Sunday, December 14, 2014

TEN MYTHS ABOUT PASSWORDS IN WINDOWS

Despite all the advances in security technology, one aspect remains constant: passwords still play a central role in the security of the system. The problem is that too often they are the easiest security mechanism to defeat. Despite the fact that there are technology and policy to make passwords stronger, still have to deal with the human factor. It's no secret that users often use as passwords friends' names, nicknames animals, etc. The main objective is to enable users were strong passwords. However, it is not always clear how to achieve this. The problem is that our actions are too predictable. For example, in the list of totally random words invented by the common man, certainly showed some general law. Selecting good passwords requires education. This knowledge, system administrators, and should be extended to the end users. Perhaps this article will help you understand the use of passwords in Windows XP (the entire family of the OS) ... So: Myth №1: password hashes are quite reliable when using NTLMv2 Many readers will be familiar with the weakness of password hashes LanManager (LM), which made so popular L0phtcrack. NTLM made ​​hashes somewhat stronger by using a longer hash and different characters in upper and lower case. NTLMv2 is more perfect, with a 128-bit key space and using separate keys for message integrity and confidentiality. Furthermore, it uses HMAC-MD5 algorithm for higher integrity. However, Windows 2000 still often sends LM and NTLM hashes over the network and NTLMv2 is vulnerable to attack during transmission (also known as replay). And, because password hashes LM and NTLM is still stored in the registry, and you are vulnerable to attacks against the SAM. It will still take some time until we finally free ourselves from the constraints of LanManager. Until then, it is not necessary to hope that your password hashes are reliable. Myth №2. Dj # wP3M $ c - best passwordconventional myth that totally random passwords obtained using a password generator - the best. This is not quite true.While they may in fact be strong passwords, they are usually difficult to remember, slow and nabiraemy sometimes vulnerable to attacks against the password generating algorithm. It is easy to create passwords that are resistant to cracking, but harder to create such passwords memorable. There are several simple steps. For example, consider the password "Makeit20@password.com". This password is used letters in upper and lower case, two digits and two letters. Password length to 20 characters, but it can be stored with minimum effort, perhaps you have already involuntarily remembered.Moreover, this password is typed very fast. As part of the "Makeit20" alternate on the keyboard left and right hands, which increases the speed dial, reduces the amount of typing errors and reduces the chance that someone will be able to peek your password, watching the movements of your fingers (long established lists of English words, alternate keys for right and left hand, which is convenient to use as part of your password. For example, a list of eight thousand of these words can be found on http://www.xato.net/downloads/lrwords.txt ) The best technique for creating complex, but easy to remember passwords - use data structures that we are accustomed to remembering. Such structures also make it easy to include punctuation characters in the password, as in the example addresses e-mail, used above. Other structures that are easy to remember - it's phone numbers, addresses, names, file paths, etc. Please note some elements that allow us to simplify the memorization.For example, patterns, repetition, rhymes, humor, and even rude (including obscene) words creates passwords that we will never forget. Myth №3. 14 characters - Optimal Password Length With LM, password hashes were split into two 7-character hash. This actually makes the passwords more vulnerable because a brute force attack (brute-force) can be applied to each half of the password at the same time. That is, a length of 9 characters passwords are divided into one-character hash 7 and one two-character. Obviously, cracking a 2-character hash did not take long, and the 7-character part is usually cracked within hours. Often a short piece can greatly facilitate breaking long fragment. Because of this, many security professionals determined that optimal password length is 7 or 14 characters, corresponding to the two 7-character hashes. NTLM improved the situation by using all 14 characters to store the password hashes. Although it did make things better, but the dialog box NT limit passwords to a maximum of 14 characters; thus defining passwords of exactly 14 characters for optimal security. But everything is different in the newer versions of Windows. Passwords in Windows XP and 2000 may have a length up to 127 characters, thereby 14 symbols will not be limiting. Moreover, one small fact open onto Urity SecurityFriday.com, is that if the password is 15 or more characters, Windows stores correctly even LanMan hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash to nothing lead. Taking this into account, the use of passwords longer than 14 characters may be good advice. But if you want to make mandatory the use of such long passwords using group policy or security