Robert Hensing has written a very interesting and controversial article in which he recommends not using passwords of any kind on a Windows network.
Why, you ask? Because passwords are very easily cracked, and worms such as Agobot / Phatbot / Polybot / SDBot / RBot / etc. ship with boat-loads of password dictionaries. Not to mention that automated or human attackers don’t even need to guess the password: plenty of hacking tools let a miscreant sniff your network traffic, capture the authentication material for the LM, NTLM and Kerberos protocols, and then brute-force that material back into a working password. You can try to protect the network with segmentation, encryption (IPSec etc.) and even 802.1x, but really these just work around the inherent vulnerability in your network, which is the password itself.
So what is the solution? Instead of using passwords, you should try to use pass-PHRASES. What is a pass-phrase? To quote Robert: “Let’s take a look at some of my recent pass-phrases that I’ve used inside Microsoft for my ‘password’:
- “If we weren’t all crazy we would go insane” (Jimmy Buffett rules)
- “Send the pain below!” (I like Chevelle too)
- “Mean people suck!” (it’s true)”
Pass-phrases are great because they meet all password complexity requirements, they are easy to remember, and, even with the most advanced hardware, you are not going to guess, crack, brute-force or pre-compute them in the 70 days or so that each one was in use (remember, a password only needs to survive attack long enough for you to change it).
So, is that the real solution? What about two-factor authentication, say a SafeWord token or smart-card in addition to your password (always)? Is that good enough? What do you think? Also, read the original article; there are many interesting comments there.
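To put some numbers behind the argument above, here is a small added example (my own code, not from Robert’s article) that checks a candidate against a simplified form of the default Windows complexity policy, notes whether the weak LM hash would even be stored for it, and estimates how long exhaustive search would take at an assumed rate of a billion guesses per second.

```python
# Sizes of the four character categories used below, taken from printable
# ASCII (95 symbols: 26 upper, 26 lower, 10 digits, 33 punctuation/space).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "other": 33}

def char_classes(pw: str) -> set:
    """Return the character categories present in pw."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:  # punctuation and whitespace both count as non-alphanumeric here
            classes.add("other")
    return classes

def meets_windows_complexity(pw: str, min_length: int = 6) -> bool:
    """Simplified check of the default Windows complexity policy: at least
    min_length characters drawn from at least three categories (the real
    policy also rejects passwords containing the account name)."""
    return len(pw) >= min_length and len(char_classes(pw)) >= 3

def lm_hash_stored(pw: str) -> bool:
    """Windows only computes the weak LM hash for passwords of 14 characters
    or fewer, so a longer pass-phrase has no LM hash to capture or crack."""
    return len(pw) <= 14

def brute_force_days(length: int, alphabet_size: int, guesses_per_sec: float) -> float:
    """Expected days to exhaust alphabet_size**length candidates at the given
    rate (on average half the keyspace must be tried before the hit)."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_sec / 86400

def assess(pw: str, guesses_per_sec: float = 1e9) -> dict:
    """Summarise complexity, LM exposure and brute-force cost for pw, assuming
    the attacker already knows which character categories are in use."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return {
        "complex": meets_windows_complexity(pw),
        "lm_hash": lm_hash_stored(pw),
        "days": brute_force_days(len(pw), alphabet, guesses_per_sec),
    }

if __name__ == "__main__":
    for pw in ("Passw0rd", "Mean people suck!"):  # constructed sample inputs
        print(pw, assess(pw))
```

The guess rate is an assumption for illustration; the point is the ratio between the two results, which grows with every character the pass-phrase adds.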

Tags: .geek