Ten Windows Password Myths I was surprised by a few of these myself


Even today passwords play a central role in system security. Here are ten myths about passwords when using Windows:

Myth #1: My Password Hashes Are Safe When Using NTLMv2

Many readers will be familiar with the weaknesses in LanManager (LM) password hashes that made L0phtcrack so popular. NTLM made hashes somewhat stronger by using a longer hash and allowing both upper and lower-case letters. NTLMv2 made even more advances by computing a 128-bit key space and using separate keys for message integrity and confidentiality. It also uses the HMAC-MD5 algorithm for further message integrity. However, Windows 2000 still often sends LM or NTLM hashes over the network and NTLMv2 is also vulnerable to in-transit (also known as replay) attacks. And since LM and NTLM password hashes are still stored in the registry, you will still be vulnerable to attacks against the SAM.

Until we stop using LanManager, which probably won't be anytime soon, do not assume that your password hashes are safe. L0phtcrack is a popular

Myth #2: Passwords created by "Random Password Generators" are great passwords.

This is totally bogus; for one thing, a hacker can figure out what algorithm the generator uses and reverse your password in a matter of minutes. Random passwords are usually extremely hard to remember, and they take a long time to type most of the time. This increases the chance of someone figuring out your password just by watching you. Make sure that if you're creating a password, it alternates between the left and right hand sides of the keyboard, contains at LEAST one number and has both upper and lower-case letters.
Here is a list of almost eight thousand words, all of which use both sides of the keyboard.
https://xato.net/?gi=fd5430c8d485

It is best to create a password that involves something easy for you to remember. This can be anything from vulgar language, part of an address, a favorite song or rhyme, maybe a name of a person. Make sure to combine letters and numbers though. Maybe substitute letters for numbers such as IH4t3Y0uSoVeRYmUCHD!eandR()T

Myth #3: 14 characters is an optimal password length.

With LM, password hashes were split into two separate 7-character hashes. This actually made passwords more vulnerable because a brute-force attack could be performed on each half of the password at the same time. So passwords that were 9 characters long were broken into one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash did not take long, and the 7-character portion could usually be cracked within hours. Often, the smaller portion could actually be used to assist in the cracking of the longer portion. Because of this, many security professionals determined that optimal password lengths were 7 or 14 characters, corresponding to the two 7-character hashes.
NTLM improved the situation some by using all 14 characters to store the password hash. While this did make things better, NT dialog boxes still limited passwords to a maximum of 14 characters; thus the determination that passwords of exactly 14 characters are the optimal length for the best security.


With newer versions of Windows such as 2000 and XP your password can now be up to 127 characters long. This can also get around the LM problem, as Windows doesn't even correctly create and store a hash of your password if it's over 14 characters. This makes brute-force attacks a lot harder.

Myth #4: Passwords such as "J0hn99" are great passwords.

Most password cracking programs can try hundreds of word variations per second. Adding numbers to the end also only takes a few seconds to do. The longer your password the better. That said, using "L33t Sp34K" is probably one of the best ways to create a password. This would include things such as using a combination of symbols, letters and numbers to form a word (or in some cases, even just a single letter).

Myth #5: Any password can eventually be cracked.

This is one of the biggest ones in my opinion. Hackers will leave you alone (unless the Government has hired them to do the dirty work) if they can't get your password guessed in a few minutes. The process of cracking passwords is not only time consuming but it also takes lots of processing power that could be used for other things. As a rule of thumb, the longer your password is the more likely the hacker will give up and move on.

Myth #6: Passwords should be changed every 30 days.

If you have something high-risk this may be a good policy, but for the average Joe it's not something that should be suggested. Constantly changing a password often causes a typical user to develop extremely predictable patterns and other habits that lower the effectiveness of a password. If a user knows they don't have to change their password they can focus on making a password more complex and thus harder to crack. If required to change passwords every so often, it's more realistic to have the time frame be 90+ days.

Myth #7: You Should Never Write Down Your Password

It is actually a good thing to have your password written down. It IS however, not a good policy to sticky note them to your monitor or around your desk. If you write down a password it can help you create more complex passwords and it's easy to recover them if they are forgotten. If you write down a password make sure you do NOT throw it away! A lot of big companies have had security compromises because the passwords that were written down got thrown in the dumpster.

Myth #8: Passwords Cannot Include Spaces

It's a fact that if a character is visible in Windows, it CAN be used in your password. This obviously includes spaces. It is NOT however, recommended to use spaces at the beginning or end of the password. Also make sure spaces are not overused, as a person listening in on your typing can hear the unique "click" the space bar makes every time it's pressed. Please note that a space isn't counted in complexity requirements by Windows.

Myth #9: Always use passfilt.dll

Simply put, using passfilt.dll FORCES users to be within 2000 and XP password guidelines. This can quickly and easily create frustration, which may result in the use of a bad (or weak) password just to get around the Windows password requirements.

Myth #10: Use ALT+255 for the Strongest Possible Password

Using "ALT" and a three digit combo creates ASCII characters. This may sound very secure, as you have to know the exact three digit combo to crack the password, but you can easily watch someone type those numbers in. Here is some math to prove this point:

"For example, a five-character password made up of high-ASCII characters will require 25 keystrokes to complete. With 255 possible codes for each character and five characters, the total possible combinations are 255^5 (or 1,078,203,909,375 - Just over 1 Trillion possible combos). However, a 25-character password made up of only lower-case letters has 26^25 (236,773,830,007,968,000,000,000,000,000,000,000 or a crazy amount of over 236 Decillion (I had to look that one up!)) possible combinations. Clearly, you are better off just making longer passwords."

One trick you can use too is ALT+0160, which creates a "Non-Breaking" space. This fools a hacker, if they see this type of "space", into thinking your password contains a space when it really does not.

SOURCE:
https://www.symantec.com/connect/articles/ten-windows-password-myths
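A worked model of the arithmetic behind Myth #3 (the LM 7-character split and the over-14-characters escape) and Myth #10 (keystroke budget versus keyspace), added here as an example; it is not code from the Symantec article or the poster, and the alphabet sizes, the 5-keystrokes-per-ALT-code count and the sample password are assumptions.

```python
"""Integer-only model of the LM-split weakness (Myth #3) and the keystroke
budget comparison (Myth #10). Added example; no hashes are computed, only the
number of candidates a brute-force search would have to enumerate."""

LM_HALF = 7     # LM stores a password as two independent 7-character pieces
LM_MAX = 14     # the post says Windows stores no LM hash for longer passwords
# Assumed alphabet sizes: LM upper-cases letters, so 26 + 10 digits + 32 symbols;
# a full keyboard with case preserved is 94 printable ASCII characters.
LM_ALPHABET, FULL_ALPHABET, LOWER_ALPHABET, HIGH_ASCII = 68, 94, 26, 255


def lm_halves(password: str) -> list[str]:
    """Pieces an attacker cracks independently; [] when LM cannot store it."""
    if len(password) > LM_MAX:
        return []
    pw = password.upper()
    return [pw[i:i + LM_HALF] for i in range(0, len(pw), LM_HALF)]


def lm_effort(password: str) -> int:
    """Worst-case candidates against the LM hash: the halves are separate
    puzzles, so their costs add instead of multiplying."""
    return sum(LM_ALPHABET ** len(h) for h in lm_halves(password))


def whole_effort(password: str, alphabet: int = FULL_ALPHABET) -> int:
    """Worst-case candidates if the password had to be guessed as one unit."""
    return alphabet ** len(password)


def myth10_keyspaces(keystrokes: int = 25) -> dict[str, int]:
    """Keyspace reachable with a fixed keystroke budget: 5 keys per ALT code
    (as the post counts them) versus 1 key per lower-case letter."""
    return {
        "high_ascii": HIGH_ASCII ** (keystrokes // 5),
        "lowercase": LOWER_ALPHABET ** keystrokes,
    }


if __name__ == "__main__":
    # Constructed sample: a 9-character password leaves a 7-char and a 2-char half.
    pw = "Secret9Pw"
    print(lm_halves(pw))                           # ['SECRET9', 'PW']
    print(f"LM effort   : {lm_effort(pw):,}")      # about 68**7; the 2-char half is noise
    print(f"whole effort: {whole_effort(pw):,}")   # 94**9, orders of magnitude larger
    print(lm_halves("a" * 15))                     # [] -> no LM hash, the Myth #3 escape
    print({k: f"{v:,}" for k, v in myth10_keyspaces().items()})
```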


those are all indeed correct, I am impressed with this article... though perhaps you shouldn't have pasted the entire thing in... :) Any password, really, though, is hackable... Yes, it does take a lot of processing power, but a hacker who is truly determined will leave it running for days or however long it needs... Some might just take months to crack... And you definitely want a password over 14 characters... that's not an optimal length... Or, even better, make it REALLY long, but still meaningful enough to remember... really though, if you're that worried about someone hacking into your computer, just keep the actual computer safe... anyways, nice stuff. I liked the explanation of why ALT+NUMS is not always best. A most decent article... But then again, most people don't even know what this stuff means...


Nice article, very specific and useful, though I already knew most of it; I am a little paranoid with the use of usernames and passwords when I configure LANs (LAN = Local Area Network).
And we can turn things even more confusing, but I just want to say something about how to use passwords:

- First choose a password with 8 characters minimum
- The password must be confusing even to yourself
- The password must not contain information related to yourself in any way
- The password must not contain names, just characters and numbers like: aA12Ht&%#)/H125
- The password must contain special characters, like: &%$#"!|??=)(/
- The password must contain uppercase and lowercase letters like: AaBcGtTjd
- You must not write down the password on paper or whatever
- You must not use the same passwords for everything
- You must not save the passwords in programs on your PC, but if you do, encrypt them with secure algorithms
- You must train to remember the passwords if you don't use a program to save your passwords with encryption
- If you have lots of passwords, write them on a paper and guard the paper "with your life"!


That is really helpful for when trying to develop a new password. I do indeed use my own Random Password Generator but I change the number of characters each time. Ya, I really don't think changing my password every 30 days will help because that is a lot of passwords to change and I probably wouldn't remember all of them, and then I'm stuck with totally different passwords for different things.

You must not use the same passwords for everything

I sort of do that but I change it up a bit and I still have some trouble remembering them. Although for things of higher importance I use high quality passwords. My email though I don't really use the same for each unless it's the one I sign up for everything with.


I do find it difficult at times to remember 1000 passwords. Yes, having multiple passwords is safe, but trying to remember them is hard. So what do you do to safeguard against password hacking? Open up Notepad, close your eyes, and click some keys. Add some capitals and numbers in there and you've got yourself a hard-to-crack password, and you can use the same one for a lot. As long as it is a STRONG password!


Nice article, very specific and useful, though I already knew most of it; I am a little paranoid with the use of usernames and passwords when I configure LANs (LAN = Local Area Network).
And we can turn things even more confusing, but I just want to say something about how to use passwords:

- First choose a password with 8 characters minimum
- The password must be confusing even to yourself
- The password must not contain information related to yourself in any way
- The password must not contain names, just characters and numbers like: aA12Ht&%#)/H125
- The password must contain special characters, like: &%$#"!|ť?=)(/
- The password must contain uppercase and lowercase letters like: AaBcGtTjd
- You must not write down the password on paper or whatever
- You must not use the same passwords for everything
- You must not save the passwords in programs on your PC, but if you do, encrypt them with secure algorithms
- You must train to remember the passwords if you don't use a program to save your passwords with encryption
- If you have lots of passwords, write them on a paper and guard the paper "with your life"!


Another trick that's been stressed to me by a few network administrators is to make your passwords sentences or phrases including upper and lowercase letters. This gives your passwords a little more logic (easier to remember) and if you're really good, you can work numbers or characters in there.

e.g.
1oclockTWOoclock3oclockROCK
or
tryNOT2stare@me


A nice article, adding some things new like the non-breaking space; I never knew there was such a thing. I am not really into such tight security whereby I change my password every 14 days; for me, I am into forums so I always leave my password at that. And for my wireless password, this is where I put a little more detail: 26 characters. It is really frightening to see hackers hack into your system, but of course unless they have an everlasting hatred for you, I am sure they have no reason to hack into your system unless they are complete idiots who want to spoil another person's life. However, hacking may actually be a good thing. I have seen so many cases of hackers being employed from prison and brought out into society. They hack big companies in a bid to find any vulnerabilities within the system so that they can fix it and make it even more secure. This is something which I appreciate about hackers: they find the security vulnerability so that you know it and you will have another layer of protection. A pity that till today, there are so many hackers who are making other people's lives miserable.