templates, you will encounter difficulty - nothing will enable you to set the minimum password length to 14 characters. Myth №4. J0hn99 - A good passwordAlthough the password is "J0hn99" passes on the complexity of the requirements of Windows, it is not as complicated as it seems at first glance. Many programs, password crackers have rules that can try millions of word variants per second.Replacing the letter "o" with the number "0" and adding a couple numbers - is nonsense for such programs. Some programs even check-crackers set of methods that are commonly used users, allowing them to pick up even a fairly long and, at first glance, successful passwords. The best approach - to be less predictable. Rather than replacing "o" to "0", try replacing "o" two characters "()", as in "j () hn". And, of course, extending your password, you increase its stability. Myth №5. Any password will sooner or later be broken. Although a password can be opened in several ways (eg, via "keylogger" or through social engineering), however, there are ways to create passwords that can not be cracked in a reasonable time. If the password is long enough, his hacking take so long or require so much processing power that is essentially the same thing as if it was uncrackable (at least for most hackers). Of course, in the end, any password can be cracked, but it can happen and not in our lifetime, or even during the life of our great-grandchildren. Thus, if, of course not the Government hacking away at your passwords, chances are you are very high. Although perhaps achieve computer technology may one day make this myth a reality. Myth №6. Passwords should be changed every 30 days. Despite the fact that it is - good advice for some passwords with a high degree of risk, it does not fit the average user. Requiring frequent password changes often causes users to develop predictable patterns in their passwords or use other means that will actually decrease their effectiveness. Man in the street does not like constantly think of and remember new passwords every 30 days. Rather than limiting password age, it is better to focus on stronger passwords and better user awareness. Suitably, the time for the average user, - from 90 to 120 days. If you give users more time, it will be easier to convince them to use more complex passwords. Myth №7. You should never write your password Although this is good advice, sometimes it is necessary to write down passwords. Users feel more comfortable creating complex passwords if they are confident that they can read it in a safe place if you suddenly forget. However, it is important to educate users on how to properly write down their passwords.The sticker on the monitor - it is certainly silly, but storing passwords in a safe or lock box may be sufficient. And do not neglect security when it comes time to throw out the paper with the old password: remember many major hacking occurred precisely because of the fact that hackers are not too lazy to look through garbage in search of the organization recorded passwords. It may be an idea to allow users to store passwords in software utilities for storing passwords. These tools allow the user to store multiple passwords in one place, close the main master password. But if someone learns the master password, you will have access to the complete list of all passwords. So, before you allow users to save passwords in such a place, consider the risks: first, this method software, and therefore vulnerable to attack, and secondly, because everything is kept on a single master password, it can become a single point for the global failure of all passwords of all users. Best practice - to combine technology, physical security, and company policy. In addition, passwords can be simply be documented. There is nothing unusual in a situation where the system administrator is ill or retired. A number of organizations - the only person who knew all the passwords, including the password server. So sometimes you have to even approve writing passwords, but only when it is really necessary and well thought out. Myth №8. The password can not contain spaces Despite the fact that most users do not use it, Windows XP allows you to use spaces in passwords. In fact, if you can see this symbol on Windows, you can use it in a password. Consequently, the gap - quite valid password characters.However, because some applications trim spaces, it is better not to begin or end your password with a space. Spaces are easier for users to create more complex passwords. As the gap between the words can be used, its use can give users a real possibility to use long passwords of several words. Generally, space is a very interesting situation, it does not fall into either category password complexity requirements Windows. This is not a figure and not the letter, and not even considered a symbol. Thus, if you want to make your password more complex, the gap is no worse than any character and in most cases does not reduce the complexity of passwords. But I would say about one major drawback associated with the use of space - its key issues by clicking a unique sound, that with nothing to confuse. It's not hard to hear when someone uses a space in their password. In general, use spaces, but do not abuse it. Myth №9. Always use Passfilt.dll Passfilt.dll - library, forcing