August 1, 2006

Windows Password Security

SecurityFocus has a great article on Windows password security. Among other things, it addresses the real implications of the weaknesses of LanMan and NTLMv2, and a way you can use that to your advantage:

if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password.

And I remember creating my first Alt+255 password years ago. It was a pain to enter, and the author makes a good point:

It is common to see recommendations to use high-ASCII characters as the ultimate password tip. High-ASCII characters are those that cannot normally be typed on a keyboard but are entered by holding down the ALT key and typing the character’s ASCII value on the numeric keypad. For example, the sequence ALT-0255 creates the character <ÿ>. […] Creating such a character requires five keystrokes that must be memorized and later typed every time the password is entered. Perhaps a more effective technique would be to make your password five characters longer, which would actually make your password much stronger for the same number of keystrokes.

Might it be time to take a glance at your policy to see if your standards still make sense?
Ten Windows Password Myths [SecurityFocus]
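If you want to check whether the 15-character rule is actually doing its job, here is a small audit script. It is an added example, not code from this post or from the SecurityFocus article; it assumes pwdump-style input lines (user:rid:lmhash:nthash:::), and the sample lines below are constructed placeholders, not real account data.

```python
"""Audit stored LM hashes for the weakness the post describes.

Assumed input: pwdump-style lines of the form user:rid:lmhash:nthash:::
(the format is an assumption of this example). The hash values in the sample
are constructed placeholders, not real account data."""

NULL_LM_HASH = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of the empty password
NULL_LM_HALF = NULL_LM_HASH[:16]                   # one 8-byte half under an all-zero key

def lm_storage_neutralized(password: str) -> bool:
    """Windows stores the null LM hash instead of a real one once the
    password is 15 characters or longer, so the weak hash cannot be attacked."""
    return len(password) >= 15

def classify_lm_hash(lm_hash: str) -> str:
    """Classify a stored 32-hex-digit LM hash.

    The LM hash is two independent 8-byte halves, each covering 7 characters
    of the upper-cased, 14-character padded password. A null second half
    therefore reveals that the password is at most 7 characters long."""
    h = lm_hash.strip().upper()
    if len(h) != 32 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError(f"not a 32-hex-digit LM hash: {lm_hash!r}")
    if h == NULL_LM_HASH:
        return "none"       # empty password, 15+ characters, or LM hashes not stored
    if h[16:] == NULL_LM_HALF:
        return "short"      # 7 characters or fewer: enforce a longer password
    return "present"        # 8..14 characters: full LM hash is stored

def audit_pwdump(lines):
    """Return {username: classification} for each pwdump-style line."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed line: {line!r}")
        user, _rid, lm_hash, _nt_hash = fields[:4]
        report[user] = classify_lm_hash(lm_hash)
    return report

# Constructed sample: every hash below is a placeholder except the null constant.
SAMPLE_DUMP = """
# user:rid:lmhash:nthash:::
svc_backup:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
jsmith:1002:0011223344556677AAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:::
dlee:1003:00112233445566778899AABBCCDDEEFF:0123456789ABCDEF0123456789ABCDEF:::
""".splitlines()

if __name__ == "__main__":
    for user, status in audit_pwdump(SAMPLE_DUMP).items():
        print(f"{user:12s} LM hash: {status}")
```

Accounts reported as "short" or "present" are the ones where the weak LanMan hash is still sitting in the SAM and a longer password (or disabling LM hash storage) would remove it.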


One Response to “Windows Password Security”

  1. Computer world security » Windows Password Security Says:

    [...] Original post by Security Wonk and powered by Img Fly [...]

    April 10th, 2007 at 4:43 am
