[ISN] Security UPDATE--Passphrases vs. Passwords--October 27, 2004

InfoSec News isn at c4i.org
Thu Oct 28 04:30:34 EDT 2004


This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which you
might be interested. Please take a moment to visit these advertisers'
Web sites and show your support for Security UPDATE.

Free Patch Management White Paper from St. Bernard Software

Free Solution Brief: Security Protection Strategies for NT4 Devices


1. In Focus: Passphrases vs. Passwords

2. Security News and Features
   - Recent Security Vulnerabilities
   - Using WMI Filters with GPOs
   - Windows XP Pro x64 Data Protection Features

3. Security Matters Blog
   - Malware for Macs
   - MSDN Magazine: Coding Your Way to Better Security

4. Security Toolkit
   - FAQ
   - Security Forum Featured Thread

5. New and Improved
   - Lock Out Unwanted USB and Other Devices
   - Help Users Self-Manage Passwords


==== Sponsor: St. Bernard Software ====
Free Patch Management White Paper from St. Bernard Software
   Successful patch management is a core component of maintaining a
secure computing environment. With a growing number of patches being
released by Microsoft weekly, IT administrators must be vigilant in
assuring that the machines on their networks are accurately patched.
Although Microsoft offers tools to assist administrators with the
tasks of patching, they are often time-consuming and far from
comprehensive. However there are solutions on the market that can
reliably and accurately automate the tasks involved in successful
patch management. In this free white paper, learn more about the patch
management dilemma and patch management solutions. Download this free
white paper now!


==== 1. In Focus: Passphrases vs. Passwords ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

For a long time, people have argued the need for longer and more
complex passwords. The idea behind the argument is that short, simple
passwords are far easier to crack than long, complex passwords. Some
people even prefer randomly generated passwords, which can be even
more difficult to crack because they typically aren't based on some
alteration of a known word in a given language.

You might already know that Windows 2000 and later allow for a maximum
password length of 127 characters. The allowed characters include
punctuation, special characters, and even Unicode characters. The
reason for the 127-character limit is that the password character
array is a set of 256 bytes. Because Unicode characters require two
bytes to represent one character, the maximum number of characters
that can be stored in the array is 127, or half the size of the array.

The ability to use 127 characters allows far more complex passwords or
passphrases than many of us use. I suppose the only real difference
between a password and a passphrase is that a passphrase is a series
of words with a space between them, and passphrases might tend to be
longer than passwords.

Some of you might know of Robert Hensing, who works as a member of
Microsoft's Security Incident Response Team. Hensing has a blog
(syndicated at the first URL below, unsyndicated at the second URL
below), and back in July, he wrote an interesting blog article (at the
third URL below) that argues for the use of passphrases instead of

In his article, Hensing explains why he thinks longer passphrases are
superior. Essentially, it's because they take longer to crack. One can
precompute a huge set of possible password hashes, then use these to
minimize the time necessary to crack a given password. So shorter,
single-word passwords are less secure because people can crack them
really fast with precomputed hashes and other password-cracking tools.
But the hashes of longer passphrases that include a series of words or
random character combinations are far more difficult to crack because
they require far more time. One premise behind password security is
that a password should probably have a life span that's shorter than
the time necessary to crack it. That way, the password will have been
changed to something else before someone can crack it.

Granted, an entity that really wants to know your password can use
certain methods, such as distributed computing and super-fast
computers, to crack it much faster than the average intruder could, no
matter the length. But most intruders probably aren't capable of
attaining such resources, so passphrases and short passphrase life
spans could keep a large percentage of intruders completely at bay.
Thus, they're worth considering.

To enforce the use of passphrases, you can establish policies that
require a certain minimum number of characters. For example, if you
require at least two dozen characters in a password, your computer
users might be inclined to think of a phrase, which is of course
easier to remember than a long string of characters. If you're
interested in the concept, read Hensing's blog article and consider
the comments from various readers.
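As an added illustration (not code from the article or from Hensing's post), the following Python check turns the points above into a policy test: the 127-character storage limit the article describes, a two-dozen-character minimum that nudges users toward phrases, and the premise that a password's life span should be shorter than the time needed to crack it. The 90-day maximum age and the guess rate of 1e10 per second are placeholder assumptions for the example.

```python
import math
import string

# Added example, not the article's code. MAX_CHARS follows the article's
# 256-byte/two-bytes-per-character explanation; MIN_CHARS follows its
# "two dozen characters" suggestion. Guess rate and maximum age are assumed.
MAX_CHARS = 127
MIN_CHARS = 24

def utf16_code_units(candidate: str) -> int:
    """Number of two-byte UTF-16 code units the candidate occupies when stored."""
    return len(candidate.encode("utf-16-le")) // 2

def keyspace_bits(candidate: str) -> float:
    """Coarse search-space estimate: an attacker who knows only the length and
    the character classes used must try alphabet**length candidates. A phrase
    of dictionary words is weaker against word-level guessing than this
    character-level figure suggests, so treat it as an upper bound."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in candidate))
    known = "".join(classes)
    # Spaces and non-ASCII characters: count each distinct extra symbol once.
    alphabet += len({ch for ch in candidate if ch not in known})
    return len(candidate) * math.log2(alphabet) if alphabet else 0.0

def seconds_to_exhaust(candidate: str, guesses_per_second: float) -> float:
    """Time for an exhaustive search at the assumed guess rate (inf if the
    keyspace is too large to represent as a float)."""
    try:
        return 2.0 ** keyspace_bits(candidate) / guesses_per_second
    except OverflowError:
        return math.inf

def check_policy(candidate: str, max_age_days: int = 90,
                 guesses_per_second: float = 1e10) -> list:
    """Return the policy violations for a candidate; an empty list means it passes."""
    problems = []
    if utf16_code_units(candidate) > MAX_CHARS:
        problems.append(f"longer than {MAX_CHARS} characters; cannot be stored")
    if len(candidate) < MIN_CHARS:
        problems.append(f"shorter than {MIN_CHARS} characters; use a phrase instead")
    lifespan_seconds = max_age_days * 86400
    if seconds_to_exhaust(candidate, guesses_per_second) < lifespan_seconds:
        problems.append("estimated cracking time is shorter than the life span")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs: a short password and a 40-character phrase.
    for pw in ["Summer04", "the quick brown fox jumps over lazy dogs"]:
        print(repr(pw), check_policy(pw) or "passes")
```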


==== Sponsor: eEye Digital Security ====
Free Solution Brief: Security Protection Strategies for NT4 Devices
   Do you have legacy applications running on NT4? Did you know that
Microsoft will no longer support the platform with security hot-fixes
leaving many organizations without a credible protection strategy?
Enterprises worldwide are frequently faced with the task of migrating
their critical digital assets to newer, more advanced, platforms as
vendors 'sunset' or 'end of life' older platforms and versions.
Unfortunately, this upgrade is not always an option for certain market
verticals or types of assets within the enterprise. Download this free
white paper to learn how to protect the Windows platform without
relying on patching.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

Using WMI Filters with GPOs
   Most IT pros are familiar with the two most common methods for
applying Group Policy: directly on the container (e.g., site, domain,
organizational unit--OU, local object) and indirectly through security
permission restrictions. In Windows Server 2003, Microsoft added
Windows Management Instrumentation (WMI)-filtering capabilities to let
you further hone the scope of a Group Policy Object (GPO). WMI filters
let you apply a GPO to only certain members of a container that
satisfy the criteria that the filter specifies. Jeff Fellinge explains
how WMI works in this article on our Web site.

Windows XP Pro x64 Data Protection Features
   Due in the first half of 2005, Windows XP Professional x64 Edition
will include virtually all the features from the 32-bit Windows XP
Professional except for the 16-bit subsystem that enables DOS
application compatibility and various legacy protocols such as Apple
Computer's AppleTalk and NetBEUI. In this article, Paul Thurrott takes
a look at the data-protection features in XP Pro x64.


==== Announcements ====
   (from Windows IT Pro and its partners)

IT Security Solutions Roadshow--Best Practices for Securing Your
Business from McAfee, Microsoft, and RSA Security
   Join us for this free half-day event that will give you the
practical hands-on experience you need to help secure your
organization. Take your security to the next level with topics such as
antivirus, intrusion prevention, vulnerability discovery, management,
and more. Attend and enter to win tickets to a professional sports
game. Register now!

Enter to Win a TiVo at the Windows IT Pro eNewsletter Center
   Did you know Windows IT Pro has 12 free email newsletters to help
you find up-to-date, fast information about the topics you care about?
Sign up now for any of our email newsletters and be entered for a
chance to win a TiVo and a lifetime subscription to TiVo service.

The Email Security Center--Your First Line of Defense Against Unwanted
   The Email Security Center provides valuable tools and expertise to
help secure your messaging services against attacks and unsolicited
email. Our experts share the latest trends, guidance, and resources
for understanding and blocking spam, viruses, and attacks while saving
bandwidth, conserving server capacity, and minimizing administration
costs. Sign up today!

New half-day seminar! The Enterprise Alliance Roadshow
   Come and join us for this free event and find out how a more
strategic and holistic approach to IT planning helps organizations
increase operational efficiency and facilitate the implementation of
new technology. Sign up today. Space is limited.


==== 3. Security Matters Blog ====
   by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Malware for Macs
   If you use Macintosh systems on your Windows networks, be aware
that a group of people have been developing a "rootkit" for Mac OS X.
The kit performs a variety of actions you might want to try to

MSDN Magazine: Coding Your Way to Better Security
   The new issue of MSDN Magazine has been released. This month's
content focuses almost entirely on security concerns as they pertain
to developers.

==== 4. Security Toolkit ====

FAQ
   by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How do I set a domain to interim mode?

Find the answer at

Security Forum Featured Thread
   A forum participant has a problem when moving files and folders
from an area that has write access to an area on the same shared drive
that has read-only access. The files and folders are maintaining their
original write permissions even though they were moved to a read-only
area. He wants to know how he can make sure that the moved files and
folders have read-only access. Join the discussion at


==== Events Central ====
   (A complete Web and live events directory brought to you by Windows
IT Pro at http://www.windowsitpro.com/events )

New! Beware the Exchange Strangler: How a Silent Killer Is Taking
Names and Bringing Down Email Servers
   There is a silent killer stalking Exchange Servers in the form of
"directory harvest attacks" that steal email directory names and
quickly strangle server performance. In this free Web seminar, learn
how to stop this "Exchange Strangler" before it can pilfer your email
directory names and bring your email system to its knees. Register


==== 5. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Lock Out Unwanted USB and Other Devices
   SmartLine offers DeviceLock 5.62, which controls which users or
groups can access USB and FireWire devices, Wi-Fi and Bluetooth
devices, CD-ROMs, floppy disks, and other removable devices. You can
control access to devices depending on the time of day and day of the
week and create a white list of USB devices that won't be locked
regardless of any other settings. New in DeviceLock 5.62, you can use
Group Policy to install the DeviceLock Service on target computers in
an Active Directory (AD) domain. DeviceLock runs on Windows
2003/XP/2000/NT 4.0 computers. A single license is $35, and discounts
are available for multiple licenses. For more information, go to

Help Users Self-Manage Passwords
   ANIXIS has released ANIXIS Password Reset 1.1, which lets users
reset their own passwords without having to contact the Help desk or a
network administrator. Users who've forgotten their passwords can use
a standard Web browser to access Password Reset, which asks them to
answer questions about themselves. Password Reset doesn't store the
users' passwords or the answers to their password-verification
questions; it stores the hashes of these answers. Password Reset uses
the RSA and AES (Rijndael) encryption algorithms and runs on Windows
Server 2003/2000/NT 4.0. Multi-user and enterprise-level licenses are
available, with prices beginning at $360 for a 50-user license. You
can download a free, fully functional evaluation version from

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and
solutions in the Security Administrator print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rsecadmin at windowsitpro.com. If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Security Administrator, the
leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for internal
users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
