Security UPDATE--Mathematical Strength of Passphrases--November 3, 2004

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Debunking the Top 5 Myths of Outsourcing Email Security

http://www.windowsitpro.com/whitepapers/postini/outsourcingemail/index.cfm?code=1103Sec_P

Get thawte's New Step-by-Step SSL Guide for MSIIS

http://www.winnetmag.com/whitepapers/thawte/ssl/index.cfm?code=1103Sec_2

1. In Focus: Mathematical Strength of Passphrases

2. Security News and Features

- Recent Security Vulnerabilities

- News: New Security Risk Management Guide

- Feature: Event Response

3. Security Matters Blog

- Microsoft's Virtual Lab

- Need Hands-on Time in a Cisco Lab?

4. Instant Poll

5. Security Toolkit

- FAQ

- Security Forum Featured Thread

6. New and Improved

- SSL VPN for Multiplatform Clients

==== Sponsor: Postini====

Debunking the Top 5 Myths of Outsourcing Email Security

As spam and email-borne viruses continue to threaten the productivity and stability of email systems, enterprises are evaluating various anti-spam email security solutions including buying software or appliances for deployment in-house, or outsourcing email security to a managed service. In this free White paper, you'll find out the five most common myths surrounding the concept of outsourcing email security. Plus, you'll gain an understanding of the benefits gained from using a managed service for email security including improved protection against new email threats and attacks, lower infrastructure costs, less administrative burden, and reduced risk and complexity. Get this white paper now!

http://www.windowsitpro.com/whitepapers/postini/outsourcingemail/index.cfm?code=1103Sec_P

==== 1. In Focus: Mathematical Strength of Passphrases ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last week, I wrote about why passphrases might be a better idea than passwords. In essence, passphrases are longer and stronger, easier to remember, and more resistant to the assaults of many of the more popular password crackers.

In previous editions of this newsletter, I've mentioned articles by Jesper Johansson, Microsoft security program manager. Recently, Johansson published part 2 of the three-part series "The Great Debates: Pass Phrases vs. Passwords," which compares passphrases and passwords. In part 1 (at the first URL below), Johansson covers the fundamentals, including how passwords are stored. In part 2 (at the second URL below), he looks at the strength of each approach, and in part 3, due out later this month, if I understand correctly, he will offer guidance on how to select stronger passwords and configure password policy.

http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx

http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx

Part 2 of the series is very interesting because Johansson offers insight into why "longer is stronger" in many cases. Some password-cracking tools attempt to precompute all possible hashes and store them on disk in order to quicken computation time when trying to crack a given password. Johannson points out that precomputing for LAN Manager (LM) hashes is feasible because storing all possible hashes for a 14-character password, for example, based on a 76-character set (the number of characters on a standard American English keyboard when you include lower- and uppercase letters, numbers, punctuation, and special characters) would require about 310TB of storage. Granted, that's a huge amount of data, but storing it is feasible given the file systems available today. On the other hand, trying to store all the possible NT hashes given the same 14-character password and 76-character set wouldn't be feasible because NT's hash algorithm produces longer hashes that would require 5,652,897,009 exabytes (EB) of storage, which according to Johannson, "exceeds the capacity of any file system today." So you can see that using at least 14 characters for passwords and NT hashes makes cracking take much longer than using shorter passwords and LM hashes because all the possible NT hashes can't be precomputed and stored to disk to save processing time.

If all the characters in a password are alphanumeric, and especially if all the letters are the same case, then cracking doesn't take as long as if some nonalphanumeric characters and mixed-case letters are used. As you might know, cracking programs check first for common words using techniques such as dictionary attacks. And if you use only upper- or lowercase letters, the alphanumeric characters add up to only 26 letters and 10 digits, or 36 characters. But if you use the entire set of 76 characters, you greatly increase password strength because you increase the amount of time required to crack your passwords.

Essentially, the strength of a password (or passphrase) is a function of the size of the character set, the number and randomness of characters used from that set, and the computing power of the platform used to attempt to break the password. Because you can't precisely determine which platform crackers might have at their disposal, you could assume the worst-case scenario--that they have the power of a distributed computing network and massive amounts of storage and will therefore be able to crack your password much more quickly than if they worked alone or with a few associates. That means you should consider using password policies that defend against such threats as much as possible by requiring passwords longer than 14 characters, requiring some nonalphanumeric characters, defending your network at all levels against sniffing, and so on.

If you're interested in more information about password strength or need some logical reasoning to justify new password policies for your network, be sure to read Johannson's articles. He goes into a lot of detail (which isn't over the head of a typical network administrator) and offers several anecdotes and cases studies that I think you'll find interesting. Also, please take a moment to visit our Security Hot Topic Web page and answer our latest Instant Poll question: "What password length do you enforce on your network?" I'm interested to know whether you agree that longer passwords are stronger passwords.

On another note, we're happy to announce the IT Prolympics--a contest designed to recognize the most proficient Active Directory (AD) experts in the nation. The gold medal winner will get an all-expenses-paid trip to TechEd 2005. Plus, we'll feature photos and test scores of gold, silver, and bronze winners in the January issue of Windows IT Pro magazine. Learn more about IT Prolympics and enter here:

http://www.windowsitpro.com/itprolympics

==== Sponsor: thawte ====

Get thawte's New Step-by-Step SSL Guide for MSIIS

In need of a SSL Certificate for your Microsoft Internet Information Services (MS IIS) web server? This guide will provide a solution for your need by demonstrating how to test, purchase, install and use a digital certificate on your MSIIS web server. Best practices are highlighted throughout this guide to help you ensure efficient ongoing management of your encryption keys and digital certificates. You will also discover how a particular digital certificate can benefit your business by addressing unique online security issues to build customer confidence.

