1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Increase your password security

Discussion in 'Computer Security' started by jk2447, Jul 15, 2009.

  1. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    353
    249
    Hi All,

    Just learned something interesting I'd like to share. If your Windows password is 14 characters or less, Windows stores it as two 7-character hashes, which makes them easy to crack :eek:

    Using a password which is 15 characters or more forces Windows to store it in the more secured NTLM hash format, which is a LOT harder to crack :twisted:

    That is all 8)

    Jim
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  2. UKDarkstar
    Honorary Member

    UKDarkstar Terabyte Poster

    3,477
    121
    184
    Nice tip from our budding security expert ! :biggrin

    Rep given
     
    Certifications: BA (Hons), MBCS, CITP, MInstLM, ITIL v3 Fdn, PTLLS, CELTA
    WIP: CMALT (about to submit), DTLLS (on hold until 2012)
  3. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    353
    249
    Aw shucks :lol: thanks mate
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  4. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    my password is only 8 characters long but contains numbers aswell as letters. Do you suggest I change it then?
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  5. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    353
    249
    Its good that you are mixing it up with caps, numbers and symbols. That is enough for most people but if you want to make Windows give you the max security I'd change it. In today's world the amount of nefarious users is growing exponentially. I find its easier if you think of a song or a place so ImagineBeatles1 etc. Thats almost never getting cracked by anyone :biggrin

    **Edit: I also think that as IT professionals we should set the example by having more security awareness than your average user
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  6. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    What happens if the word you have used is a made up word you used to say as kid which sounds like a proper word but is spelled how you would say it when you were a kid? :D
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  7. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    353
    249
    Yeah thats going to be hard to crack so I'm sure you are fine to keep it as it is. I more wanted to highlight how differently Windows handles 14 or less characters and 15 or more.
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  8. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    I do have 15 character one for hotmail which includes numbers and letters but not fo login just the word I used to say as kid.
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  9. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    353
    249
    Thats wise mate, any web based email accounts should be 15 for sure. Glad to see your covered, A+ :D
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  10. Qs

    Qs Semi-Honorary Member Gold Member

    3,081
    70
    171
    I guess I should stop using "password" as my password, then eh? :p

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  11. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    353
    249
    :lol: yeah thats just silly, you should just leave it blank like all mine . . . .:p
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  12. greenbrucelee
    Highly Decorated Member Award

    greenbrucelee Zettabyte Poster

    14,283
    254
    329
    I know lots of people who do that :D
     
    Certifications: A+, N+, MCDST, Security+, 70-270
    WIP: 70-620 or 70-680?
  13. jk2447

    jk2447 Petabyte Poster Moderator

    5,482
    353
    249
    Seriously???! Hope they don't do online banking or they might find they have bought a plasma TV in Bejing! ha ha
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  14. Fergal1982

    Fergal1982 Petabyte Poster

    4,196
    171
    211
    bugger that. I have enough issues changing my password every 45 days, to a 9 character password, not used in the past 12 passwords, to worry about trying to come up with a password greater than 14 characters as well.
     
    Certifications: ITIL Foundation; MCTS: Visual Studio Team Foundation Server 2010, Administration
    WIP: None at present
  15. dazza786

    dazza786 Megabyte Poster

    758
    30
    67
    Hmm, GBL will have to brush up on his social engineering defence now though..:p
    I would suggest changing it with a few CapiTals and include some numb3rs\symbols in there if you can
     
    Certifications: MCP (271, 272, 270, 290, 291, 621, 681, 685), MCDST, MCTS, MCITP, MCSA, Security+, CCA(XA6.5)
  16. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    ...except most online places don't accept passwords that long... and some will truncate them without you knowing it. Older Windows OSes simply disregard the trailing characters in passwords that long.

    Plus, using passwords that long are more likely to include dictionary words in order to help you remember them, which makes them far, FAR easier to crack than a more complex string of 8 characters. Thus, in my opinion, 15-character passwords are often LESS secure than shorter, more complex passwords.

    EDIT: For those who think it's enough to add in capitals and "leetspeak" characters, you need to do a little research on how easy it is to add those combinations into dictionary attacks.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  17. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    What you mean my password, which is password, is not secure!

    Damn you, I shall think of another one, maybe Password
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  18. Qs

    Qs Semi-Honorary Member Gold Member

    3,081
    70
    171
    Been there, done that, check Page 1 :p

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  19. delorean

    delorean Megabyte Poster

    959
    15
    64
    I make it a personal goal to learn at least 1 new fact/thing/misc every single day. Today this was it. Thanks!

    Repped!
     
    Certifications: A+, MCP 70-270, 70-290, 70-291
    WIP: 70-680, S+, MCSA, MCSE, CCNA
  20. dazza786

    dazza786 Megabyte Poster

    758
    30
    67
    You fail to mention its advantages with regards to brute force attacks... it'd take longer to attempt
    reservoir, r3servoir, r3s3rvo... etcetc
    so it's still increased its security in comparison to a plaintext lowercase string.
     
    Certifications: MCP (271, 272, 270, 290, 291, 621, 681, 685), MCDST, MCTS, MCITP, MCSA, Security+, CCA(XA6.5)

Share This Page

Loading...