A password (from the French parole, "word") is a secret word or string of characters used to confirm identity or authority. Passwords are commonly used to protect information from unauthorized access, and most computer systems authenticate a user with a username/password pair.
Security technologies improve constantly, but one thing that plays a central role has not changed: the reliance on passwords. It has long been known that people tend to pick the names of loved ones, pet names, dates of birth and the like as their passwords.
The real problem is getting users to choose strong passwords, and it is not at all obvious how to do that. Even a list of supposedly random words that an ordinary person invents has patterns in it, so the choices can be predicted. A policy for choosing strong passwords therefore needs careful thought, and system administrators should train their users accordingly. Let us look at some of the common misconceptions about Windows passwords.
With NTLMv2, the password hashes are strong enough. The weakness of the LanManager (LM) hash is widely known and is largely what made L0phtcrack popular. The NT hash is an improvement: it is a longer hash (128-bit MD4 over the password) and it preserves the case of letters. NTLMv2 goes further as an authentication protocol: it uses 128-bit keys, separate keys for confidentiality and integrity, and HMAC-MD5 for integrity. But Windows 2000, as before, often still sends LM and NTLM responses over the network, and NTLMv2 remains exposed to relay (man-in-the-middle) attacks in transit. And because the SAM in the registry still stores both the LM and the NT hash, attacks on the SAM database remain possible. Until the LanManager legacy is finally removed, the strength of the stored hashes is what we have to rely on, and that means the strength of the passwords themselves.
The best password is something like Gfh%w3M@x. A common myth is that the best password is one produced by a random password generator. That is not quite true. Such passwords can be quite strong, but they are very hard for users to remember, slow to type, and can be weakened by attacks on the generation algorithm itself. Crack-resistant passwords are easy to make; the problem is making them memorable. Here are a few simple tricks. Take a password built like an e-mail address, such as the example given here as [email protected]: it used upper and lower case letters, two digits and two punctuation characters, 16 characters in all, and yet it is not hard to remember and is easy to type. You can also choose words whose letters alternate between the left and right hands when typed; this speeds up typing and makes it harder for an onlooker to reconstruct the password from your finger movements. There are even lists of English words that are typed with alternating hands. Using memorable structures is therefore the best way to build passwords that are both complex and easy to remember, and such structures let you work punctuation into the password naturally, as the e-mail address does. Other useful structures are phone numbers, postal addresses, startup file names, URLs and the like. Pay attention to the things that aid memory: rhyme, humor, repetition and patterns, even rude or obscene words. The result is a password that is very hard to forget.
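As an added illustration that is not part of the original article, the following Python check implements the alternating-hands property described above. The QWERTY hand split used here is the standard touch-typing assignment and is an assumption; the word list is constructed for the demonstration.

```python
# Assumed touch-typing split of a US QWERTY keyboard: keys left of the
# T/G/B column are typed with the left hand, the rest with the right.
LEFT_HAND = set("qwertasdfgzxcvb12345")
RIGHT_HAND = set("yuiophjklnm67890")


def hand(ch: str):
    """Return 'L' or 'R' for a letter/digit, None for anything unclassified."""
    ch = ch.lower()
    if ch in LEFT_HAND:
        return "L"
    if ch in RIGHT_HAND:
        return "R"
    return None  # punctuation, space, non-ASCII: not classified


def alternates_hands(word: str) -> bool:
    """True if every consecutive pair of characters switches hands.

    Words of fewer than two characters, or containing an unclassified
    character, are rejected rather than guessed at.
    """
    hands = [hand(c) for c in word]
    if len(hands) < 2 or any(h is None for h in hands):
        return False
    return all(a != b for a, b in zip(hands, hands[1:]))


def alternating_words(words):
    """Filter a word list down to the alternating-hand words, preserving order."""
    return [w for w in words if alternates_hands(w)]


if __name__ == "__main__":
    # Constructed sample list; "their", "clan" and "sign" alternate, the others do not.
    sample = ["their", "clan", "flaw", "password", "sign"]
    print(alternating_words(sample))
```

Run over a real dictionary file, `alternating_words` produces the kind of list the paragraph mentions, from which multi-word passwords can be assembled.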
The optimal password length is 14 characters. LM splits the password into two 7-character halves and hashes each separately. This actually makes passwords weaker, since a brute-force attack can be run against each half independently. A 9-character password is also split in two: a 7-character half and a 2-character half. Cracking the 2-character half is nearly instant, and the 7-character half is a matter of hours; worse, the recovered short piece often makes the long piece much easier to guess. This is why many professionals recommend a password length of exactly 7 or 14 characters, so that neither half is short. The NT hash improves on this by hashing all 14 characters as a single string. That really helps, except that the NT password dialog limited passwords to 14 characters, so the system itself "hints" that this length is optimal for security. Newer versions differ: Windows 2000 and XP accept passwords of up to 127 characters, and the 14-character limit is gone. Moreover, if the password is longer than 14 characters, Windows no longer stores a real LanMan hash at all: a fixed constant is stored instead, equal to the LM hash of an empty password. Since the password is not actually empty, cracking that hash yields nothing. With this in mind, passwords of 15 characters or more are a good choice. The catch is that you cannot enforce this through security templates or Group Policy, because the minimum password length setting cannot be set higher than 14.
A good password looks like M1chael99. Under the Windows 2000 password complexity requirements such a password is acceptable, but in reality it is not hard to crack at all. Today's password crackers try millions of combinations per second and have no trouble swapping the letter "i" for the digit "1" and back, or appending a couple of digits to a word. Some programs explicitly try the substitution tricks users favor and recover long, seemingly strong passwords that way. So be less predictable: instead of replacing "o" with "0", try two parentheses "()"; instead of "1", use the letter "l". And remember that strength certainly grows with length.
Sooner or later any password can be cracked. First, set aside the methods that reveal a password outright, such as a keystroke logger or social engineering. Leaving those aside, we can say with confidence that there are ways to create passwords that cannot be cracked in any reasonable time. Above all, a long password takes so much time or computing power to crack that it is as good as uncrackable. In theory any password can be cracked, but it may not happen in our lifetime, nor in our grandchildren's. Unless the attacker is a government agency with the computing power to match, there is practically no chance of recovering such a password. Still, computer technology advances by leaps and bounds, and one day this myth may become reality.
Passwords must be changed monthly. This advice works for some low-security passwords, but not for ordinary users. Such a requirement pushes users into fairly predictable passwords at each change, or into habits that undermine security. Users also dislike inventing and memorizing a new password every 30 days. Rather than limiting the age of a password, focus on creating stronger ones and on raising user competence. For an average user, keeping a password for 3 or 4 months is fine. Giving people more time makes it possible to persuade them to use more complex passwords.
Never write your password down anywhere. Many try to follow this advice, but sometimes passwords have to be written down. Users will then be more comfortable choosing a complex password, knowing that if they forget it they can look it up in a safe place. Attention must be paid to how passwords are written down. Sticking the password on the monitor is foolish, of course, but keeping the paper in a safe, or at least a locked drawer, can be adequate. Do not neglect security when disposing of paper with an old password either; many break-ins have begun with attackers carefully going through an organization's trash for written-down passwords. Users often turn to dedicated password-storage utilities. These products keep many passwords protected by a single master password, so losing that one password gives an attacker the whole list at once. Before letting users store passwords in such tools, consider two things: first, it is a software method and therefore open to attack, and second, the master password becomes the single point of failure for every stored password, and it is often made quite simple. The best approach combines physical security, company policy and technology. Sometimes passwords simply must be documented: the system administrator may fall ill or quit, and is often the only person who knows the administrator passwords, including those for the servers. Writing passwords down sometimes even has to be sanctioned, although this should be done with great care and only in exceptional cases.
A password must not contain spaces. Although not popular with users, Windows 2000 and XP allow spaces in passwords. In fact, any character Windows can represent can be used in a password, so a space is perfectly acceptable. Some applications trim whitespace, however, so avoid a space at the very beginning or end of the password. Spaces also let users build more complex passwords: since the character can separate words, a password can be made from several words. An odd situation arises with the space, because it falls into none of the Windows password-complexity categories: it is not a letter, not a digit, and is not counted as a symbol either. Still, if you want a more complex password, a space is no worse than any other character, and in most cases it does not reduce complexity. One real drawback must be mentioned: the space bar makes a distinctive sound when pressed that is hard to mistake for anything else, so a space in the password announces itself to anyone listening. On the whole, spaces are fine; just do not overuse them.
You should use the Passfilt.dll library. This library forces users to choose strong passwords; in Windows 2000 and XP the same thing is done through the security policy that defines password complexity requirements. The policy is reasonable, but many users get upset when their passwords are rejected as not complex enough; even experienced administrators sometimes cannot enter an acceptable password on the first try. Unsurprisingly, users dislike the measure and are unlikely to support the password policy. A better solution in this situation is to require long passwords instead. A little arithmetic shows that a 9-character all-lowercase password (26^9, about 5.4 trillion combinations) is roughly as strong as a 7-character password of mixed-case letters and digits (62^7, about 3.5 trillion). The only difference is how cracking programs handle the different character subsets: some first exhaust all-lowercase combinations and only then move on to digits and other symbols. You can also take the Platform SDK sample password filter and modify it to be more lenient. An important step in this direction is working with users: teaching them how to make passwords more complex and giving them the necessary ideas.
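As an added example, and not the article's or Microsoft's code, the Python below models the Passfilt.dll-style complexity rules discussed here (at least 6 characters, three of four character classes, no account name or name fragment of 3 or more characters) next to a length-first policy, and carries the caveats from the space discussion above: a space counts toward no class, and leading or trailing spaces may be trimmed by some applications. The exact symbol set, the name-token delimiters and the space handling are assumptions taken from the text rather than from the DLL itself.

```python
import re

# Assumed symbol class: printable ASCII punctuation, with the space deliberately
# excluded because, per the text, it counts toward no complexity category.
SYMBOLS = set(r"""`~!@#$%^&*()-_=+[]{}\|;:'",.<>/?""")


def complexity_classes(password: str) -> set:
    """Which of the four Passfilt character classes the password uses."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SYMBOLS:
            classes.add("symbol")
        # space and anything else: no class
    return classes


def _name_tokens(full_name: str):
    # Assumed delimiters for splitting the full name into checkable parts.
    return [t for t in re.split(r"[ ,.\-_#\t]+", full_name) if len(t) >= 3]


def meets_complexity(password: str, account_name: str = "", full_name: str = ""):
    """Passfilt-style check. Returns (ok, reason)."""
    if len(password) < 6:
        return False, "shorter than 6 characters"
    low = password.lower()
    if account_name and account_name.lower() in low:
        return False, "contains the account name"
    for tok in _name_tokens(full_name):
        if tok.lower() in low:
            return False, "contains part of the full name: " + tok
    if len(complexity_classes(password)) < 3:
        return False, "fewer than 3 character classes"
    return True, "ok"


def meets_length_policy(password: str, min_length: int = 15):
    """Length-first alternative the text recommends. Returns (ok, reason)."""
    if password != password.strip():
        return False, "leading/trailing space may be trimmed by some applications"
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    return True, "ok"


def keyspace(password: str) -> int:
    """Brute-force upper bound: (alphabet implied by the classes used) ** length.
    This is the basis of the 26**9 vs 62**7 comparison in the text."""
    sizes = {"upper": 26, "lower": 26, "digit": 10, "symbol": len(SYMBOLS)}
    alphabet = sum(sizes[c] for c in complexity_classes(password))
    if " " in password:
        alphabet += 1
    return alphabet ** len(password)


if __name__ == "__main__":
    # Constructed samples: M1chael99 passes complexity but has a small keyspace;
    # a three-word phrase fails complexity yet passes the length policy.
    for pw in ("M1chael99", "correct horse battery", " Secret1"):
        print(pw, meets_complexity(pw), meets_length_policy(pw), keyspace(pw))
```

`keyspace("abcdefghi")` and `keyspace("Abcde12")` reproduce the 26^9 and 62^7 figures; the phrase that fails the complexity check has a far larger keyspace than the "complex" nine-character password.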
For the strongest password, use ALT+255. To debunk this myth, consider characters with high ASCII codes, which are supposed to make a password more complex. They cannot be typed directly, but holding ALT and entering the character code on the numeric keypad produces them. The method is sometimes useful, but consider its drawbacks. First, holding ALT and typing digits is easy for bystanders to notice; second, each such character takes five keystrokes. It may be better simply to make the password that many characters longer than to enter what is essentially one character through an elaborate combination each time. A 5-character password of high-ASCII characters takes 25 keystrokes and gives 255^5 combinations, while a 25-character password of lowercase letters alone gives 26^25, incomparably more. So longer passwords win. Remember too that some laptop keyboards do not allow codes to be entered from the numeric keypad, and not all command-line utilities accept passwords containing such characters. For example, ALT+0127 works in Windows dialogs but cannot be typed at the command line, and conversely some codes can be typed at the command line but not in Windows dialog boxes (ALT+0009, ALT+0010 and so on). In rare cases these inconsistencies are quite inconvenient. Nevertheless, extended characters are often useful and justified. For a service account or a rarely used local administrator account, for example, the extra keystrokes are worth it.
Here the approach can be a real safeguard against cracking, since few password crackers are set up to handle extended characters. In such cases there is no need to stop at high ASCII codes: the full Unicode set of 65,536 code points in the Basic Multilingual Plane is available. Keep in mind, though, that ALT+64113 is still not as strong as the same number of keystrokes spent on ordinary characters. Finally, note the non-breaking space, ALT+0160. It is displayed as an ordinary space and can fool someone who glimpses your password; in a keystroke logger's output, a non-breaking space also looks like a regular space. If the attacker does not check the actual character code and knows nothing about the non-breaking space, the captured password will get them nowhere.