SlackR


Windows 2000 Complex Passwords

We are an Active Directory network and are about to implement a password policy.  In this policy we have decided to go with Complex Passwords.  My question is this:  According to Microsoft's description of Complex Passwords, Passwords must meet the following minimum requirements: Not contain all or part of the user's account name.
How many letters do they mean? 2 consecutive letters?

I want to warn my users of the change and would like to know the answer to this before they ask.

Any help is appreciated.
Flash828:

The password cannot contain your entire username, or any part of your full name (where a part is defined as your first name as one part, middle name as another part, and last name as the last part)
The best passwords should not be dictionary words ( IE: words you might find in a dictionary :-) ) or names of people, places, events or use any part of a user's login account name or his job function.

You'll want your users to pick passwords that are a combination of lower and uppercase letters/numbers and have a length of either 7 or 14 characters exactly.

Of course these are "best" case passwords and no one I know has ever got anyone to follow those rules.


Good Luck :-)
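To make the "all or part of the user's account name" rule concrete, here is an added checker that is not code from this thread or from Microsoft. It follows the behaviour Microsoft documents for the built-in complexity filter: the whole samAccountName is rejected if it appears in the password (the check is skipped when the name is shorter than three characters), the displayName is split on commas, periods, hyphens, underscores, spaces, pound signs and tabs, and every resulting token of three or more characters is rejected if it appears in the password; comparisons are case-insensitive, and at least six characters from at least three character classes are required. The account name WGates and display name "Bill Gates" are constructed test values. Note what the documented filter does not do: it looks for contiguous substrings only, so a reversed or symbol-substituted name passes the name check and has to be caught by the other rules or by user education.

```python
"""Added example: Windows-style "password must meet complexity requirements" check.
Constructed to illustrate the documented filter behaviour; not Microsoft's code.
"""
from __future__ import annotations
import re

# Delimiters Microsoft documents for splitting displayName into tokens
DELIMITERS = re.compile(r"[,.\-_ #\t]+")
MIN_LENGTH = 6      # documented minimum length for the complexity rule
MIN_CLASSES = 3     # at least three of the five character classes
MIN_TOKEN = 3       # name parts shorter than this are ignored by the filter


def name_tokens(display_name: str) -> list[str]:
    """Split a display name on the documented delimiters; keep tokens of MIN_TOKEN+ chars."""
    return [t for t in DELIMITERS.split(display_name) if len(t) >= MIN_TOKEN]


def character_classes(password: str) -> int:
    """Count the classes present: upper, lower, digit, non-alphanumeric, caseless letter."""
    present = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
        # letters without case (e.g. CJK) are the fifth class in the real filter
        "other": any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    }
    return sum(present.values())


def check_complexity(password: str, sam_account_name: str, display_name: str = "") -> list[str]:
    """Return the reasons a password fails the rule; an empty list means it passes."""
    reasons: list[str] = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    # Whole account name, case-insensitive, only when the name has 3+ characters
    if len(sam_account_name) >= MIN_TOKEN and sam_account_name.lower() in lowered:
        reasons.append(f"contains the account name {sam_account_name!r}")
    # Each 3+ character part of the display name, case-insensitive
    for token in name_tokens(display_name):
        if token.lower() in lowered:
            reasons.append(f"contains display-name part {token!r}")
    return reasons


if __name__ == "__main__":
    # Constructed test user: account WGates, display name "Bill Gates"
    for candidate in ["12wgAtEs12", "frontgates56", "w!NgaTes1988", "00wg@tes))", "+setagw)(*^"]:
        print(candidate, "->", check_complexity(candidate, "WGates", "Bill Gates") or "OK")
```

So the answer to "how many letters?" under the documented rule is: the entire account name, plus any three-or-more-character part of the display name, matched as a contiguous, case-insensitive substring.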
7 or 14 letters doesn't apply in Windows XP, because LANMAN passwords where the hash ends on 8 byte intervals are no longer used.  Windows passwords are more secure the more letters you have.
That ended with Windows 2000
I usually add a few brackets [ ] and couple question ? marks some slashes / and a few favorite Alt-characters, which I won't mention.  Most password crackers have these characters as part of larger character sets and it takes a helluva lot more time, like years more.  But don't break up words using them, e.g. w?o?r[d, because this is pretty easily cracked by a dictionary/brute hybrid.  I typically recommend a 14 or 15 character password with a couple of Shift and/or Alt characters as a rule of thumb.  And as mentioned no dictionary words.  And never the userid at all, that is the first thing LC4 will do, try to crack the password with variations of the userid.  
 
Because Microsoft uses 2 methods of storing passwords, LM and NTLM, it's best to use passwords that are at least 15 characters if you can.  This forces NT to use NTLM for storing the passwords and stores a bogus hash in the easily cracked LM hash.

"If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail."

"With this in mind, going longer than 14 characters may be good advice. But if you want to enforce very long passwords using group policy or security templates, don't bother - neither will allow you to set a minimum password length greater than 14 characters."

Ten Windows Password Myths: -> VERY GOOD READING
http://www.securityfocus.com/infocus/1554/ 

Eliminate LAN Manager Hashes
http://atomic.quilogy.com/default.aspx?storyid=pwd2
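The two points above (a 15+ character password leaves the constant AAD3B435B51404EEAAD3B435B51404EE in the LM field, and the "Eliminate LAN Manager Hashes" advice) can be verified on your own accounts after the policy change. The following is an added example, not code from this thread or from any of the linked articles: it reads pwdump-style lines (`user:rid:lmhash:nthash:::`, the format the pwdump family emits) and reports which accounts still have an LM hash stored, which of those have a password of seven characters or fewer (the second LM half then equals the empty-block constant AAD3B435B51404EE, because LM hashes each 7-character half independently), and which have an empty password (NT hash 31D6CFE0D16AE931B73C59D7E0C089C0, the MD4 of the empty string). The sample dump is constructed; apart from the two well-known constants, the hash values in it are made up.

```python
"""Added example: audit a hash export for LM-hash exposure. Constructed sample data;
not the thread's or any tool's own code."""
from __future__ import annotations

# Well-known constants (real values): LM of an empty 14-char block, twice, and NT of ""
NULL_LM = "AAD3B435B51404EEAAD3B435B51404EE"
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"
LM_HALF_EMPTY = NULL_LM[16:]   # hash of an all-null 7-byte half

# Constructed sample in pwdump format; non-constant hashes are made-up filler
SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
wgates:1001:FEDCBA9876543210FEDCBA9876543210:89ABCDEF0123456789ABCDEF01234567:::
svc_backup:1002:FEDCBA9876543210AAD3B435B51404EE:89ABCDEF0123456789ABCDEF01234567:::
"""


def parse_dump(text: str) -> list[dict]:
    """Parse user:rid:lm:nt::: lines into records; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed line: {line!r}")
        records.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].upper(),
            "nt": parts[3].upper(),
        })
    return records


def classify(record: dict) -> list[str]:
    """Return the weaknesses visible from the stored hashes alone."""
    findings = []
    lm, nt = record["lm"], record["nt"]
    if len(lm) != 32 or len(nt) != 32:
        return ["unexpected hash length"]
    if nt == EMPTY_NT:
        findings.append("empty password")
    if lm != NULL_LM:
        # Any non-null LM field means LM storage was on and the password was <= 14 chars
        findings.append("LM hash stored (password 14 chars or less, LM storage enabled)")
        if lm[16:] == LM_HALF_EMPTY:
            findings.append("second LM half is the empty-block constant: password is 7 chars or less")
    return findings


def audit(text: str) -> dict[str, list[str]]:
    """Map each account name to its findings (empty list = nothing visible)."""
    return {r["user"]: classify(r) for r in parse_dump(text)}


if __name__ == "__main__":
    for user, findings in audit(SAMPLE_DUMP).items():
        print(f"{user:14s} {'; '.join(findings) or 'no LM exposure'}")
```

Run against a real export after enabling the NoLMHash setting, this confirms that the LM field has actually become the null constant: the setting only takes effect for each account at its next password change, so accounts that have not rotated still show up with an LM hash stored.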
Holy jeesus.  Creating a password policy of minimum 14 characters is a surefire way to get fired.
<<Comment from Flash828  03/11/2003 02:26AM PST  
Holy jeesus.  Creating a password policy of minimum 14 characters is a surefire way to get fired.>>

LOL.  Yes, I imagine it would at many companies depending on the industry.  But I think that is about to change, security is becoming a very serious issue.  You are correct though, I became focused on the ideal situation and failed to mention that typically 8 characters is the norm.  
ASKER CERTIFIED SOLUTION
ecims

SlackR (asker):

Thanks Ecims,

I have been looking for a Link like that for a few days now, that is what I needed.
Good Links Ecims, thank you !

I did not know about the "greater than 15 creates null hash" finding.

Still, since I can't enforce it, I know it won't be used by most folks. So I tend to spend more time on stopping anyone from getting the hashes in the first place. ( got more control over that :-) )
Where do I begin... I beg to differ with the ALT codes as mentioned in the SecurityFocus article.

14 chars are good, Alt chars are better, no matter the length. I have been cracking a 1 char password for over 1 year, and still haven't got it :) Anyone is free to try and prove me wrong. (non-stop brute force btw- l0pht and john quit after 17 days of running, exhausted all combinations)

Holding ALT and then typing a number between 0-255 on the number pad on the right of the keyboard will sometimes result in an "unbreakable" password. Alt-255 is one of the better alt codes. Some can be found.

Now the problem with these passes- They cannot be sent over http, and various other apps and programs. This phenomenon only applies to NT passes. So if you try to log into a box using VNC through Internet Explorer, you cannot send your Alt chars through, nor logon to webmail with that type of pass. There are many pitfalls to the Alt codes, you cannot start a service with an account that uses an alt code, unless that account is logged on interactively.... the cmd line much more.

Now- "If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail."
not true... most crackers know of the NULL hash.. c'mon, they just say NULL- also Windows truncates the password, not make it null. If you don't have a SP4 on NT, your password of "ilikeverygaymen" would only actually be "ilikeverygayme"- what you mentioned only applied to LM, and NTLM doesn't suffer from the same thing, NTLM would store the entire pass up to 127 chars.
M$ also has about  different authenticating mechanisms.
LM (not case sensitive), NTLM (case sensitive) [these two are the default on nt/2k/xp- they are stored in the SAM, 2k/xp have the ability to not store the LM hash, but the NTLM is still there]
NTLMv2 (case sensitive)
Kerberos (case sensitive, time stamped etc..)

I will tell you why alt codes, especially 255, won't get cracked- John the Ripper, and l0pht both think that the Alt+255 password I used, is actually 3 chars. That's the problem. I type ALT+255 and see only 1 asterisk (*), that char is unprintable, there is no char associated with that code (typically). 1 asterisk, and l0pht and John think there are 3... there must be something in the way that windows handles unicode strings and then the way it encrypts them. I dunno, I have used all the crackers out there, made changes to the code of the ones I've used for years, and can't get the 1 char pass :)

I can go on and on- These are my recommendations- similar to those mentioned above:
Use Spaces- they are legit, and do not contribute to the password's weakness.
Use MixEd CASe passwords
Minimum length should be 8-10, most users can't even handle that...:p
Tell your users of substitution- !l0v3YuO 3@+m3 r@w g##dPA$$2h@v3!) (iloveyou eatme raw goodpass2have!) )
LM is what is weak, NTLM is 2 steps in the right direction but still weak, LM might as well not even be there...
Using tools like pwdump3e.exe will dump the SAM- with the LM and NTLM hashes.

And to the point finally, if your username was:
WGates
These would not be acceptable passes:
12wgAtEs12
w!NgaTes1988
frontgates56
+setagw)(*^  [backwards]

you should experiment, and you can adjust certain values.
Although a substituted one would go- 00wg@tes)) would work.
GL
-N30
NTLM did suffer from the truncating before sp4 I believe.. should have been clearer- and I think I may be in trouble: https://www.experts-exchange.com/questions/20540918/Anyone-ever-use-Cain-to-crack-a-pwl-file-sucessfully.html
-NEO
Hmmmmm....this is why I spend more time on protecting the "hash" than on worrying about what password billybob down in the warehouse uses to logon with. Who can remember all this stuff all the time or even try to get folks to follow these rules (can you say " service vendor" kiddies :-) )

<<Comment from NEOsporin  03/11/2003 05:58AM PST
"What you mentioned only applied to LM">>

Yes I'm aware, that's why the quote says "LM hash".  The article clearly explains that NTLM does not suffer the same constraint.

<<Comment from NEOsporin  03/11/2003 05:58AM PST "the problem with these [Alt] passes- They cannot be sent over http, and various other app's and programs.">>

I agree, that's a very good point.

Regarding LC4, as I recall the only way to crack Alt codes in LC4 or John the Ripper is to use the Custom character feature under Brute Force Crack and add them in manually or add them to a custom dictionary.  None of the pulldowns in LC4 offer Alt codes, so if you have not created a custom dictionary with Alt codes or added them to your Custom Character Set then that would explain your inability to crack a 1 character password, which is easily done with the correct ascii dictionary.
http://www.asciitable.com


"A general rule of thumb is that an acceptable password should not be capable of being broken by a brute-force attack in less than the expected lifetime of the password.  An eight-character randomized password with mixed case letters will provide adequate protection only if the password is changed at least once every three months. "

For those interested:
Below is an excellent article on what the implications are of different passwords and how long it takes to crack an 8 character password based on the character set used.

****** Combating the Lazy User: An Examination of Various Password Policies and Guidelines ******
http://www.sans.org/rr/authentic/lazy_user.php