Security UPDATE--Passphrases vs. Passwords--October 27, 2004

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Free Patch Management White Paper from St. Bernard Software

http://www.windowsitpro.com/whitepapers/stbernard/patchmanagement/index.cfm?code=1027sec_P

Free Solution Brief: Security Protection Strategies for NT4 Devices

http://www.windowsitpro.com/whitepapers/eeye/protectionstrategies/index.cfm?code=1027sec_s

1. In Focus: Passphrases vs. Passwords

2. Security News and Features

- Recent Security Vulnerabilities

- Using WMI Filters with GPOs

- Windows XP Pro x64 Data Protection Features

3. Security Matters Blog

- Malware for Macs

- MSDN Magazine: Coding Your Way to Better Security

4. Security Toolkit

- FAQ

- Security Forum Featured Thread

5. New and Improved

- Lock Out Unwanted USB and Other Devices

- Help Users Self-Manage Passwords

==== Sponsor: St. Bernard Software ====

Free Patch Management White Paper from St. Bernard Software

Successful patch management is a core component of maintaining a secure computing environment. With a growing number of patches being released by Microsoft weekly, IT administrators must be vigilant in assuring that the machines on their networks are accurately patched. Although Microsoft offers tools to assist administrators with the tasks of patching, they are often time-consuming and far from comprehensive. However there are solutions on the market that can reliably and accurately automate the tasks involved in successful patch management. In this free white paper, learn more about the patch management dilemma and patch management solutions. Download this free white paper now!

http://www.windowsitpro.com/whitepapers/stbernard/patchmanagement/index.cfm?code=1027sec_P

==== 1. In Focus: Passphrases vs. Passwords ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

For a long time, people have argued the need for longer and more complex passwords. The idea behind the argument is that short, simple passwords are far easier to crack than long, complex passwords. Some people even prefer randomly generated passwords, which can be even more difficult to crack because they typically aren't based on some alteration of a known word in a given language.

You might already know that Windows 2000 and later allow for a maximum password length of 127 characters. The allowed characters include punctuation, special characters, and even Unicode characters. The reason for the 127-character limit is that the password character array is a set of 256 bytes. Because Unicode characters require two bytes to represent one character, the maximum number of characters that can be stored in the array is 127, or half the size of the array itself.

The ability to use 127 characters allows far more complex passwords or passphrases than many of us use. I suppose the only real difference between a password and a passphrase is that a passphrase is a series of words with a space between them, and passphrases might tend to be longer than passwords.

Some of you might know of Robert Hensing, who works as a member of Microsoft's Security Incident Response Team. Hensing has a blog (syndicated at the first URL below, unsyndicated at the second URL below), and back in July, he wrote an interesting blog article (at the third URL below) that argues for the use of passphrases instead of passwords.

http://weblogs.asp.net/robert_hensing/Rss.aspx

http://weblogs.asp.net/robert_hensing/

http://weblogs.asp.net/robert_hensing/archive/2004/07/28/199610.aspx

In his article, Hensing explains why he thinks longer passphrases are superior. Essentially, it's because they take longer to crack. One can precompute a huge set of possible password hashes, then use these to minimize the time necessary to crack a given password. So shorter, single-word passwords are less secure because people can crack them really fast with precomputed hashes and other password-cracking tools. But the hashes of longer passphrases that include a series of words or random character combinations are far more difficult to crack because they require far more time. One premise behind password security is that a password should probably have a life span that's shorter than the time necessary to crack it. That way, the password will have been changed to something else before someone can crack it.

Granted, an entity that really wants to know your password can use certain methods, such as distributed computing and super-fast computers, to crack it much faster than the average intruder could, no matter the length. But most intruders probably aren't capable of attaining such resources, so passphrases and short passphrase life spans could keep a large percentage of intruders completely at bay. Thus, they're worth considering.

To enforce the use of passphrases, you can establish policies that require a certain minimum number of characters. For example, if you require at least two dozen characters in a password, your computer users might be inclined to think of a phrase, which is of course easier to remember than a long string of characters. If you're interested in the concept, read Hensing's blog article and consider the comments from various readers.

==== Sponsor: eEye Digital Security====

Free Solution Brief: Security Protection Strategies for NT4 Devices

Do you have legacy applications running on NT4? Did you know that Microsoft will no longer support the platform with security hot-fixes leaving many organizations without a credible protection strategy? Enterprises worldwide are frequently faced with the task of migrating their critical digital assets to newer, more advanced, platforms as vendors 'sunset' or 'end of life' older platforms and versions. Unfortunately, this upgrade is not always an option for certain market verticals or types of assets within the enterprise. Download this free white paper to learn how to protect the Windows platform without relying on patching.

http://www.windowsitpro.com/whitepapers/eeye/protectionstrategies/index.cfm?code=1027sec_s

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

Using WMI Filters with GPOs

Most IT pros are familiar with the two most common methods for applying Group Policy: directly on the container (e.g., site, domain, organizational unit--OU, local object) and indirectly through security permission restrictions. In Windows Server 2003, Microsoft added Windows Management Instrumentation (WMI)-filtering capabilities to let you further hone the scope of a Group Policy Object (GPO). WMI filters let you apply a GPO to only certain members of a container that satisfy the criteria that the filter specifies. Jeff Fellinge explains how WMI works in this article on our Web site.

