In a blog post titled "Why you shouldn't be using passwords of any kind on your Windows networks", Robert Hensing argues that the inclusion of password-cracking tools in recent worms and trojans illustrates the need for sturdier authentication schemes.
"Passwords are ridiculously easy to guess or crack," writes Hensing, a member of Microsoft's product support security team. "Worms like Agobot ... all ship with dictionaries of passwords numbering in the hundreds and they can easily replicate to a system that has a password in this word list, and the miscreants are really good at keeping these wordlists up to date with passwords that they've cracked from other systems."
"Passphrase LENGTH, not complexity defeats these attacks," writes Hensing. "Short, but complex passwords should be shunned, as they are not truly secure anymore and you are deceiving yourself if you think they are. Long passphrases (14 characters or more) are the future, and are the only way to go if you want to ensure that you won't get hacked via any type of password based attack of any kind."
The debate about password strength is not new, and multi-word passphrases have been in use for years in PGP and other encryption apps. Still, the observation from a Microsoft security manager that passwords are "not truly secure" is an attention-getter. Hensing notes that Windows 2000 and Windows Server 2003 support passphrases of up to 127 characters, including spaces and unicode characters. "This is, unfortunately, one of Microsoft's best kept secrets," he notes.
Some older Unix versions using the Data Encryption Standard (DES) only support passwords up to eight characters, or ignore any characters after the first eight. But most open source OSes have shifted to MD5 authentication, which allows an unlimited number of characters in passwords. Masc OS X also allows lengthy passphrases.
In network security, concepts and compliance tend to be different matters. While lengthy, complex passphrases are more secure, end users prefer passwords that are easy to remember and type.
"As security professionals, its easy for us to use insane passwords for protection," writes Dana Epps. "We are supposed to know better. But Alice in accounting just isn't going to follow it." Epps suggests an alternative method: select a passphrase, type out the first letter of each word, and any numbers and punctuation that come out of it. "You have a much more PRACTICAL passphrase that is 'good enough' for most networks. With a bit of user education, this can become extremely effective."
Even longer passphrases are not immune to crackers who are persistent with dictionary attacks, powerful processors and social engineering, as noted in the passphrase FAQ, which emphasizes that good passphrases should be obscure. "The short version on common phrases is don't use them ever," it advises. "Simple phrases will be the first ones checked. If you are a Star Trek fan, 'Beam me up Scottie' is a bad phrase to use. If you can find the phrase in any published work then don't use it."
Microsoft will have more to say on passphrases, according to Hensing, whose blog post has been widely discussed on mailing lists in recent days. "Given the overwhelming feedback from the readers I have decided to work with the right people internally to get passphrases documented in more formal/authoritative guidance up on the Microsoft web site," said Hensing.