Sign in with
Sign up | Sign in
Your question

password vs passphrase

Last response: in Windows 2000/NT
Share
July 8, 2004 11:35:21 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Option 1: passphase -> 15 or more character phrase
Option 2: password -> 12 to 14 characters (upper & lower
case, numbers and symbols)

Which is more secure? Which is hard to hack?

More about : password passphrase

Anonymous
a b 8 Security
July 8, 2004 2:58:57 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Mark Minasi had an interesting take on this at the Security Roadshow this
spring. I'll do my best to paraphrase: (Forgive me if I miss a niggling
detail or three - I think the full slide deck is up on www.minasi.com.)

A 15+ character passphrase has some good things going for it. Even if an
attacker's machine could attempt thousands of passwords every minute, it
would take something like 600 NONILLION years to cycle through all possible
15-letter passphrase combinations, even if the letters are all in
lower-case. Which gives you a legitimate possibility of eliminating account
lockout policies that 90% of the time serve no other purpose than to annoy
your users. :-)

It's also easier for your users to remember a long PHRASE than somehow
expecting them to come up with an 11-letter WORD and intersperse it with % ^
@ $ ! characters or whatever. Compare the following:

Password: Ant!d!se$s+abli$hm3n+ar!an!$m.

Passphrase: igreatlyenjoyrivetswithmymorningpancakes

Which one is better? A user is going to have to THINK about typing in the
former. Probably every single time they have do it. Which will lead to
mis-typing and account lockouts and other annoyances. Whereas the latter is
really easy to remember, since it's -English.-

The drawback to a passphrase is that some down-level systems won't support
them - they're stuck in the LM-Hash compatibility world and can't handle
anything longer than 14 characters. So it's something that you need to test
before you mandate it across the board.

--
******************************
Laura E. Hunter - MCSE, MCT, MVP
Replies to newsgroup only


"Susan" <anonymous@discussions.microsoft.com> wrote in message
news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
> Option 1: passphase -> 15 or more character phrase
> Option 2: password -> 12 to 14 characters (upper & lower
> case, numbers and symbols)
>
> Which is more secure? Which is hard to hack?
Anonymous
a b 8 Security
July 8, 2004 3:41:12 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Anything larger than 15 characters SHOULD be harder to hack. However if someone
used a bad password/phrase with all dictionary words, they may successfully
reduce the security of their password/phrase.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Susan wrote:
> Option 1: passphase -> 15 or more character phrase
> Option 2: password -> 12 to 14 characters (upper & lower
> case, numbers and symbols)
>
> Which is more secure? Which is hard to hack?
Related resources
Anonymous
a b 8 Security
July 8, 2004 4:57:25 PM

Archived from groups: microsoft.public.win2000.security (More info?)

"Laura E. Hunter \(MVP\)" <hunter(nospamplease)@sfs.upenn.edu> wrote in message news:<eWUhZwPZEHA.1248@TK2MSFTNGP11.phx.gbl>...
> Mark Minasi had an interesting take on this at the Security Roadshow this
> spring. I'll do my best to paraphrase: (Forgive me if I miss a niggling
> detail or three - I think the full slide deck is up on www.minasi.com.)
>
> A 15+ character passphrase has some good things going for it. Even if an
> attacker's machine could attempt thousands of passwords every minute, it
> would take something like 600 NONILLION years to cycle through all possible
> 15-letter passphrase combinations, even if the letters are all in
> lower-case. Which gives you a legitimate possibility of eliminating account
> lockout policies that 90% of the time serve no other purpose than to annoy
> your users. :-)
>
> It's also easier for your users to remember a long PHRASE than somehow
> expecting them to come up with an 11-letter WORD and intersperse it with % ^
> @ $ ! characters or whatever. Compare the following:
>
> Password: Ant!d!se$s+abli$hm3n+ar!an!$m.
>
> Passphrase: igreatlyenjoyrivetswithmymorningpancakes
>
> Which one is better? A user is going to have to THINK about typing in the
> former. Probably every single time they have do it. Which will lead to
> mis-typing and account lockouts and other annoyances. Whereas the latter is
> really easy to remember, since it's -English.-
>
> The drawback to a passphrase is that some down-level systems won't support
> them - they're stuck in the LM-Hash compatibility world and can't handle
> anything longer than 14 characters. So it's something that you need to test
> before you mandate it across the board.
>
> --
> ******************************
> Laura E. Hunter - MCSE, MCT, MVP
> Replies to newsgroup only
>
>
> "Susan" <anonymous@discussions.microsoft.com> wrote in message
> news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
> > Option 1: passphase -> 15 or more character phrase
> > Option 2: password -> 12 to 14 characters (upper & lower
> > case, numbers and symbols)
> >
> > Which is more secure? Which is hard to hack?

Oh give it up, spend a couple hundred bucks for a smart card system
and forget about it. LOTS OF LAUGHTER>:) 
Anonymous
a b 8 Security
July 8, 2004 8:05:30 PM

Archived from groups: microsoft.public.win2000.security (More info?)

While it is good to use complex passwords and either of those could be considered
secure, particularly if storing of lm hashes can be disabled keep in mind that many
attacks involve "resetting" the built in admin password to a computer that requires
physical access to it which can be done in less than five minutes if the user has
needed access. So use password complexity and a account lockout policy with a
threshold of no less than ten attempts [to deter brute force attacks AND notify you
of] along with good physical security of sensitive computers. --- Steve


"Susan" <anonymous@discussions.microsoft.com> wrote in message
news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
> Option 1: passphase -> 15 or more character phrase
> Option 2: password -> 12 to 14 characters (upper & lower
> case, numbers and symbols)
>
> Which is more secure? Which is hard to hack?
Anonymous
a b 8 Security
July 8, 2004 8:56:55 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

it still depends on what password is and what pass phrase is...

e.g. my password could be "P@assw0rd1234", would you consider this secure
password? It has upper and lower chars and it has numbers in it...

again you could have "pass phrase" "aaa bbb ccc ddd eee etc"

The other down side is, they are stored as LM Hash (by default for any
password shorter then 14 characters) and as such vulnerable to cracking
using tools such as @Stake, etc....

Personally, I use pass phrases... There are harder attacked by dictionaries
and they are not stored as LM Hash (longer then 15 characters)

Mike

"Susan" <anonymous@discussions.microsoft.com> wrote in message
news:287be01c464f8$cc3021f0$a601280a@phx.gbl...
> Option 1: passphase -> 15 or more character phrase
> Option 2: password -> 12 to 14 characters (upper & lower
> case, numbers and symbols)
>
> Which is more secure? Which is hard to hack?
!