[ISN] Security UPDATE--Mathematical Strength of Passphrases--November 3, 2004

InfoSec News isn at c4i.org
Thu Nov 4 03:13:30 EST 2004


This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which you
might be interested. Please take a moment to visit these advertisers'
Web sites and show your support for Security UPDATE.

Debunking the Top 5 Myths of Outsourcing Email Security

Get thawte's New Step-by-Step SSL Guide for MSIIS


1. In Focus: Mathematical Strength of Passphrases

2. Security News and Features
   - Recent Security Vulnerabilities
   - News: New Security Risk Management Guide
   - Feature: Event Response

3. Security Matters Blog
   - Microsoft's Virtual Lab
   - Need Hands-on Time in a Cisco Lab?

4. Instant Poll

5. Security Toolkit
   - FAQ
   - Security Forum Featured Thread

6. New and Improved
   - SSL VPN for Multiplatform Clients


==== Sponsor: Postini ====
Debunking the Top 5 Myths of Outsourcing Email Security
   As spam and email-borne viruses continue to threaten the
productivity and stability of email systems, enterprises are
evaluating various anti-spam email security solutions including buying
software or appliances for deployment in-house, or outsourcing email
security to a managed service. In this free White paper, you'll find
out the five most common myths surrounding the concept of outsourcing
email security. Plus, you'll gain an understanding of the benefits
gained from using a managed service for email security including
improved protection against new email threats and attacks, lower
infrastructure costs, less administrative burden, and reduced risk and
complexity. Get this white paper now!


==== 1. In Focus: Mathematical Strength of Passphrases ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about why passphrases might be a better idea than
passwords. In essence, passphrases are longer and stronger, easier to
remember, and more resistant to the assaults of many of the more
popular password crackers.

In previous editions of this newsletter, I've mentioned articles by
Jesper Johansson, Microsoft security program manager. Recently,
Johansson published part 2 of the three-part series "The Great
Debates: Pass Phrases vs. Passwords," which compares passphrases and
passwords. In part 1 (at the first URL below), Johansson covers the
fundamentals, including how passwords are stored. In part 2 (at the
second URL below), he looks at the strength of each approach, and in
part 3, due out later this month, if I understand correctly, he will
offer guidance on how to select stronger passwords and configure
password policy.

Part 2 of the series is especially worth reading because Johansson
explains why "longer is stronger" in many cases. Some password-cracking
tools precompute the hashes of every possible password and store them
on disk, so that cracking a given hash becomes a lookup rather than a
long computation. Johansson points out that this precomputation is
feasible for LAN Manager (LM) hashes, and the reason lies in how LM
works: the password is converted to uppercase, padded to 14 characters,
and split into two 7-character halves that are hashed independently. A
table of every possible 7-character half therefore covers every
14-character LM password. By Johansson's figures, storing those hashes
for a 76-character set (his count of the characters on a standard
American English keyboard when you include lower- and uppercase
letters, numbers, punctuation, and special characters; uppercasing
actually shrinks the set LM sees) would take about 310TB. Granted,
that's a huge amount of data, but storing it is feasible given the file
systems available today. The NT hash, on the other hand, is computed
over the whole password with its case preserved, so a table for the
same 14-character length and 76-character set needs 76^14 entries
rather than 76^7. The hash output itself is no longer (both LM and NT
hashes are 16 bytes); it is the key space that grows. Johansson puts
that table at 5,652,897,009 exabytes (EB), which "exceeds the capacity
of any file system today." So when only NT hashes are in play, a
password of 14 characters takes far longer to crack than a shorter
password whose LM hash is available, because the NT hashes can't be
precomputed and stored to disk to save processing time. And because LM
can't represent more than 14 characters, Windows stores no usable LM
hash (only the hash of an empty string) for a password of 15 or more,
which is what makes "longer than 14" the useful threshold.

If all the characters in a password are alphanumeric, and especially
if all the letters are the same case, cracking takes much less time
than when nonalphanumeric characters and mixed-case letters are used.
As you might know, cracking programs first try common words and
variations of them, using techniques such as dictionary attacks, and
only then fall back to brute force over the whole character set. If
you use letters of a single case plus digits, that set is only 26
letters and 10 digits, or 36 characters, so an n-character password
has just 36^n possibilities. If you draw from the entire set of 76
characters, there are 76^n, and you greatly increase password strength
because you increase the amount of time required to crack your

Essentially, the strength of a password (or passphrase) is a function
of the size of the character set, the number of characters drawn from
that set and how unpredictably they are chosen, and the computing
power the attacker can bring to bear. Randomness matters alongside
length: a passphrase made of a few common dictionary words has less
entropy than its character count suggests, because the attacker can
guess whole words rather than characters. Because you can't know what
hardware an attacker has, assume the worst case: a distributed
computing network and massive amounts of storage, which will crack
your password much faster than a single cracker working alone or with
a few associates. That means your password policy should defend
against such attackers as far as possible: require passwords longer
than 14 characters (so that Windows stores no usable LM hash), require
some nonalphanumeric characters, defend your network at all levels
against sniffing of credentials and hashes, and so on.
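The arithmetic behind the LM versus NT comparison above and the
policy advice in the preceding paragraph, worked through in Python.
This is an added example for this newsletter, not code from
Johansson's articles or from Microsoft. The 36- and 76-character set
sizes are the ones the column uses; the 16 bytes per table entry, the
15-character minimum in policy_findings, and the sample passwords are
assumptions chosen for illustration.

```python
import math

# Added example (not Johansson's or Microsoft's code): the key-space
# arithmetic behind "longer is stronger", plus the LM-hash behaviour that
# makes precomputation feasible for passwords of 14 characters or fewer.
# Character-set sizes follow the newsletter; bytes_per_entry and the
# 15-character minimum are assumptions for illustration.

LM_MAX_LEN = 14   # LM covers at most 14 characters; longer passwords get no usable LM hash
LM_HALF = 7       # LM hashes each 7-character half independently


def lm_halves(password):
    """Return the two 7-character strings the LM algorithm hashes independently
    (uppercased, NUL-padded), or None when the password is longer than 14
    characters, in which case Windows stores only the hash of an empty string."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().ljust(LM_MAX_LEN, "\x00")
    return padded[:LM_HALF], padded[LM_HALF:]


def keyspace(charset_size, length):
    """Number of distinct strings of exactly `length` characters from the set."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Entropy of a uniformly random password of this length (not of a
    phrase assembled from dictionary words, which is far lower)."""
    return length * math.log2(charset_size)


def lm_table_entries(charset_size):
    """Entries a complete LM precomputation table needs. One table of all
    7-character halves covers every 14-character password, so this is
    charset^7, not charset^14. Uppercasing merges the letter cases, so for
    a set that counts both cases this is an upper bound."""
    return keyspace(charset_size, LM_HALF)


def nt_table_entries(charset_size, length):
    """Entries a complete NT-hash table needs: NT hashes the whole password,
    case preserved, so no half-table can be shared between passwords."""
    return keyspace(charset_size, length)


def table_bytes(entries, bytes_per_entry=16):
    """Storage at an assumed bytes_per_entry (16 = one raw hash, no plaintext).
    Real tables store more per entry, or use rainbow chains to store less."""
    return entries * bytes_per_entry


def policy_findings(password, min_len=15):
    """Check a password against the policy the column recommends.
    Returns a set of finding codes; an empty set means it passes."""
    findings = set()
    if len(password) < min_len:
        findings.add("too_short")        # 14 or fewer chars: an LM hash would be stored
    if not any(not c.isalnum() for c in password):
        findings.add("no_nonalnum")      # only letters and digits
    letters = [c for c in password if c.isalpha()]
    if letters and (all(c.isupper() for c in letters) or all(c.islower() for c in letters)):
        findings.add("single_case")      # all letters in one case
    return findings


if __name__ == "__main__":
    TB = 10 ** 12
    EB = 10 ** 18
    lm = lm_table_entries(76)
    nt = nt_table_entries(76, 14)
    print(f"LM halves of 'Passw0rd!': {lm_halves('Passw0rd!')!r}")
    print(f"LM halves of a 15-character password: {lm_halves('Passw0rd!Passw0')!r}")
    print(f"LM table: {lm:,} entries, about {table_bytes(lm) / TB:,.0f} TB at 16 B/entry")
    print(f"NT table: {nt:,} entries, about {table_bytes(nt) / EB:,.0f} EB at 16 B/entry")
    print(f"NT/LM ratio: {nt // lm:,}")
    for size, length in ((36, 8), (76, 8), (76, 14), (76, 15)):
        print(f"{length:>2} random chars from a {size}-set: {entropy_bits(size, length):.1f} bits")
    for pw in ("Passw0rd!", "correcthorsebatterystaple", "Tr0ub4dor&3 rides again!"):
        print(f"{pw!r}: {sorted(policy_findings(pw)) or 'ok'}")
```

Running the script prints the LM halves of a sample password, the
entry counts and rough sizes of complete LM and NT tables for the
76-character set, the entropy of uniformly random passwords of several
lengths, and the policy findings for each sample. The absolute byte
figures differ from Johansson's because they depend on what each table
entry stores; the 76^7 ratio between the two tables does not.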

If you're interested in more information about password strength or
need some logical reasoning to justify new password policies for your
network, be sure to read Johansson's articles. He goes into a lot of
detail (which isn't over the head of a typical network administrator)
and offers several anecdotes and case studies that I think you'll
find interesting. Also, please take a moment to visit our Security Hot
Topic Web page and answer our latest Instant Poll question: "What
password length do you enforce on your network?" I'm interested to
know whether you agree that longer passwords are stronger passwords.

On another note, we're happy to announce the IT Prolympics--a contest
designed to recognize the most proficient Active Directory (AD)
experts in the nation. The gold medal winner will get an
all-expenses-paid trip to TechEd 2005. Plus, we'll feature photos and
test scores of gold, silver, and bronze winners in the January issue
of Windows IT Pro magazine. Learn more about IT Prolympics and enter


==== Sponsor: thawte ====
Get thawte's New Step-by-Step SSL Guide for MSIIS
   In need of an SSL certificate for your Microsoft Internet
Information Services (MS IIS) web server? This guide will provide a
solution for your need by demonstrating how to test, purchase, install
and use a digital certificate on your MSIIS web server. Best practices
are highlighted throughout this guide to help you ensure efficient
ongoing management of your encryption keys and digital certificates.
You will also discover how a particular digital certificate can
benefit your business by addressing unique online security issues to
build customer confidence.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

News: New Security Risk Management Guide
   Microsoft has published a new Security Risk Management Guide that
helps people "plan, build, and maintain a successful security risk
management program." The new guide is available for free on the
company's TechNet Web site.

Feature: Event Response
   Windows event logs are a crucial source of information for Windows
IT pros. They can warn you of impending problems and alert you to
security incidents--but only if you keep on top of them so that you
can react to problems quickly. Unfortunately, that's easier said than
done. Randy Franklin Smith reviews three tools that monitor event logs
and send you alerts.


==== Announcements ====
   (from Windows IT Pro and its partners)

Are You Using Virtualization Technology? If So, You Could Be a
Virtualization Hero!
   Share your experiences using virtualization (aka virtual machine)
products to solve IT and business problems. Enter the Windows IT Pro
Virtualization Hero contest, and tell us how you used virtualization
technology in innovative ways to benefit your business. Winners will
receive a copy of Microsoft Virtual Server 2005. Also, you can post a
comment in our Virtualization Technology blog, moderated by members of
Microsoft's Virtual Server team. To enter the blog and for a link to
the contest, click here:

Subscribe Now to Windows IT Pro with Exclusive Online Access!
   Windows & .NET Magazine is now Windows IT Pro! Act now to get the
November issue, which features a Linux primer for Windows
administrators, the how-tos of making NTBackup work, and a checklist
for Sarbanes-Oxley compliance. You'll save 30% off the cover price and
receive exclusive subscriber-only access to our entire online library
with your paid subscription! This is a limited-time offer, so click
here to order today!

Get a Quick Reference Guide to the Latest Antispam Developments
   A recent survey shows that spam is the number one pain point for IT
pros, and spammers find new methods to avoid filters every day.
Counter spam by learning the essentials for ensuring user
productivity, increasing mail-server efficiency, decreasing storage
requirements, managing bandwidth, and controlling TCO. Download this
free, quick reference guide now!


==== Hot Release ====
Free Solution Brief: Security Protection Strategies for NT4 Devices
   Do you have legacy applications running on NT4? Did you know that
Microsoft will no longer support the platform with security hot-fixes
leaving many organizations without a credible protection strategy?
Download this free white paper to learn how to protect the Windows
platform without relying on patching.


==== 3. Security Matters Blog ====
   by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Microsoft's Virtual Lab
   Did you know that Microsoft has a virtual lab? I recently learned
about the TechNet Virtual Lab, which lets people test the company's
latest software in a sandbox environment.

Need Hands-on Time in a Cisco Lab?
   The folks over at the Firewall.cx Web site have announced they are
providing a "free fully equipped lab" with Cisco hardware.

==== 4. Instant Poll ====

Results of Previous Poll:
Do you use Mac OS X on your network?
   The voting has closed in this Windows IT Pro Security Hot Topic
nonscientific Instant Poll. Here are the results from the 46 votes.
   - 33% Yes
   - 7% No, but we intend to
   - 61% No
   - 0% I'm not sure
(Deviations from 100 percent are due to rounding.)

New Instant Poll:
What password length do you enforce on your network?
   Go to the Security Hot Topic and submit your vote for
   - 14 or fewer characters
   - 15 to 24 characters
   - 25 to 34 characters
   - 35 to 44 characters
   - 45 or more characters

==== 5. Security Toolkit ====

FAQ
   by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: Does Microsoft provide a tool to help you determine the meanings of
error codes?

Find the answer at

Security Forum Featured Thread
   A forum participant has a computer with a file named *yhukyp.exe
that runs at boot up. The file is hidden in the All Users startup
directory. When he deletes the file, it's copied back from somewhere
else. He's looked in the registry under Run and RunOnce and at the
system.ini and win.ini files. He wonders whether anyone knows of a
guide that might describe where to find the program on the system.
Join the discussion at


==== Events Central ====
   (A complete Web and live events directory brought to you by Windows
IT Pro at http://www.windowsitpro.com/events )

Securing Your Organization's Messaging Traffic
   In this free Web seminar, security expert Randy Franklin Smith will
take a high-level look at the current security trends in the industry,
the emerging threats, and the threats that have become passe. Plus,
you'll learn about the commonly held misconceptions about security
patches and which kinds of attacks companies are reporting in
increased numbers. Register now!


==== 6. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

SSL VPN for Multiplatform Clients
   F5 Networks announced a new version of its FirePass Controller, a
Secure Sockets Layer (SSL) VPN solution. With this release, F5 offers
secure remote access to any application from clients that include
Windows, Linux, Macintosh, Solaris, PocketPC, and other PDAs (iPAQ and
Toshiba e800 devices). F5 also offers more granular access control and
simplified management, making it easier to control and manage employee
and partner access. The new FirePass 4100 enterprise-class hardware
platform offers accelerator cards that speed SSL data traffic and
provide data and key protection for government organizations. FirePass
Controller 5.2 base pricing starts at $24,990 (list) for 100
concurrent users on the FirePass 4100 hardware platform. For more 
information, go to http://www.f5.com

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and
solutions in the Security Administrator print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rsecadmin at windowsitpro.com. If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Security Administrator, the
leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for internal
users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

More information about the ISN mailing list