FriendshipGarden Forum Index
A garden where friends gather to enjoy each other's company

Ten Windows Password Myths

GardenTalker
Administrator


Joined: 11 Oct 2007
Posts: 1190
Location: Canada

Posted: Wed Jan 23, 2008 2:48 pm    Post subject: Ten Windows Password Myths

Ten Windows Password Myths
by Mark Burnett
last updated March 7, 2002

With all of our advances in security technology, one aspect remains constant: passwords still play a central role in system security. The difficulty with passwords is that all too often they are the easiest security mechanism to defeat. Although we can use technology and policy to make passwords stronger, we are still fighting the weakest point in any system: the human element.

Ultimately the goal is to get users to choose better passwords. However, it is not always clear how to achieve that goal. The problem is that as creative as humans are, we are way too predictable. If I asked you to make a list of totally random words, inevitably some sort of pattern will emerge in your list. Selecting good passwords requires education. System administrators need to be educated and that education needs to be passed on to end users. This article is meant to bring you closer to understanding passwords in Windows 2000 and XP by addressing common password myths.

Myth #1: My Password Hashes Are Safe When Using NTLMv2

Many readers will be familiar with the weaknesses in LanManager (LM) password hashes that made L0phtcrack so popular. NTLM made hashes somewhat stronger by using a longer hash and allowing both upper and lower-case letters. NTLMv2 made even more advances by computing a 128-bit key space and using separate keys for message integrity and confidentiality. It also uses the HMAC-MD5 algorithm for further message integrity. However, Windows 2000 still often sends LM or NTLM hashes over the network and NTLMv2 is also vulnerable to in-transit (also known as replay) attacks. And since LM and NTLM password hashes are still stored in the registry, you will still be vulnerable to attacks against the SAM.

It will still be some time until we are completely free from the grips of LanManager. Until then, do not assume that your password hashes are safe.

Myth #2: Dj#wP3M$c is a Great Password

A common myth is that totally random passwords spit out by password generators are the best passwords. This is not true. While they may in fact be strong passwords, they are usually difficult to remember, slow to type, and sometimes vulnerable to attacks against the password generating algorithm. cont.. http://www.securityfocus.com/infocus/1554


Last edited by GardenTalker on Wed Jan 23, 2008 2:52 pm; edited 1 time in total
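The structural weakness behind Myth #1 is easy to see without a cracker. The following is an added illustration (not part of Mark Burnett's article or the quoted post): it performs the LM pre-processing steps that precede the DES encryption (upper-casing, padding to 14 bytes, splitting into two 7-byte halves) and the 7-to-8-byte DES key expansion, then compares the guessing work for two independent LM halves against one case-sensitive password of the same length. The DES step itself and the OEM code-page conversion are omitted, and the alphabet sizes are assumptions built from Python's string constants.

```python
import string

LM_MAGIC = b"KGS!@#$%"  # constant plaintext each LM half encrypts under DES (not computed here)


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte DES key inputs that LM derives from a password.

    LM upper-cases the password (case is lost), truncates or null-pads it to
    14 bytes and splits it in two, so each half can be attacked on its own.
    Non-ASCII characters are replaced with '?' here; real LM uses the OEM code page.
    """
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]


def des_key_from_7(k7: bytes) -> bytes:
    """Expand 7 key bytes into the 8-byte DES key layout with odd parity bits.

    Each 7-bit group is shifted into the high bits of one key byte; the low
    bit is a parity bit that DES ignores, set so every byte has odd parity.
    """
    assert len(k7) == 7
    bits = int.from_bytes(k7, "big")
    out = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F
        byte = seven << 1
        if bin(byte).count("1") % 2 == 0:  # make parity odd
            byte |= 1
        out.append(byte)
    return bytes(out)


# Assumed alphabets: LM never sees lowercase letters; the NT hash keeps case.
LM_ALPHABET = len(string.ascii_uppercase + string.digits + string.punctuation)  # 68
NT_ALPHABET = len(string.printable) - len(string.whitespace)                    # 94


def lm_work_factor(length: int) -> int:
    """Guesses needed to exhaust both LM halves independently (they add, not multiply)."""
    first = min(length, 7)
    second = max(0, min(length, 14) - 7)
    return LM_ALPHABET ** first + (LM_ALPHABET ** second if second else 0)


def nt_work_factor(length: int) -> int:
    """Guesses needed to exhaust a case-sensitive password treated as one unit."""
    return NT_ALPHABET ** length
```

A 14-character password hashed with LM costs less to exhaust than an 8-character mixed-case password hashed as a single unit, and any password of 7 characters or fewer yields the same constant second half, which is why LM hashes left in the SAM undermine everything NTLMv2 adds on the wire.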
GardenTalker
Administrator


Joined: 11 Oct 2007
Posts: 1190
Location: Canada

Posted: Wed Jan 23, 2008 2:50 pm    Post subject: Safeguarding Your Passwords

http://blog.washingtonpost.com/securityfix/2008/01/safeguarding_your_passwords_1.html
Safeguarding Your Passwords

It's tough to navigate the Web and do business online without having to remember dozens of passwords, yet in my experience, very few people give much thought to securing these precious credentials. Most folks simply take advantage of the simple password storage features built into Web browsers like Internet Explorer and Firefox. However, there are some alternatives that I'd like to spotlight, which can help Web users more safely generate, manage and store passwords.

I've never trusted the password store feature in Internet Explorer, perhaps because the methods for filching data stored in IE's "protected storage" area are well-documented, not to mention used in a ton of malicious software (plus, I also don't use IE for regular Web browsing). I do use Firefox's password storage feature, but only for sites that do not store my personal or financial data, such as the Web site of my local library, and certain online user forums.

One thing to note about password storage in Firefox: If you have not enabled and assigned a "master password" to manage your passwords in Firefox, anyone with physical access to that computer and user account can view the stored passwords in plain text, simply by clicking "Options," then "Show Passwords." To protect your passwords from local prying eyes, drop a check mark into the box next to "Use Master Password" at the main Options page, and choose a strong password that you can remember. You will then be prompted to enter the master password once per session when visiting a site that uses one of your stored passwords.

There are several third-party programs that can help users safeguard more sensitive passwords. My favorite -- Password Safe -- is a simple and free program for Microsoft Windows that also protects your passwords with a master password using the secure "twofish" encryption algorithm. (Take care to pick a strong master password, but one that you can remember: Just as with the Firefox master password option, if you forget the master password you are pretty much out of luck.)

Once you have protected Password Safe with a master password, you are ready to start adding passwords. A nice feature of this program is auto-fill. With the main Password Safe window open, right click on an entry, select "browse to URL" and it will load the request site in your default browser. Then, right click on the Password Safe entry again and select "perform auto fill," and watch the program enter your stored username and password at the site and log you in automatically.

Password Safe includes a built-in password generator that can create strong passwords for you, and the program will give you feedback about whether any phrase you create is strong enough to avoid being guessed by automated password-cracking tools. By default, the program locks you out after five minutes of inactivity, requiring you to enter the master password again before using the program (you can change this and a myriad other settings from the Password Safe "options" menu.) cont...