Security Adviser | Roger A. Grimes » Jesper Johansson responds to my Password Size column

July 27, 2006

Jesper Johansson responds to my Password Size column

Dr. Jesper Johansson of Microsoft agrees with my password length argument, with caveats.

Dr. Johansson is one of Microsoft's chief security architects. In my recent column on password length (http://www.infoworld.com/article/06/07/21/30OPsecadvise_1.html), and in multiple public mailing list emails, I mentioned his previous papers (http://www.microsoft.com/technet/community/columns/secmgmt/sm1004.mspx). I have read his three papers on passphrases vs. passwords many times. I had concluded that Dr. J (as many of us call him) strongly supported shorter complex passwords over non-complex passphrases.

Here's Dr. Johansson's reply:

"I think you misquoted me a bit. I've said a lot that there is nothing more important than adding length. Check the password guidance page attached to the MS password checker. I think I was pretty clear about it there. Pass phrases can be very strong, if you have a big enough vocabulary and use enough words, but I think you have to be very conservative in any recommendation and assume the bad guys will use pass phrase attack tools should pass phrases become common enough. Overall, I think we really are in pretty violent agreement."

He shared with me a few things he and Microsoft are working on regarding password strength that will end up in future products. I can only say that his work is one of the few looking at the problem in depth, mathematically and in practice, and the outcome will lead to much stronger default passwords that are appropriate for the businesses being protected.

Also, if you haven't done so yet, take a look at his article on Windows password hashes, authentication, and SMB in the latest issue of Microsoft's TechNet magazine. It's the most comprehensive and best researched article I've ever read.

Anything Dr. J writes should be a must read for Windows administrators.

Posted by Roger Grimes on July 27, 2006 06:37 AM