http://www.winnetmag.com/whitepapers/thawte/ssl/index.cfm?code=1103Sec_2

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

News: New Security Risk Management Guide

Microsoft has published a new Security Risk Management Guide that helps people "plan, build, and maintain a successful security risk management program." The new guide is available for free on the company's TechNet Web site.

http://www.winnetmag.com/Article/ArticleID/44356/44356.html

Feature: Event Response

Windows event logs are a crucial source of information for Windows IT pros. They can warn you of impending problems and alert you to security incidents--but only if you keep on top of them so that you can react to problems quickly. Unfortunately, that's easier said than done. Randy Franklin Smith reviews three tools that monitor event logs and send you alerts.

http://www.winnetmag.com/Article/ArticleID/44093/44093.html

==== Announcements ====

(from Windows IT Pro and its partners)

Are You Using Virtualization Technology? If So, You Could Be a Virtualization Hero!

Share your experiences using virtualization (aka virtual machine) products to solve IT and business problems. Enter the Windows IT Pro Virtualization Hero contest, and tell us how you used virtualization technology in innovative ways to benefit your business. Winners will receive a copy of Microsoft Virtual Server 2005. Also, you can post a comment in our Virtualization Technology blog, moderated by members of Microsoft's Virtual Server team. To enter the blog and for a link to the contest, click here:

http://www.windowsitpro.com/articles/index.cfm?articleid=44319

Subscribe Now to Windows IT Pro with Exclusive Online Access!

Windows & .NET Magazine is now Windows IT Pro! Act now to get the November issue, which features a Linux primer for Windows administrators, the how-tos of making NTBackup work, and a checklist for Sarbanes-Oxley compliance. You'll save 30% off the cover price and receive exclusive subscriber-only access to our entire online library with your paid subscription! This is a limited-time offer, so click here to order today!

http://www.winnetmag.com/rd.cfm?code=00ep204kul

Get a Quick Reference Guide to the Latest Antispam Developments

A recent survey shows that spam is the number one pain point for IT pros, and spammers find new methods to avoid filters every day. Counter spam by learning the essentials for ensuring user productivity, increasing mail-server efficiency, decreasing storage requirements, managing bandwidth, and controlling TCO. Download this free, quick reference guide now!

http://www.windowsitpro.com/essential

==== Hot Release ====

Free Solution Brief: Security Protection Strategies for NT4 Devices

Do you have legacy applications running on NT4? Did you know that Microsoft will no longer support the platform with security hot-fixes leaving many organizations without a credible protection strategy? Download this free white paper to learn how to protect the Windows platform without relying on patching.

http://www.windowsitpro.com/whitepapers/eeye/protectionstrategies/index.cfm?code=1103sec_HR

==== 3. Security Matters Blog ====

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Microsoft's Virtual Lab

Did you know that Microsoft has a virtual lab? I recently learned about the TechNet Virtual Lab, which lets people test the company's latest software in a sandbox environment.

http://www.winnetmag.com/Article/ArticleID/44374/44374.html

Need Hands-on Time in a Cisco Lab?

The folks over at the Firewall.cx Web site have announced they are providing a "free fully equipped lab" with Cisco hardware.

http://www.winnetmag.com/Article/ArticleID/44312/44312.html

==== 4. Instant Poll ====

Results of Previous Poll:

Do you use Mac OS X on your network?

The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 46 votes.

- 33% Yes

- 7% No, but we intend to

- 61% No

- 0% I'm not sure

(Deviations from 100 percent are due to rounding.)

New Instant Poll:

What password length do you enforce on your network?

Go to the Security Hot Topic and submit your vote for

- 14 or fewer characters

- 15 to 24 characters - 25 to 34 characters

- 35 to 44 characters

- 45 or more characters

http://www.windowsitpro.com/windowssecurity#poll

==== 5. Security Toolkit ====

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: Does Microsoft provide a tool to help you determine the meanings of error codes?

Find the answer at

http://www.winnetmag.com/Article/ArticleID/44330/44330.html

Security Forum Featured Thread

A forum participant has a computer with a file named *yhukyp.exe that runs at boot up. The file is hidden in the All Users startup directory. When he deletes the file, it's copied back from somewhere else. He's looked in the registry under Run and RunOnce and at the system.ini and win.ini files. He wonders whether anyone knows of a guide that might describe where to find the program on the system. Join the discussion at http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=127136

==== Events Central ====

(A complete Web and live events directory brought to you by Windows IT Pro at http://www.windowsitpro.com/events )

Securing Your Organization's Messaging Traffic

In this free Web seminar, security expert Randy Franklin Smith will take a high-level look at the current security trends in the industry, the emerging threats, and the threats that have become passe. Plus, you'll learn about the commonly held misconceptions about security patches and which kinds of attacks companies are reporting in increased numbers. Register now!

http://www.windowsitpro.com/seminars/securemessaging/index.cfm?code=1101emailannc

==== 6. New and Improved ====

by Renee Munshi, [email protected]

SSL VPN for Multiplatform Clients

F5 Networks announced a new version of its FirePass Controller, a Secure Sockets Layer (SSL) VPN solution. With this release, F5 offers secure remote access to any application from clients that include Windows, Linux, Macintosh, Solaris, PocketPC, and other PDAs (iPAQ and Toshiba e800 devices). F5 also offers more granular access control and simplified management, making it easier to control and manage employee and partner access. The new FirePass 4100 enterprise-class hardware platform offers accelerator cards that speed SSL data traffic and provide data and key protection for government organizations. FirePass Controller 5.2 base pricing starts at $24,990 (list) for 100 concurrent users on the FirePass 4100 hardware platform. For more information, go to http://www.f5.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]