August 1, 2006
Windows Password Security
SecurityFocus has a great article on Windows password security. Among other things, it addresses the real implications of the weaknesses of LanMan and NTLMv2, and a way you can use that to your advantage:
if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password.
And I remember creating my first Alt+255 password years ago. It was a pain to enter, and the author makes a good point:
It is common to see recommendations to use high-ASCII characters as the ultimate password tip. High-ASCII characters are those that cannot normally be typed on a keyboard but are entered by holding down the ALT key and typing the character’s ASCII value on the numeric keypad. For example, the sequence ALT-0255 creates the character <ÿ>… creating such a character requires five keystrokes that must be memorized and later typed every time the password is entered. Perhaps a more effective technique would be to make your password five characters longer, which would actually make your password much stronger for the same number of keystrokes.
Might it be time to take a glance at your policy to see if your standards still make sense?
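One way to check whether that 15-character rule (or an LM-storage-disabled policy) is actually taking effect is to audit a pwdump-style export for which accounts still carry a real LM hash. This is an added example, not code from the SecurityFocus article; the null-hash constant comes from the quote above, and the sample export lines and NT hashes are constructed:

```python
import re

# Constant Windows stores in the LM field for a null password, or when no
# real LM hash is stored (password of 15+ characters, or LM storage disabled).
NULL_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"
# An LM hash is two independent 8-byte DES outputs. For any password shorter
# than 8 characters the second 7-character block is all padding, so the
# second half of the hash equals the null half.
NULL_LM_HALF = NULL_LM_HASH[:16]

# pwdump line layout: username:RID:LM hash:NT hash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):")

def classify_lm(lm_hash):
    """Say what the stored LM hash reveals about the password's protection."""
    lm = lm_hash.upper()
    if lm == NULL_LM_HASH:
        return "no-lm"      # 15+ chars or LM disabled: nothing weak to attack
    if lm[16:] == NULL_LM_HALF:
        return "lm-short"   # 1-7 chars: only one DES block stands in the way
    return "lm-full"        # 8-14 chars: both halves stored, each only 7 chars

def audit_pwdump(lines):
    """Return {username: classification}, skipping lines that do not parse."""
    result = {}
    for line in lines:
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        user, _rid, lm, _nt = m.groups()
        result[user] = classify_lm(lm)
    return result

# Constructed sample export: the NT hashes are placeholders, only the
# structure of the LM field matters for this audit.
SAMPLE_DUMP = [
    "Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:11111111111111111111111111111111:::",
    "svc_backup:1001:0123456789ABCDEFAAD3B435B51404EE:22222222222222222222222222222222:::",
    "jdoe:1002:0123456789ABCDEF0123456789ABCDEF:33333333333333333333333333333333:::",
    "not a pwdump line",
]

if __name__ == "__main__":
    for user, verdict in audit_pwdump(SAMPLE_DUMP).items():
        print(f"{user:15} {verdict}")
```

Accounts reported as anything other than "no-lm" are the ones where the policy in the quote is not yet protecting you.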
Ten Windows Password Myths [SecurityFocus]
Read More: Passwords, Authentication, Windows
July 28, 2006
Why Study When You Can Hack?
Counter to what the movies might say, hacking grades is not just cheating, it’s a crime:
An investigation showed the professor’s network account had been accessed without her permission and grades were assigned to nearly 300 students, prosecutor Robert Fratianne said.
I bet they just guessed her password, but still, there are more legal ways to cheat.
Students face 1 year in jail for hacking [Yahoo News / AP]
Read More: Threats, Passwords, Authentication, Identity Theft, Government
June 15, 2006
Thumb Drive Found in al-Zarqawi’s Pocket
Thankfully the former head of al-Qaida in Iraq hadn’t discovered laptop or flash drive encryption:
Al-Rubaie said a laptop, flashdrive and other documents were found in the debris after the airstrike that killed the al-Qaida in Iraq leader last week outside Baqouba, and more information has been uncovered in raids of other insurgent hideouts since then.
He called it a “huge treasure … a huge amount of information.”
When asked how he could be sure the information was authentic, al-Rubaie said “there is nothing more authentic than finding a thumbdrive in his pocket.”
Well actually I have every confidence that the NSA could have read it anyway, or at least cracked his password (I’d start with 1nf1d3lsMustD13).
But let this be a reminder that you (or rather, your organization) should always encrypt its plans for world domination (sorry, its strategic information).
Iraq Announces Info From Al-Zarqawi Raid [AP / myway news]
Read More: Threats, Crypto, Passwords, D' Oh!, Investigations, Government
May 11, 2006
Blindly Applying ‘Best Practices’
Professor Spafford expands on the article of his we discussed earlier, arguing that we should examine every best practice to see which ones make sense for a given application. My favorite example of this:
One example, told to me by a Federal law enforcement agent, is when he showed his badge and papers while passing through security. They didn’t make him take out his weapon when going through the metal detector…but then they insisted that he run his shoes through the X-ray machine!
The lesson here: don’t check your brain at the door when applying best practices. When security professionals walk around saying that all security requirements need to be met without doing even a back-of-the-napkin risk assessment, we all look bad.
Spaf: Passwords and Myth [Purdue’s CERIAS Blogs]
Read More: Threats, Passwords, Policy, Authentication
May 2, 2006
New Tactics of SSL Evading Trojans
ComputerWorld has a scary article about the strategies some of the more advanced trojans use to bypass SSL and even strong authentication. Among the strategies they are using:
- Stealing passwords via keystroke loggers, plus taking screen shots of secondary authentication mechanisms like on-screen keyboards.
- Creating a man-in-the-middle site on the user’s own computer and using that to harvest credentials, while still proxying them on to the real site.
- And, my favorite, using the existing authenticated channel to the bank:
The Trojan then manipulates the underlying transaction, so that what the user thinks is happening is different from what’s actually transpiring on the site’s servers…When the user successfully authenticates, the Trojan opens a hidden browser window, reads the user’s account balance, and creates another hidden window that initiates a secret transfer.
I may be transferring all my money to First National Bank of the Mattress soon.
Read More: Threats, Web, Crypto, Passwords, Phishing
April 24, 2006
Periodic Password Changes a Waste of Time
Our favorite quotable Computer Science prof, Eugene Spafford, has come out with a controversial article about the (un)importance of regular password changes.
He analyzes the threats and finds the mitigation is minimal. Even better, he examines the sources of this “best practice”…
So where did the “change passwords once a month” dictum come from? … As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months. So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years.
This is one I have to agree with Spaf on. Since regular changes make a password harder to remember, it actually decreases security by:
- Discouraging long, complex passwords.
- Encouraging people to write their passwords down.
I would rather have 1 more character required in a password than require it to be regularly changed.