[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Choosing good passwords - correction - pass phrases - THE OFFICIAL BLOG OF THE SBS "DIVA"
Mon, Jan 24 2005 21:14 bradley

Choosing good passwords - correction - pass phrases

Configure Password Policies

Using strong passwords is important, and configuring password policies to enforce strong passwords helps keep the Windows Small Business Server network secure. After you configure or change password policies, all users are required to change their passwords the next time they log on. The password policy options are as follows:

  • Password must meet minimum length requirements. This option determines the least number of characters that a password can contain. Setting a minimum length protects your network by preventing users from having short or blank passwords. The default minimum length is 7 characters.  [my note... I think we'll all agree that we're kicking this one up past 14 in our own consultant recommendations]
  • Password must meet complexity requirements. This option determines whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name and must contain characters from three of the following four categories:
    • English uppercase characters (A through Z)
    • English lowercase characters (a through z)
    • Numerals (0 through 9)
    • Nonalphanumeric characters (such as !, $, #, and %)
  • Password must be changed regularly. This option determines the period of time (in days) that a password can be used before the system requires the user to change it. The default maximum password age is 42 days.
  • Policies go into effect. You can specify when the policies take effect. The default is three days, but the range is "immediately" to seven days.

    You can choose to configure the password policies immediately or after a specified period of time. If you choose to configure password policies immediately, you must use strong passwords to log on to each client computer. You can simplify the process of setting up client computers by choosing to delay configuring the password policies until your configuration is complete. You will be able to work on the client computers without the password policy restrictions. If you use this option, choose to enable the policies after you have set up the client computers but before the users log on for the first time.
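The four options above, turned into a checker you can run against candidate passwords before a policy change goes live. This is an added example written for this post, not code from the SBS wizard or from Microsoft; the rules follow the option descriptions above, the way the account name is split into tokens is an assumption noted in the code, and the account names and passwords in the demo are constructed.

```python
"""Checker for the password-policy options listed above.

Added example for this post; it is not code from the SBS wizard. The rules
(minimum length, three of four character categories, no part of the account
name, maximum age) follow the option descriptions above. The sample account
names and passwords in the demo are constructed.
"""
import re
import string
from datetime import date, timedelta

DEFAULT_MIN_LENGTH = 7        # SBS wizard default quoted above
RECOMMENDED_MIN_LENGTH = 15   # the post's own "past 14" recommendation
DEFAULT_MAX_AGE_DAYS = 42     # default maximum password age quoted above

UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)


def categories_present(password):
    """Return the set of the four English categories the password draws from.

    Anything that is not alphanumeric (including a space) counts as
    'symbol'; letters outside A-Z/a-z count for none of the four categories,
    which is all the wording above commits to.
    """
    found = set()
    for c in password:
        if c in UPPER:
            found.add("upper")
        elif c in LOWER:
            found.add("lower")
        elif c in DIGIT:
            found.add("digit")
        elif not c.isalnum():
            found.add("symbol")
    return found


def contains_account_name(password, account_name):
    """'All or part of the account name', case-insensitively.

    The whole name is always checked. Splitting the name into tokens on
    space, comma, period, dash, underscore, hash and tab, and ignoring
    tokens shorter than three characters, is an assumption modelled on how
    Windows treats display names; the text above only says 'all or part'.
    """
    pw = password.lower()
    name = account_name.lower()
    if name and name in pw:
        return True
    tokens = re.split(r"[ ,.\-_#\t]+", name)
    return any(len(t) >= 3 and t in pw for t in tokens)


def check_password(password, account_name,
                   min_length=DEFAULT_MIN_LENGTH, complexity=True):
    """Return the list of violated rules; an empty list means 'accepted'."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if complexity:
        cats = categories_present(password)
        if len(cats) < 3:
            problems.append(f"only {len(cats)} of 4 character categories")
        if contains_account_name(password, account_name):
            problems.append("contains part of the account name")
    return problems


def password_expired(last_set, today, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """True once the password is older than the maximum age (in days)."""
    return today - last_set > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed samples: account name, candidate password, minimum length.
    samples = [
        ("jsmith", "Tr0ub4dor&3", DEFAULT_MIN_LENGTH),
        ("jsmith", "jsmith2005!", DEFAULT_MIN_LENGTH),
        ("John Smith", "Smith!2005x", DEFAULT_MIN_LENGTH),
        ("jsmith", "password", DEFAULT_MIN_LENGTH),
        # a long all-lowercase passphrase clears the length bar but not the
        # three-of-four rule unless you capitalise or punctuate it
        ("jsmith", "correct horse battery staple", RECOMMENDED_MIN_LENGTH),
        ("jsmith", "Correct horse battery staple!", RECOMMENDED_MIN_LENGTH),
    ]
    for account, pw, min_len in samples:
        verdict = check_password(pw, account, min_length=min_len) or ["accepted"]
        print(f"{account!r:14} {pw!r:34} {', '.join(verdict)}")
```

The last two samples show the catch with passphrases under the complexity option: a 28-character lowercase phrase is rejected for drawing on only two categories (lowercase letters and the space), so a passphrase policy still needs a capital letter or punctuation somewhere, or the complexity option switched off in favour of a high minimum length.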

    P.S.  remember though...stop thinking passwords...think passphrases!!


# Passwords vs Passphrases

Tuesday, January 25, 2005 3:44 AM by TrackBack

# re: Choosing good passwords - correction - pass phrases

Tuesday, January 25, 2005 11:50 AM by bradley

Don't be misled by anyone who suggests that the basic requirements of a strong password or using passphrases is going to prevent you from being cracked.

The main reason why people are cracked quickly and particularly over a network connection is because they're PREDICTABLE.

Yes.
If MS says for you to do something, it might get you past the point of being stupidly crackable, but it will still make you PREDICTABLE.
If I tell you to do something, if the cracker has foreknowledge of that information, it makes you PREDICTABLE.
If you construct your password like 99% of the rest of the world, you're PREDICTABLE.
If you use a default password, you're PREDICTABLE.
If you use a password which is used so often it's in a cracker's dictionary, you're PREDICTABLE.

So why does a hacker depend on predictableness? Because it means that he doesn't have to try every possibility. Because it means that he can throw out the 16 million or more possibilities of a "Strong Password" and crack your password within a few hundred or thousand tries by simply applying some rules based on PREDICTABILITY.

Why a Passphrase can suck and Strong Passwords aren't always so strong would take more than I'll want to post to a Blog, but if you make passwords according to the following you'll probably be plenty resistant to cracking.

- Longer than 15 characters. Better yet, longer than 23.
- At least 2 of the 4 categories. 3 is not really critical, but can help and everything helps especially if the password doesn't change often or is critically important.
- Use at least one non-romantic language word. Know Russian? Arabic? Hebrew? Thai? Good stuff to include in a <long> password.
- Don't reference any information about you or your business such as addresses, dates, phone numbers, SSIDs, driver's licenses, hobbies and more. Although those might not be tried by a wide-ranging attack, all those items are easily discovered on the Internet and can be added to a cracker's dictionary if he's intent on just cracking <you>.

And, implement good password policy:
Change Passwords often. 42 days should be considered minimally sufficient. Monthly or better is <very> much preferred if your Users can tolerate it.
Impose good History. Especially if your password effectiveness is long, make sure they're not used, maybe in the same year.
"Three Strikes and you're Out!" - Don't let crackers hammer on you all day long. Limit consecutive failures before enforcing a timeout. I know a couple businesses who won't even tolerate one failure before lockout.

Tony
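The "three strikes" lockout Tony describes, as a small tracker that also covers the zero-tolerance variant he mentions. This is an added example, not code from the post or from Windows; the three knobs (failure threshold, the window after which the failure counter resets, and how long the lock lasts) mirror the Windows Account Lockout Policy settings, while the class and field names and the event stream are constructed for this example.

```python
"""Account-lockout tracker for the "three strikes" policy in Tony's comment.

Added example, not code from the post or from Windows. The three knobs
(failure threshold, the window after which the failure counter resets,
and how long the lock lasts) mirror the Windows Account Lockout Policy
settings; the class and field names and the sample event stream are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 3                              # consecutive failures allowed
    reset_after: timedelta = timedelta(minutes=30)  # older failures stop counting
    duration: Optional[timedelta] = timedelta(minutes=30)  # None: until an admin unlocks


class AccountLockout:
    def __init__(self, policy):
        self.policy = policy
        self._failures = {}      # account -> (count, time of last failure)
        self._locked_until = {}  # account -> datetime, or None for indefinite

    def is_locked(self, account, now):
        """True while the account is locked; an expired lock is cleared here."""
        if account not in self._locked_until:
            return False
        until = self._locked_until[account]
        if until is None or now < until:
            return True
        self.unlock(account)
        return False

    def record_failure(self, account, now):
        """Count a bad password; returns True if this failure locked the account."""
        count, last = self._failures.get(account, (0, None))
        if last is not None and now - last > self.policy.reset_after:
            count = 0  # the observation window lapsed, start counting again
        count += 1
        self._failures[account] = (count, now)
        if count >= self.policy.threshold:
            d = self.policy.duration
            self._locked_until[account] = None if d is None else now + d
            return True
        return False

    def record_success(self, account):
        """A good password clears the running failure count."""
        self._failures.pop(account, None)

    def unlock(self, account):
        """Administrative (or automatic, after the duration) unlock."""
        self._locked_until.pop(account, None)
        self._failures.pop(account, None)


def replay(events, policy):
    """Run (time, account, password_ok) events through the policy.

    Returns one outcome per event: 'accepted', 'rejected' (bad password) or
    'locked' (refused without even checking the password, right or wrong).
    """
    tracker = AccountLockout(policy)
    outcomes = []
    for when, account, password_ok in events:
        if tracker.is_locked(account, when):
            outcomes.append("locked")
        elif password_ok:
            tracker.record_success(account)
            outcomes.append("accepted")
        else:
            tracker.record_failure(account, when)
            outcomes.append("rejected")
    return outcomes


# Constructed event streams: a burst of guesses, then the real user.
T0 = datetime(2005, 1, 25, 12, 0, 0)
GUESSING_BURST = [
    (T0, "jsmith", False),
    (T0 + timedelta(seconds=1), "jsmith", False),
    (T0 + timedelta(seconds=2), "jsmith", False),   # third strike: locked
    (T0 + timedelta(seconds=3), "jsmith", True),    # right password, still refused
    (T0 + timedelta(minutes=31), "jsmith", True),   # lock expired
]
SLOW_GUESSES = [
    (T0, "jsmith", False),
    (T0 + timedelta(minutes=31), "jsmith", False),  # counter reset in between
    (T0 + timedelta(minutes=62), "jsmith", False),
    (T0 + timedelta(minutes=62, seconds=1), "jsmith", True),
]

if __name__ == "__main__":
    policy = LockoutPolicy()
    print(replay(GUESSING_BURST, policy))
    print(replay(SLOW_GUESSES, policy))
```

The second stream shows why the reset window matters: a guesser who spaces attempts beyond it never trips the threshold, so the window has to be long enough to catch a slow online attack. The flip side, worth weighing before copying the one-failure setting Tony mentions, is that anyone who can submit bad passwords for a known user name can lock that user out, so the lock duration decides how much denial of service you are willing to hand an attacker.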


# Group Policies anyone?

Friday, September 16, 2005 1:01 PM by TrackBack