Archived from groups: microsoft.public.win2000.security (
More info?)
"Laura E. Hunter \(MVP\)" <hunter(nospamplease)@sfs.upenn.edu> wrote in message news:<eWUhZwPZEHA.1248@TK2MSFTNGP11.phx.gbl>...
> Mark Minasi had an interesting take on this at the Security Roadshow this
> spring. I'll do my best to paraphrase: (Forgive me if I miss a niggling
> detail or three - I think the full slide deck is up on www.minasi.com.)
>
> A 15+ character passphrase has some good things going for it. Even if an
> attacker's machine could attempt thousands of passwords every minute, it
> would take something like 600 NONILLION years to cycle through all possible
> 15-letter passphrase combinations, even if the letters are all in
> lower-case. Which gives you a legitimate possibility of eliminating account
> lockout policies that 90% of the time serve no other purpose than to annoy
> your users.
>
> It's also easier for your users to remember a long PHRASE than somehow
> expecting them to come up with an 11-letter WORD and intersperse it with % ^
> @ $ ! characters or whatever. Compare the following:
>
> Password: Ant!d!se$s+abli$hm3n+ar!an!$m.
>
> Passphrase: igreatlyenjoyrivetswithmymorningpancakes
>
> Which one is better? A user is going to have to THINK about typing in the
> former. Probably every single time they have do it. Which will lead to
> mis-typing and account lockouts and other annoyances. Whereas the latter is
> really easy to remember, since it's -English.-
>
> The drawback to a passphrase is that some down-level systems won't support
> them - they're stuck in the LM-Hash compatibility world and can't handle
> anything longer than 14 characters. So it's something that you need to test
> before you mandate it across the board.
>
> --
> ******************************
> Laura E. Hunter - MCSE, MCT, MVP
> Replies to newsgroup only
>
>
> "Susan" <anonymous@discussions.microsoft.com> wrote in message
> news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
> > Option 1: passphase -> 15 or more character phrase
> > Option 2: password -> 12 to 14 characters (upper & lower
> > case, numbers and symbols)
> >
> > Which is more secure? Which is hard to hack?
Oh give it up, spend a couple hundred bucks for a smart card system
and forget about it. LOTS OF LAUGHTER>