Passwords are the keys to access control. You can do much for the security of your network if you implement a strong password policy and help users to develop strong passwords.
What Makes a Strong Password?
A strong password must be defined in the context of its use. No matter the system, we know that in general long passwords are more secure than short ones. And we know that passwords that are not dictionary words, or the same as account names, pet names, parents' names, and so on, are harder to guess or crack. However, because password-cracking software is specific to the operating system it is used on, and because ordinary desktop computers have the speed and memory available to crack ordinary passwords in ever-shorter amounts of time, creating strong passwords requires more than following the recommendations of the password policy assigned in the domain.
Password crackers work by attempting dictionary and heuristic attacks followed by a brute-force attack. Dictionary attacks simply hash each word in the dictionary using the algorithm that is used by the authentication process, and then compare each password hash with the hashed dictionary words. Heuristic attacks make assumptions about user behavior and attempt to guess some portion of the password. They understand, for example, that users' first choice for including capital letters is at the front of a word, and their first choice for including numbers is at the end. Brute-force attacks simply try each possible permutation of the existing letters and numbers.
Modern password crackers meant for Windows systems also start with an attempt to crack the LAN Manager (LM) password hash. The LM hash is computed from a password of at most 14 characters: the password is converted to uppercase (so the hash does not distinguish between uppercase and lowercase letters), split into two seven-character halves, and each half is hashed independently. This makes it very easy to use a brute-force attack against these passwords. Users can decrease the likelihood of their password being successfully attacked by creating passwords longer than 14 characters. This means that the LM-style cracking attacks will not work, because no LM password hash will be stored. Designers can assist by designing authentication practices that limit or remove the use of LM passwords and remove the LM password hash from the account database. For more information about these methodologies, see Lesson 2 earlier in this chapter.
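The following is an added illustration, not part of the original lesson, of why the LM structure and the heuristic patterns above matter to a policy checker. It models only what the lesson describes (uppercasing, 14-character maximum, two independently attacked 7-character halves, plus the LM convention of padding short passwords with null bytes) and assumes a 69-symbol uppercase character set and a constructed four-word dictionary; it does not compute real LM hashes.

```python
import re

# Assumed size of the uppercase-only character set an LM half can contain
# (26 letters + 10 digits + 33 printable symbols). An assumption for the model.
LM_CHARSET_SIZE = 69
LM_MAX_LEN = 14

# Constructed mini dictionary standing in for a real cracking wordlist.
DICTIONARY = {"password", "welcome", "summer", "letmein"}


def lm_halves(password):
    """Return the two 7-character halves LM would hash independently,
    or None when no LM hash is stored (password longer than 14 chars).
    Short passwords are uppercased and null-padded to 14 characters."""
    if len(password) > LM_MAX_LEN:
        return None
    padded = password.upper().ljust(LM_MAX_LEN, "\0")
    return padded[:7], padded[7:]


def lm_effort(password):
    """Upper bound on brute-force guesses needed for both LM halves.
    Because each half is attacked on its own, the cost is the SUM of the
    two halves' keyspaces, not their product; a null-padded half costs 1."""
    halves = lm_halves(password)
    if halves is None:
        return 0
    return sum(LM_CHARSET_SIZE ** len(h.rstrip("\0")) for h in halves)


def password_findings(password, account_name):
    """Findings a policy checker would report for the lesson's weak patterns."""
    findings = []
    lower = password.lower()
    if len(password) <= LM_MAX_LEN:
        findings.append("lm_hash_stored")
    if lower in DICTIONARY:
        findings.append("dictionary_word")
    if lower == account_name.lower():
        findings.append("same_as_account")
    # Heuristic-attack patterns: capital only at the front, digits only at the end.
    if re.fullmatch(r"[A-Z][^A-Z]*", password):
        findings.append("capital_only_first")
    if re.fullmatch(r"[^0-9]+[0-9]+", password):
        findings.append("digits_only_trailing")
    return findings
```

Running `lm_halves("Password1")` shows the second half is just `"D1"` plus padding, which is why a 9-character password costs little more than a 7-character one under LM, while a 15-character passphrase yields no LM hash at all.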