-
January 31st, 2002, 12:53 AM
#1
hardening passwords
another thread got me thinkin about this...so here's my two line tut...
- ansi extended chars make for great choices in hardening passwords...
- press alt and numpad #'s to get the extended characters...
@w5G(╕78╔4»sZ▐s
take that l0pht...hehe
Here's em all...
I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
-
January 31st, 2002, 01:06 AM
#2
-
January 31st, 2002, 01:19 AM
#3
i follow the nsa pwd recommendations..
24 passwords remembered
maximum age 90 days
minimum 1 day
min length 12 char
complexity enabled...
you might wonder about the 90 days...reason is simple...if i give my users a complex password (i don't let them choose it...with complexity enabled...i think it hurts their little minds to figure out how to pick... ) i want them to remember it...asking them to remember a complex 12 char pwd that changes every 14 days...well it's likely less secure...they'd tend to write it down on the bottom of the keyboard or whatever...
i'd rather a strong pwd over a longer time that they can have time to memorize...than either a weak pwd or one that is susceptible to dumpsterdiving or other risks because the silly fools are writin pwds down all over the place...
-
February 8th, 2002, 04:30 PM
#4
when i posted this, i hadn't read this:
"One of the downfalls of L0phtcrack is that it can only crack 68 of the 256 possible characters in the ASCII character set. This enables the ability to create virtually "uncrackable" passwords."
from sans.org
which makes this technique even better than i thought...it's HIGHLY effective..in fact almost foolproof*...just don't forget your password
(*until someone finds a way around it...hehe)
-
February 8th, 2002, 10:59 PM
#5
Member
Yay I think that's a big problem: people forgetting their passwords.
Then of course you get all of those programs that "store your passwords for you".....oh real nice till someone gets hold of 'em. ;P
To be God is to be Root, if someone is irking you just type: rm -d /home/heathen
-
February 9th, 2002, 01:52 AM
#6
one small problem with the ansi extended char list:
Says:
alt + 191 = ¿
In truth:
alt + 191 = +
alt + 0191 = ¿
I've tested this on a few other chars, same holds true. Also tried in different programs.
If this is just for me, then I wish even more that I did not have to use winME.
otherwise, perhaps you should add something to indicate that.
EDITS:
This only seems to affect most numbers at 127 and over
What I'm finding in notepad:
alt+8 = backspace
alt+9 = tab
alt+10 = enter
alt+13 = enter
alt+15 = ¤
alt+20 = ¶
alt+21 = §
alt+22 = paste
alt+26 = pastes and highlights last characters erased
alt+127 = Block(filled)
alt+128 = Ç
man, this could go on forever.
btw, I mostly suspect that It's just the programs I'm using or winME, so please, don't take this offensively
Preliminary operational tests were inconclusive (the dang thing blew up)
"Ask not what the kernel can do for you, ask what you can do for the kernel!"
-
February 9th, 2002, 05:44 PM
#7
hmmm...yer right...i pulled the ansi list from m$ access help files...perhaps it's not so standard after all...i shall investigate further...
btw...for me alt+191 = ¦¤...not +...so go figure
alt+0191 does = ¢¯
however the main part of the post is still valid...extended chars make cracking tough...if not impossible...but...hmmm...i wonder if having different versions of ansi (if that's possible?) on a network could cause some major headaches...again...more research needed...
-
February 10th, 2002, 04:00 AM
#8
Junior Member
I use a notebook to store my passwords
not a lap top notebook, the paper one 
use a pencil too
change the passwords often
and never use the same pw twice
Valentino
-
February 10th, 2002, 05:10 AM
#9
I have noticed how hard it is to get people to use odd passwords, I've found it easier to force them on users....(course at first it is an administrative burden) once you get in the habit of doing it every so often (every 90 days) it ends up being as normal as checking logs (you DO check your logs right??)
and of course the user gets used to it... give em passwords like ¥BhK$^ß
nuff said... he he
~THEJRC~
I'll preach my pessimism right out loud to anyone that listens!
I'm not afraid to be alive.... I'm afraid to be alone.
-
February 15th, 2002, 09:54 PM
#10
Here's that additional info I promised...
the difference is that the original attachment i included was the Windows ANSI charset...NOT the extended ascii...which is what i meant to post...duh...
the full set can be found here
http://charlie.balch.org/asp/ascii.asp
this has html equiv's too...
I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
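The Alt+191 versus Alt+0191 discrepancy reported in post #6, and the mixed-charset question raised in post #7, worked through as an added example that is not part of any post in this thread. It assumes a US-English Windows system (OEM code page 437, ANSI code page 1252); the function names are hypothetical, and SHA-256 stands in for any scheme that hashes the raw password bytes.

```python
# Added example: constructed illustration, not code from the thread.
# Assumption: US-English Windows, OEM code page 437 and ANSI code page 1252.
import hashlib

OEM, ANSI = "cp437", "cp1252"

def alt_code(digits: str) -> str:
    """Character produced by holding Alt and typing `digits` on the numpad.

    No leading zero -> the value is looked up in the OEM code page.
    Leading zero    -> the value is looked up in the ANSI code page.
    Only 128-255 is modelled; printable ASCII is the same in both pages.
    """
    value = int(digits)
    if not 128 <= value <= 255:
        raise ValueError("only extended codes 128-255 are modelled")
    page = ANSI if digits.startswith("0") else OEM
    return bytes([value]).decode(page)

def encodable_in(password: str, pages=(OEM, ANSI, "utf-8")) -> dict:
    """Per code page: SHA-256 hex of the encoded password, or None if the
    password contains a character that page cannot represent."""
    out = {}
    for page in pages:
        try:
            out[page] = hashlib.sha256(password.encode(page)).hexdigest()
        except UnicodeEncodeError:
            out[page] = None
    return out

def reinterpret(password: str, typed_as: str = OEM, read_as: str = ANSI) -> str:
    """Same bytes, different code page: what the other side believes was typed."""
    return password.encode(typed_as).decode(read_as)

if __name__ == "__main__":
    for code in ("191", "0191", "128", "0128"):
        print(f"alt+{code:<5}= {alt_code(code)}")
    pw = "@w5G(╕78╔4»sZ▐s"  # the sample password from the first post
    for page, digest in encodable_in(pw).items():
        print(f"{page:7} {digest[:16] + '...' if digest else 'cannot encode'}")
    print("cp437 bytes read as cp1252:", reinterpret(pw))
```

A password built from box-drawing characters is only usable where every system between the keyboard and the password store agrees on the code page; where one does not, the stored bytes differ and the login fails even though the user typed the same keys.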