Using Password Phrases For Better Security
Did you know that Windows supports using passwords of up to 127 characters? I don't use passwords anymore, and I haven't for years. I've switched to using password phrases instead.
Why do I use password phrases?
- Why would you want to remember a password like 2%d7as$d when you could just remember a sentence like "nsync sucks giant monkey balls" or "I hate my ex-wife!" or "Holy hell does this job suck!"
- You can use uppercase, lowercase, special characters, or even spaces… but you are using them in context, which makes it much more natural to remember.
- Post-it notes on your monitor are not secure. Sorry.
- Even the most efficient forms of password cracking, using pre-computed rainbow tables, will never be able to crack a password with 20 or more characters.
These days, windows passwords can be cracked in no more than a few seconds. If somebody can get physical access to your machine, they can boot off one of the hacker tool cds available all over the internet, and they will typically have your password in seconds, if they know what they are doing.
Even with brute force cracking, there is no possible way that you can crack a password that long. Even if somebody had the super computing power to do so, hopefully you change your password every few months or so.
It may be difficult to use password phrases on other operating systems, or especially on websites, because they don't properly handle spaces in the password, or have a small password length limit. One of the tricks that I usually do is use a password phrase without the spaces, if I possibly can.
So go change your password now.
Note: For more information on this topic, you can check out Robert Hensing's blog over at Technet.
If I actually had physical access to the machine, I could have any password in seconds, no matter what it is. Actually, more precisely I could reset the password in seconds. This is because NT keeps passwords in a special encrypted file on disk. People who know what they're doing (and who have a *nix based live cd) can access this file fairly easily and edit it directly. Then, you boot to the OS and login to the aforementioned account using the new password.
Moral of the story? The most secure password in the world will not save you from someone who has physical access to the computer (unless you've actually protected the BIOS or use biometric authentication, in which case it gets a little more complex).
How right you are, Daniel. I'm just trying to advocate better passwords =)
Actually full disk encryption will prevent this mode of attack as you need the pre-boot password in order to access the file on the HD. Even yanking the drive and installing it on another computer will not allow access.
However, you'd better have a safe and secure way to save/recover the pre-boot password or you will lose all your data for good.
Please, show us how you will edit the windows encrypted password file when booting into edu-nix.
IIRC, in WinXP, you could 'safe boot' into a hidden ADMINISTRATOR account. from there you could delete other peoples passwords, and make new ones, too.
is this vulnerability still in WinVista?