Warning: The Content in this Article May be Inaccurate
Readers have reported that this story contains information that may not be accurate.
78 Comments
- laplie, on 10/12/2007, -1/+41
My password is 12345. It's easy to remember, and it matches the combination on my suitcase
- Toon, on 10/12/2007, -1/+40
I realized it was pretty old when I read the line, "Don't base your passwords on your favorite Color Me Badd lyrics."
I also take that with a grain of salt, though, since nobody knows just how many 'o's are in my password "ooooooooooohIWannaSexYouUp".
- Toon, on 10/12/2007, -2/+33
Guys, that last post was mine. I've since had to make a new account. Somebody broke into mine.
- UncommonSense, on 10/12/2007, -2/+22
Myth #2. Dj#wP3M$c is a Great Password
Crap. And I thought no one knew.
- inactive, on 10/12/2007, -0/+18
Using ophcrack, I can get non-LM Windows passwords in about five minutes.
- technique, on 10/12/2007, -1/+18
...until you lose your usb key
- pcgeek101, on 10/12/2007, -6/+22
Ok, what about this has to do with Windows other than the LM hash (which, mind you, can be disabled via Local and/or Group Policy). On modern systems without anything older than Windows 2000, the LM hash can safely be disabled. So beyond that, why the attack on Windows?
- i440, on 10/12/2007, -9/+24
Misconception #11: You entered your password into a secure system.
- fatdog789, on 10/12/2007, -6/+17
Misconception #12: Believing Misconception #11.
- Shazam999, on 10/12/2007, -2/+13
At one place I worked at, the most popular passwords were:
jan2005
feb2005
mar2005
apr2005
may2005
etc...
because of the 30 day policy. Man, I had so much fun using other people's accounts :)
- pcgeek101, on 10/12/2007, -7/+16
By the way, I marked this as inaccurate because of its age. 4 years is pushing it
- Araxen, on 10/12/2007, -0/+9
I've always thought the 30 days and your password expires rule is stupid. It just forces users to create very simple passwords so they don't forget them as they have to change them every 30 days.
I have to keep track of some 15+ passwords at the place I work at for myself and if they made me change them every 30 days it would be ridiculous.
- daedalus01, on 10/12/2007, -2/+11
I think it was in Spaceballs before Scrubs...
President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!
Dark Helmet: Yes, sir!
President Skroob: And change the combination on my luggage!
- sinfree, on 10/12/2007, -1/+8
I administer an official shame-on-you to everyone who went and tried to login to laplie's account using 12345 as the password.
- terrenceshaw, on 10/12/2007, -1/+7
Some nice points, I hate to admit that I use the same password plus a number since it changes every 30 days.
- FluffyArmada, on 10/12/2007, -1/+7
Sharing is caring!
- cricketsymphony, on 10/12/2007, -5/+10
I half expected the link to go to be some photo mosaic of millions of naked women.
speaking of which...
http://hublog.hubmed.org/images/gashcroft.jpg
(source: http://hublog.hubmed.org/archives/000778.html)
- sanjay, on 10/12/2007, -1/+6
I totally agree!
at my workplace they have a rule of changing the windows password every 14 days!
which is a big pain in the ass mainly coz of the password rules vis-a-vis:
1>no fragment of last password
2>not same as last 5 passwords
3>contains at least 1 special char, 1 numeric, 1 small and 1 caps alphas and has minimum of 8 letters!~
and it gets really buggy when after just 9 days of my changing the passwd it reminds me that my password will expire in 5 days! what crap?!
i have been using passwords like g00Gle@329....just cycling between my fav'te companies and writing them in different g4m4r style to confirm them to the security...
but just 1 week of break and bam! i forget which was the company i had last kept....
was it apple or google or ATI?
and guess what, after 3 wrong tries your account gets locked!
yup, lemme repeat myself
"PAIN IN THE ASS"!!!!!
- kb9vgr, on 10/12/2007, -3/+7
space balls yes
- plueken, on 10/12/2007, -1/+5
Personally, my favorite password is for my business's account system. In the beginning, I had a simple password that I will call "charlie" here, since I didn't care to be particularly careful or secretive. Later I decided to change it to "charlie1", so I could feel slightly more complex. Then I discovered that the system doesn't care about the numerals at the end of the password.
When I had to change the password due to security reasons, I changed it to "charlie2". The password officially changed and the system stopped bugging me, but I could continue to log on with charlie1, so I didn't even have to reconfigure my email client to reflect the new password.
Sometimes for fun, I just sit down and type in charlie1231492352342345324, and give onlookers the feeling that I have the world's most secure (and mostly numeric) password ever, after they realize that the password I just typed in actually works.
What a secure system....
- frogpelt, on 10/12/2007, -1/+5
[Reported by Diggers as Possibly Inaccurate]
- izomiac, on 10/12/2007, -1/+4
I think what he meant was if the op lost his USB key he'd be unable to remember any of his passwords. Even if it was backed-up (an obvious thing to do in this case), if he lost it while on a trip or something he'd be kinda screwed.
I used to do that myself, until I broke the connector off my USB key (and have been lazy about soldering it back on). Now I keep a 26 x 26 matrix of random letters and numbers on a small sheet of paper in my wallet. Each row & column is labeled with a letter, and each of the 8 directions is labeled with 3 or 4 letters. On the back is a list of words like "box8", "realbox12", and "win32". The first and second letters tell me the column and row of the first letter of the password, and the third tells me its orientation in the matrix. The number is the length. The words also remind me of what each password is for. So my passwords are fairly random, I keep the sheet in my wallet, and if my wallet were stolen chances are that the thief would have no idea what that was or how to read it. Plus, since I have to manually type the passwords I have my most common ones memorized just from using them.
- paulius, on 10/12/2007, -1/+4
I don't think that losing it would matter. The finder wouldn't know his PGP password to actually have access to the password. And the owner of that key would probably create a lot of backups everywhere. Servers, CD-ROM, computers, etc.
Because nobody has access to them without knowing the master password, it doesn't matter where it resides.
- zootm, on 10/12/2007, -1/+4
Misconception #13: Any system is secure.
- fatdog789, on 10/12/2007, -7/+9
My favorite was when the article contradicted itself...repeatedly.
Marked as inaccurate.
- TylerDurden0, on 10/12/2007, -0/+2
Is that your mother or your wife?
- dubbin, on 10/12/2007, -0/+2
The best passwords are ones that use non-words, such as "strenth".
- dacheetah, on 10/12/2007, -1/+3
At uni it is required that we change our account passwords regularly, it gets annoying, but it doesn't seem to mind me changing the password back as soon as it's changed. No-one knows my password, it's a rather long, rather complex password, and there isn't really much cause for anyone to try to get my password, as such I'm not too worried about using the same password indefinitely, it saves a lot of trouble since my memory is like a sieve.
- spyrochaete, on 10/12/2007, -2/+4
Unless you want to crack Windows 2003 the article is newer than all other MS OSes. Password encryption hasn't changed in any current or legacy OSes or NOSes.
- Desolite, on 10/12/2007, -1/+3
i think the most secure part of my computer is the fact that its locked in my room locked in my house... and the fact that theres nothing good on it anyway
- starquake, on 10/12/2007, -0/+2
or so he said...
myth #11 it's safe to give passwords to trusted people
- FluffyArmada, on 10/12/2007, -2/+4
off topic much?
- wistar, on 10/12/2007, -0/+1
It's about 70 or so days where I connect. Pain. It does cause me to have to think hard about password themes, mnemonics, etc., whatever works to allow me to create a memorable password that passes the complexity rules and contains no fragments of the prior password.
I find that if I immediately use the password a few times it sticks.
- leapingfrog, on 10/12/2007, -0/+1
"While [random passwords] may in fact be strong passwords, they are usually difficult to remember, slow to type, and sometimes vulnerable to attacks against the password generating algorithm."
The great thing about random passwords is if you need to tell anyone your password, they forget it immediately. For example, a friend needed to login to my computer yesterday. I told him the password, and he forgot it immediately...
- inactive, on 10/12/2007, -0/+1
the best advice i think is somehting you remember easily yet nobody wuld guess,
also i dont think ophcrack can crack pass longer then 15 caracters so wuld about just running your hand acros the keys like 1234567890qwertyuio there that took two seconds to type in and is easy to remember and is uncrackable
- bitswapper, on 10/12/2007, -0/+1
Google for FIPS-181 for good password generation code. Not perfect, but good for memorable hard to guess passwords.
- FluffyArmada, on 10/12/2007, -1/+2
So... is a pass-paragraph a bad thing? Am I screwed? Am I the only person that has a few lines out of a Shakespearean play as his password? :) [ I actually choose a different book every week... and just in case I forget, I have a special password bookmark which will indicate to *me* (and now the rest of the digg community) which book has my password in it. :) ]
- Skeithy, on 10/12/2007, -1/+2
Using alternate capitals, and replacing words with shorthand, numbers, and symbols could create a nearly unbreakable password. Who'd a thought taking any conversation from any person on aim could net you the ultimate password.
- socokoolaid, on 10/12/2007, -0/+1
The myth 2 was just saying that password generator algorithms could be known, making the complex looking password nothing more than a common algorithm. That wasn't a contradiction.
- zdiggler, on 10/12/2007, -0/+1
I don't know if you guys have wildblue or not. Their portal when you log in your username and password show up briefly on the URL bar. If you set it to remember it show up on webserver log of last visited webserver.
- socokoolaid, on 10/12/2007, -0/+1
Despite the article's age, I believe it has some good information. I don't believe it contradicted itself. I think I definitely learned a few things, even being a hard core password user. I personally didn't realize you could use spaces in Windows passwords and found the LanMan hash info about more than 14 characters pretty interesting. Dugg.
- Jonsey, on 10/12/2007, -0/+1
A very good read, my password probably isn't the best, should work on it.
Also, another tip, try not to use the same password for every website, namely using another password for other slightly "sketchy" sites, often they are stored in plain text, and anyone who runs that site can easily get your password.
- welshie, on 10/12/2007, -0/+1
Windows and cached credentials: Have you ever tried taking a laptop that is part of a domain off the network for a long period, then having your domain password expire while you're away from the office network. It won't let you log in, to be able to log in and fire up the VPN to re-authenticate. Chicken meet egg.
- betona, on 10/12/2007, -1/+2
My former employer required frequent changes to login, so I finally took my password and added a counter to the end of it so that it was password 22, then password23, etc. I got up to number 43 in 7 years--there's no way I could've kept up with that many completely different ones.
- davdav, on 10/12/2007, -0/+1
doiop.com/pass
- moisie, on 10/12/2007, -1/+2
I have a site I use at work and it forces me to change every 30 days and won't let me use an old password again. As a result I just increment the number by one each time. It's not a site with any data I value so I don't care, when I queried this they said it was the most secure way ie someone told them it was and they know no different. They also force me to use IE for no reason, I told them I prefer to use another browser out of security concerns to which the reply was that their site used https so was totally secure. I tried to point out that even if that was 100% true, I wasn't worried about their site, I was worried about IE. Apparently everyone uses IE since it's the best you can get and is what is recommended by Microsoft.
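Added example (not part of the thread, and not code from the article or any commenter): the rotation habits described in several comments above (jan2005/feb2005, a counter appended to the same password, charlie1/charlie2) can be detected when a password is changed. The function names, the stripping rule and the sample history in this Python are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Digit runs and stand-alone month abbreviations: the parts users rotate.
_ROTATING = re.compile(
    r"\d+|(?<![a-z])(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)(?![a-z])"
)
ITERATIONS = 50_000  # example work factor, not a recommendation


def stem(password):
    """Lower-case the password and drop its rotating parts."""
    return _ROTATING.sub("", password.lower())


def is_rotation(current, new):
    """True when `new` differs from `current` only in case, digits or month name."""
    return current != new and stem(current) == stem(new)


def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def counter_variants(new, span=3):
    """`new`, its digit-free base, and the `span` counters just below its own."""
    m = re.search(r"\d+$", new)
    if not m:
        return [new]
    base, n, width = new[: m.start()], int(m.group()), len(m.group())
    lower = [base + str(k).zfill(width) for k in range(max(n - span, 0), n)]
    return [new, base] + lower


def matches_history(new, history):
    """Check `new` and its counter variants against salted hashes of old passwords."""
    return any(
        hmac.compare_digest(hash_pw(candidate, salt), digest)
        for candidate in counter_variants(new)
        for salt, digest in history
    )


# Constructed sample data: a history holding only salted hashes.
_salts = [os.urandom(16) for _ in range(2)]
HISTORY = [(s, hash_pw(p, s)) for s, p in zip(_salts, ["password21", "password22"])]
```

`is_rotation` needs the current password in plaintext, which the user supplies when changing it; `matches_history` works against stored hashes only, by re-deriving the likely predecessors of the new password.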
- Adoozie, on 10/12/2007, -0/+1
Since I didn't realize the article was so old, I'll repost a comment here that I posted there:
While most of the advice here is good, some of it is just garbage.
Using familiar structures like phone numbers, file paths, or emails is a great way to improve the likelihood that your password can be guessed -- not cracked, just GUESSED. After a couple of days of use, a skilled typist can enter Dj#wP3M$c just as fast as anything else.
The example of replacing "j0hn" with "j()hn" is a terrible one. If a cracker is going around replacing o with 0, why wouldn't they also replace o with ()? Parentheses are hardly any more unpredictable than numbers are. Better to stay away from names and words (or words with a few simple substitutions) entirely.
- kimgh, on 10/12/2007, -1/+2
Man! If you spell your password like that para, you're safe from a dictionary attack!
- gsmithEIDW, on 10/12/2007, -0/+1
yes but that backup shouldn't be your only backup! Of course you should have a backup that you don't carry with you as well. Good backup policies should always include such things as offline backup and a fireproof safe etc etc. But I think that's obvious to most digg readers.
If a mugger takes both your flash keys, the data is encrypted so there's no data loss, only loss of the flash drives themselves. The reason for a second backup key is say if you're away at a conference and have a presentation on your flash drive and you lose it - you're in trouble. But if you had a second drive with you - say in your hotel room or something. That would be a lot easier than trying to get the data from a backup tape back at home or at the office which could be hundreds of miles away.
- froz3ntear, on 10/12/2007, -0/+1
The list for 8000 words that alternate between left and right hands isn't working. Does anyone have the list? I'm interested in it! lol.