http://www.winnetmag.com/Article/ArticleID/44066/44066.html

Windows XP Pro x64 Data Protection Features

Due in the first half of 2005, Windows XP Professional x64 Edition will include virtually all the features from the 32-bit Windows XP Professional except for the 16-bit subsystem that enables DOS application compatibility and various legacy protocols such as Apple Computer's AppleTalk and NetBEUI. In this article, Paul Thurrott takes a look at the data-protection features in XP Pro x64.

http://www.winnetmag.com/Article/ArticleID/44134/44134.html

==== Announcements ====

(from Windows IT Pro and its partners)

IT Security Solutions Roadshow--Best Practices for Securing Your Business from McAfee, Microsoft, and RSA Security

Join us for this free half-day event that will give you the practical hands-on experience you need to help secure your organization. Take your security to the next level with topics such as antivirus, intrusion prevention, vulnerability discovery, management, and more. Attend and enter to win tickets to a professional sports game. Register now!

http://www.windowsitpro.com/roadshows/security/index.cfm?code=1025emailannc

Enter to Win a TiVo at the Windows IT Pro eNewsletter Center

Did you know Windows IT Pro has 12 free email newsletters to help you find up-to-date, fast information about the topics you care about? Sign up now for any of our email newsletters and be entered for a chance to win a TiVo and a lifetime subscription to TiVo service.

http://www.windowsitpro.com/email

The Email Security Center--Your First Line of Defense Against Unwanted Email

The Email Security Center provides valuable tools and expertise to help secure your messaging services against attacks and unsolicited email. Our experts share the latest trends, guidance, and resources for understanding and blocking spam, viruses, and attacks while saving bandwidth, conserving server capacity, and minimizing administration costs. Sign up today!

http://www.windowsitpro.com/emailsecurity/index.cfm?code=1025emailannc

New half-day seminar! The Enterprise Alliance Roadshow

Come and join us for this free event and find out how a more strategic and holistic approach to IT planning helps organizations increase operational efficiency and facilitate the implementation of new technology. Sign up today. Space is limited.

http://www.windowsitpro.com/roadshows/serverconsolidation/index.cfm?code=1025annc

==== 3. Security Matters Blog ====

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Malware for Macs

If you use Macintosh systems on your Windows networks, be aware that a group of people have been developing a "rootkit" for Mac OS X. The kit performs a variety of actions you might want to try to prevent.

http://www.winnetmag.com/Article/ArticleID/44311/44311.html

MSDN Magazine: Coding Your Way to Better Security

The new issue of MSDN Magazine has been released. This month's content focuses almost entirely on security concerns as they pertain to developers.

http://www.winnetmag.com/Article/ArticleID/44274/44274.html

==== 4. Security Toolkit ====

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How do I set a domain to interim mode?

Find the answer at

http://www.winnetmag.com/Article/ArticleID/44199/44199.html

Security Forum Featured Thread

A forum participant has a problem when moving files and folders from an area that has write access to an area on the same shared drive that has read-only access. The files and folders are maintaining their original write permissions even though they were moved to a read-only area. He wants to know how he can make sure that the moved files and folders have read-only access. Join the discussion at

http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=126705

==== Events Central ====

(A complete Web and live events directory brought to you by Windows IT Pro at http://www.windowsitpro.com/events )

New! Beware the Exchange Strangler: How a Silent Killer Is Taking Names and Bringing Down Email Servers

There is a silent killer stalking Exchange Servers in the form of "directory harvest attacks" that steal email directory names and quickly strangle server performance. In this free Web seminar, learn how to stop this "Exchange Strangler" before it can pilfer your email directory names and bring your email system to its knees. Register now!

http://www.windowsitpro.com/seminars/directoryharvestattacks/index.cfm?code=1025emailannc

==== 5. New and Improved ====

by Renee Munshi, [email protected]

Lock Out Unwanted USB and Other Devices

SmartLine offers DeviceLock 5.62, which controls which users or groups can access USB and FireWire devices, Wi-Fi and Bluetooth devices, CD-ROMs, floppy disks, and other removable devices. You can control access to devices depending on the time of day and day of the week and create a white list of USB devices that won't be locked regardless of any other settings. New in DeviceLock 5.62, you can use Group Policy to install the DeviceLock Service on target computers in an Active Directory (AD) domain. DeviceLock runs on Windows 2003/XP/2000/NT 4.0 computers. A single license is $35, and discounts are available for multiple licenses. For more information, go to

http://www.protect-me.com

Help Users Self-Manage Passwords

ANIXIS has released ANIXIS Password Reset 1.1, which lets users reset their own passwords without having to contact the Help desk or a network administrator. Users who've forgotten their passwords can use a standard Web browser to access Password Reset, which asks them to answer questions about themselves. Password Reset doesn't store the users' passwords or the answers to their password-verification questions; it stores the hashes of these answers. Password Reset uses the RSA and AES (Rijndael) encryption algorithms and runs on Windows Server 2003/2000/NT 4.0. Multi-user and enterprise-level licenses are available, with prices beginning at $360 for a 50-user license. You can download a free, fully functional evaluation version from

http://www.anixis.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]