users to use stronger passwords. In Windows, this is done through a policy of "Password must meet complexity requirements."Although it is often a good policy, some users may find it frustrating when their passwords are rejected as insufficiently complex. Even experienced administrators have likely had to enter multiple passwords until one of them does pass complexity requirements. Sorry users certainly will not express support for the address of your password policy. If you see that users do not like complexity requirements, perhaps, the best way is to require long passwords instead of this policy. If you do the math, you'll see that the 9-character password consisting of lowercase letters, about the same complexity as the 7-character password that uses letters as lower and uppercase and numbers. The only difference is how the password cracking software handles different character subsets; some brute-force crackers have sorted all combinations of letters in lower case before use numbers and other symbols. Another option - to take the Platform SDK sample in the directory \ samples \ winbase \ Security \ WinNT \ PwdFilt \ and change it so that it is more forgiving with password selection. You can also teach users how can complicate passwords, and tell them some ideas for this. Myth №10. Use ALT + 255 for the Strongest passwordconsider the use of characters with large ASCII-code for a final complication password. These characters can not normally be typed on a keyboard but are entered by holding down the ALT key and a set of ASCII-code on the numeric keypad. For example, ALT-sequence 0255 creates a character. Despite the fact that in some situations it is useful also be considered disadvantages. Firstly, holding down the ALT key and set the numeric keypad can be easily observed by others. Second, creating such a character requires five keystrokes that you need to remember and then enter it each time you set a password. Perhaps it would make sense to create a password to five characters longer, which would actually make your password much stronger for the same number of keystrokes. For example, a 5-character password created characters with a lot of ASCII-code will require 25 keystrokes. Given the 255 possible codes for each character, and only five characters, the total number of combinations of 255 ^ 5 (or 1,078,203,909,375). However, the 25-character password created only lower-case letters has 26 ^ 25 (or 236,773,830,007,968,000,000,000,000,000,000,000) possible combinations. Obviously, it is better to create longer passwords. Another point that is worth considering - some laptop keyboards make it difficult to enter the numeric keypad and some command-line utilities do not support characters with large ASCII-code. For example, you can use the character ALT + 0127 in Windows, but will not be able to type it on the command line. Conversely, some character codes such as Tabs (ALT + 0009), LineFeeds (ALT + 0010) and ESC (ALT + 0027) can be used when dialing from the command line, but can not be used in dialog boxes Windows (that it may be desirable side effect in some rare cases).However, there are some cases where it is useful to use the extended character codes. If you have sensitive service or local administrator, which are rarely used, sometimes the extended character deserves a few extra keystrokes. Since few password crackers have rules set up to handle extended characters, that may be enough to make the password very difficult to crack. But in this case does not stop with high ASCII-code: there is a little known fact, which consists in the fact that you can actually use the full range of Unicode characters, which has 65,535 possible characters. However, such a character as ALT + 65206 is not as stable as the equivalent number of keystrokes using regular characters. Finally, pay attention to the use of non-breaking space (ALT + 0160) in a set of wide characters. This character appears as a space and can often fool those who are somehow saw your password. For example, say that an attacker could install a keylogger on your system. If you use a non-breaking space in your password in the log file it will look like a regular space. And if the attacker does not know about non-breaking space, and without seeing the actual ASCII-code, his password, which he hoped would not give him anything. But many people do not know about the existence of this character, though, it seems, after reading this article will already know. Conclusion Some may disagree with some given moment, but they do not claim to be the ultimate indisputable truth. This was not the purpose of writing this article. Myth - a half-truth. Many of the myths that are criticized, were once great advice, or even still are those in specific cases. But for many of these tips have become a set of rigid, fixed rules to be applied at all times. But any advice about passwords, including quoted in this article - no more than just advice. You must decide what rules you are suitable and which are not. Perhaps the largest and most erroneous myth of all and is that there is one strict rules on passwords. Sometimes John99 - a good password and sometimes passwords must be changed more frequently than once a month. Some passwords, for example, the administrator need much greater protection than the other - the user.

2 comments: