    That’s my take. What more can I say? I’m sticking with random passwords for now.

  47. Robert Hensing says:

    So you’re talking about password guessing methods / tools which don’t exist yet. Sure what you say could be done. Security is a cat and mouse game. Sometimes you’re the cat, sometimes you’re the mouse. Right now you all are the mouse, I’m giving you one way you can become the cat for a little while until the miscreants figure out you’re using full-fledged sentences as your passwords. Then they will be forced to either:

    1. Write more sophisticated tools.

    2. Attack easier targets like all those Linux boxes you installed because it’s so much more secure . . .

    Seriously though – I’m not literally saying ‘just use sentences’ (I hope that wasn’t the key take-away). The point I’m trying to make in this post that perhaps was not made was ‘go for length over short complexity’ if given the choice. If given the choice of a highly complex, 8 char or less password, I’ll take the 16 character pass-phrase thank you. The pass-phrase doesn’t have to be a meaningful sentence. It can be random words . . . you can use substitution to increase the keyspace from 52 chars (a-Z, A-Z) to well over 72 chars (a-z, A-Z, 0-9, !@#$%^&*() ) which dramatically increases the time to crack.

    Just go for length people – short passwords suck.

  48. Matt says:

    Yeah, I agree about the length thing – I’d like to know what you think about this. I’m seriously interested in your response on this: http://dotnetjunkies.com/WebLog/darrell.norton/archive/2004/03/17/9362.aspx

    I’m not just trying to "make another point", I’m seriously interested.

  49. Robert Hensing says:

    Sure – character substitution (I like to call them 733t speak passwords <G>) is nothing new and LC4 and LC5 both have the ability to do it (i.e. try common substitutions when cracking like swap ‘a’ for ‘@’).

    So I agree with the author – for short passwords, this doesn’t necessarily buy you much more time so effectively, nowadays it’s not really all that great.

    For example if your password is ‘P@$$w0rd’

    LC4/5 will try

    password

    Password

    P@ssword

    P@$$word

    P@$$w0rd

    woot! It took LC5 a whopping 4 more attempts to crack that password based on . . . a WORD.

    The problem is, in this scenario that substitution is being used to try to strengthen a fundamentally weak password.

    And we’ve now come full circle. This link has actually helped prove my point. The author has rightfully pointed out that character substitution, designed to increase the entropy of a short password isn’t really all that helpful if the substitutions are done in a predictable way (i.e. common substitutions that can be programmed into a cracker).

    If the password had been a passphrase, however, like ‘My p@$$w0rd is super 733t, I’m so clever!’ LC5 would probably take approximately 1.7 million billion years to brute-force that because:

    1. It can’t find that password (or any of its permutations) in a dictionary so it must

    2. Revert to using brute-force to crack that.

    The point of my post is that with a password as long as the one I provide above, entropy doesn’t really matter anymore as you’ve made the password so long that it would take an un-realistic amount of time to crack it using brute-force or lookup tables . . . adding entropy to it (either true entropy or fake entropy via character substitutions) is probably just plain old overkill.

    I’ll leave it as an exercise to the readers to tell me how long it would take LC5 to brute-force: ‘My p@$$w0rd is super 733t, I’m so clever!’

  50. Sircarpediem CIRCA84 says:

    "The voice of reason has spoken". The complex is always so simple. I think that Matt, although having some points at this date and time, Robert you’re absolutely correct. We are far away (in technology yrs, which are months btw) from getting to the point of passphrase breaching, which one day will exist. Thing is, there are far too many machines to breach that WON’T EVER smell the coffee. (i.e. all the machines still using Windows 95, 98, 98SE and WEP users all banking, and doing life’s transactions with those OS’s with no antivirus even) Just far too many, and too much fun to resist. Robert, I admire the complexity of your common sense in this article, applause.

    Here’s something to think about too. I have clients that use Nod32 for their antivirus and it works for them. "Beats Symantec hands down" etc etc. Sure it does; for now that is. Just not commercial enough; what’s commercial is mostly going to be cracked. Here’s a quote, "For more than six years, NOD32 remains the only antivirus system in the world that has not missed any ‘In the Wild’ virus in the prestigious tests performed by the international magazine" – Virus Bulletin. This is true only because it’s not popular and no one is out to take it out. Let it do some advertising as the "#1 antivirus, and most secure in the world" on a national or international commercial. Take a month or less for it to be molested like an 8-yr-old in Michael Jackson’s bedroom. Might be happening as we speak, who knows? Everything is relevant. Nice article.

  51. Sonny says:

    I agree with Robert without reservations, having been doing exactly this for years. Further, as an IS professional it has been my recommendation for years as a best practice. No need to reiterate your argument. Side note to those commenting on time to authenticate, i.e. type a password… If you are a general user with moderate typing skills it still is not that big a deal. I set my screen saver to 3 minutes and use phrases, and am not the quickest of typists, yet still manage through it without locking myself out.

  52. Robert Hurlbut says:

    I have been advocating passphrases in my own security presentations, but I also recommended a variation of taking the first letter of the passphrase when the password length is < 10. But, as your article points out, that may still not be safe. And why do this when you have a large password length. Great advice!

  53. Barry Dorrans says:

    Until there’s smartcard logins that are supported across the net I’m not going to be content. Heck I want to persuade people to roll it out over the work AD, just so I don’t have to remember passwords, phrases or whatever.

    The problem is, of course, remembering. It gets worse when you have to change your password every month, so I’ve ended up defaulting to month!year!phraseWithNumber

  54. Drew says:

    I agree if these are domain accounts and smartcards aren’t in use.

    For stand-alone machines that will only have local logons* I’d recommend the other kind of not-password: a blank password. It lets anyone with physical access log on as you**, but won’t allow anyone to connect to the machine with your account over a network.

    *surely the 90% case in people’s homes

    **any box that an attacker has physical access to is ownzored anyway

  55. Drew says:

    I should have included this:

    "blank password == no net access" only for Windows XP and later releases.

  56. Jeremy Brayton says:

    Also one thing not mentioned but brought up in another blog is the use of " " (space).

    You can have a sentence with correct 1 character spacing, 3 characters, 5, 2, or literally 127 spaces and an A at the end. Good luck brute forcing that one.

    Passwords are cracked as a whole. You can’t crack a character at a time because of the way hashes are set up. So any time you can lengthen the password or phrase, the better your chances will be in the long run, even if it’s extra spaces. Using a non-uniform method of spacing is more ideal too, just in case crackers ever wise up and include some kind of spacing algorithms.

  57. John S. says:

    "except when your network admin makes you change the pass phrase every month…now what phrase did I use this month… I better figure it out in 3 tries so I don’t get locked out."

    Convince your admin that creating a stronger password complexity policy eliminates the need for a lockout policy. Lockout policies are essentially the easiest way to DoS someone. Try logging in as your admin or CEO 3 times locking them out, that usually gets the policy updated pretty quick.

  58. RHensing – *great* first post!

    Dana Epp – You are correct that completely random 42-character string would be harder to crack than a 42-character grammatically correct sentence made up of 14 words. I don’t think it follows that the latter is weaker than a random 14-character password:

    * The attacker does not know that there are 14 elements.

    * With the password, each element (character) comes from a set of approximately 100 characters (assuming ANSI). With the passphrase, even after you remove all the randomness each element (word) comes from a set of many thousands of possibilities. Throw a little character substitution in the mix and cracking just has no feasibility left.

    (I’m not a mathematician, though…)

  59. Andy Doyle says:

    What a great first post!

    *applauds*

  60. Jeremy C. Wright says:

    Fantastic. Blogged, subscribed, bookmarked, forwarded.

  61. Bill V says:

    Robert. Thanks for the Heads up. Certainly makes sense.

  62. Mike O'Connor says:

    Unfortunately, there are scalability limits on passphrases. The longer a passphrase is, the more likely it is that someone will make some mistake in typing it in, especially when they can’t see what they’re typing echoed on the screen. For every Japanese schoolgirl who can flawlessly type a trillion words a minute on the iMode phone they’re provided with in the womb, there’s an old manager fart with mildly arthritic hands to counterbalance it. Someone with a usability bent probably has done a lot of work figuring out what the right magic # is for such things, and I bet it’s <42. In other words, as with most ‘length’ arguments:

    "It’s not the meat, it’s the motion…"

  63. Greg Baker says:

    Great Article.

    Our 5300 user organization has been using pass phrases since April. We initially had scalability concerns but have yet to encounter any. The users and all of IT give the concept a big thumbs up. Many clumps of hair have been saved by all.

    As an FYI, Mark Minasi gave a presentation detailing this subject during his keynote on the Microsoft Security Road Show this spring.

  64. Tim Long says:

    I’m surprised that biometric devices are not much more prevalent (such as the U-are-U fingerprint scanners). These devices are both convenient and easy to use. They save a lot of time for the user and remove any temptation to write down a password.

    Robert’s advice about passphrases is actually very practical. Though it seems like a lot to type, the fingers become accustomed to it very quickly.

    The 128 character password limit is such a well kept secret that I’ve come across applications that actually forced me to have a shorter password because they wouldn’t allow me to enter a long enough string. Veritas Backup Exec 8, for example!

    –TPL

  65. Matt Palmer says:

    Very interesting, and I think it’s probably a good idea.

    However, I ran the pass phrases that Robert used through a word frequency analyser (just google around for one). Almost all the words he picked were in the top 1000 most common English language words. If you have a passphrase with 5 words, that gives you about 1000 billion variations, and that assumes that the word order is random. Since the phrases form sentences, there’s actually a lot less variation there, as many words are very common (top ten), and tend to follow each other in statistically significant sequences.

    Is this weaker than a 10 character password? Maybe. And remember, people will tend to choose pass phrases from popular culture, cool quotes, etc. Again, allowing attackers an in to the pass phrase.

    I think using pass phrases is *probably* a good idea, but we shouldn’t leap on it without examining it in much greater detail.

  66. JerimiahF says:

    I use a 256bit encrypted fingerprint reader to remember my passwords – the long ones – and as long as my finger is with me – the chances are 1 in 100,000 that someone has a print like mine.

    FBI uses like 7-8 points to ID a print – this thing uses upwards of a few dozen.

    http://www.digitalpersona.com

    Have fun (it’s optical BTW – not silicone like the old ones).

  67. Joe Hemmerlein says:

    Congrats, Rob, for your first blog 😉 I’ve also been using pass phrases for quite some time now, and I am totally satisfied. However, there are a few experiences I would like to share:

    1. After a while, the pass phrase isn’t as easy to type as it was in the beginning.

    I do not know if this is a personal thing, but as a tendency, it takes about 2 days for me to type the new phrase fluently (this is about the time I used to need to get used to a new password, too). Then it takes about another 30 days for me to start making typos. I call that "natural expiration" and when that happens, I usually change the phrase.

    2. Be careful with special characters

    Besides using multiple spaces and misspelling words in my pass phrase, I have also experimented with special characters (e.g. ALT+4322). One day, however, I had to connect to a TS in a different country, and the password kept being rejected. Even a clear text copy&paste failed. Things like these appear to happen when the phrase was set with one locale, and then entered with a different locale, while special characters are in use. Of course, it doesn’t appear with all chars.

    3. Smartcards

    If I have to log on to a system that has a smartcard reader installed and allows smart card logon, I use the card.

    Cheers,

    joe

  68. Jenni Merrifield says:

    Interesting and thoughtful commentary on passPHRASES vs. passWORDS.

    I do have to agree, though, with those who have commented on the fact that making them too long is subject to mistyping and (eventually) shortening due to the lazy factor. Also, for those of us using Tablet PCs, the need to enter pass-anythings using an on-screen graphical representation of a QWERTY keyboard, where every key (including SHIFT) must be tapped one-by-one, makes anything longer than 8-10 characters exceedingly unpleasant.

    You also mention, in one of your responses to some other feedback, that you only need to enter your pass phrase when you log in to the Domain. What about when using Remote Access Services and VPN? Or when using RPC over HTTP to access email on an Exchange server? Or for the tester who needs to log in to a couple of different testing machines each day? After all, not everyone only logs in at a desktop attached directly to the corpnet. 😉

  69. brad says:

    This seems like a band-aid over a deep wound. Won’t this eventually suffer the same problems RSA encryption has in the past (and will soon in the future)? Increased processing speed (or something nuts like quantum computing) is just going to make us increase the length again later. Soon, it will be 42 character passwords. Then 80 character passwords. And then we’re going to throw our PCs out the window because we’re tired of coming up with a new short story every month to access it.

    Is there a better method of approaching this? I know that, for the web, salting and md5-ing passwords makes the password increasingly more secure, but even that seems to be delaying the inevitable.

  70. [rux] says:

    "2. Attack easier targets like all those Linux boxes you installed because its so much more secure . . . "

    What did you mean by the above sentence ? Seriously …

  71. Hans says:

    Currently I’m using a binary string that’s comprised of only 1’s and 0’s and is about 20 characters for a password (in one instance only). I presume that this isn’t exactly safe, since it’s only 1’s and 0’s, but I thought I’d ask an "expert." So, are binary passwords safe, or do they have to be 40+ characters long?

    P.S. I don’t remember the number, I count on muscle memory/rhythm.

  72. Robert Hensing says:

    Your character set is extremely small (2 chars) but the attackers don’t know that (well they do now) so they have to assume at least a 62 character set when doing their brute-force attack. Given that you’ve made your password 20 characters long that helps overcome the lack of characters which I’m guessing makes this a relatively hard to crack password (for someone who doesn’t know you only have 1’s and 0’s in it). If someone configured LC5 to try only 1’s and 0’s I’m pretty sure this would crack fairly quickly.

    Consider using your traditional ‘binary’ password but padding it with some extra characters here and there to avoid getting pwnt. 🙂
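    The arithmetic behind three of the comments above, as an added example (not code from the original post or from any of the commenters): the 8-character-complex versus 16-character-phrase comparison in comment 49, the five-words-from-a-1000-word-vocabulary estimate in comment 65, and the 20-character binary password of comments 71 and 72. The character-set sizes follow the counts used in comment 49; the guess rate of one billion guesses per second is a constructed figure for illustration, not a measurement of LC4/LC5 or any other cracker.

```python
"""Password search-space calculator (added example, not the post's own code).

It puts numbers on the comments above: a search space is alphabet_size **
length, its "bits of strength" is log2 of that, and an attacker who does not
know the length must cover every shorter length as well. The guess rate
used in the report is an assumed, constructed figure.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes as comment 49 counts them.
MIXED_CASE = 52            # a-z plus A-Z
MIXED_DIGITS = 62          # a-z, A-Z, 0-9 (what comment 72 assumes an attacker tries)
MIXED_DIGITS_SYMBOLS = 72  # a-z, A-Z, 0-9 plus ten symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of exactly `length` symbols from an alphabet of
    `alphabet_size` symbols (e.g. 2 ** 20 for a 20-character 1s-and-0s
    password whose alphabet the attacker has guessed)."""
    if alphabet_size < 1 or length < 0:
        raise ValueError("alphabet must be non-empty and length non-negative")
    return alphabet_size ** length


def cumulative_keyspace(alphabet_size: int, max_length: int) -> int:
    """Strings of every length from 1 up to `max_length`: what a brute-force
    search must cover when the length itself is unknown."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(space: int) -> float:
    """log2 of a search space, the conventional 'bits of strength'."""
    return math.log2(space)


def passphrase_keyspace(vocabulary: int, words: int) -> int:
    """Word-level space for `words` words drawn independently from a
    `vocabulary`-word list: comment 65's worst case, where the attacker
    knows both the word list and the word count."""
    return keyspace(vocabulary, words)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def strength_report(guesses_per_second: float = 1e9) -> dict:
    """Bits and exhaustive-search years for the cases the comments raise."""
    cases = {
        "8 chars, 72-symbol set (comment 49)": keyspace(MIXED_DIGITS_SYMBOLS, 8),
        "16 chars, 52-symbol set (comment 49)": keyspace(MIXED_CASE, 16),
        "5 words, 1000-word vocabulary (comment 65)": passphrase_keyspace(1000, 5),
        "20 chars, attacker assumes 62 symbols (comment 72)": keyspace(MIXED_DIGITS, 20),
        "20 chars, attacker knows only 1s and 0s (comment 72)": keyspace(2, 20),
    }
    return {
        label: {"bits": entropy_bits(space),
                "years": years_to_exhaust(space, guesses_per_second)}
        for label, space in cases.items()
    }


if __name__ == "__main__":
    for label, row in strength_report().items():
        print(f"{label:55s} {row['bits']:6.1f} bits  {row['years']:.3g} years")
```

    The report makes comment 72's point explicit: the same 20-character string costs an attacker who assumes a 62-symbol alphabet on the order of 10^19 years at a billion guesses per second, but only a fraction of a second once the alphabet is known to be two symbols. Note also that 1000 ** 5 evaluates to 10^15, so the five-word case is a million billion candidates, still an order of magnitude below the 16-character mixed-case string.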

  73. Jojge says:

    I think you are 100% correct!