Why you shouldn't be using passwords of any kind on your Windows networks

Robert Hensing has written a very interesting and controversial article in which he recommends not using passwords of any kind on a Windows network.

Why, you ask? Because passwords are easily cracked, and worms such as Agobot / Phatbot / Polybot / SDBot / RBot / etc. ship with boat-loads of password dictionaries. Automated and human attackers often don't even need to guess the password: plenty of hacking tools let a miscreant sniff your network traffic, capture the authentication material for the LM, NTLM and Kerberos protocols, and then brute-force that material offline back into a working password. You can try to protect the network with segmentation, encryption (IPsec etc.) and even 802.1X, but these only work around the inherent vulnerability in your network, which is the password itself.

So what is the solution? Instead of passwords, you should use pass-PHRASES. What is a pass-phrase? To quote Robert: “Let’s take a look at some of my recent pass-phrases that I’ve used inside Microsoft for my ‘password’:

  • “If we weren’t all crazy we would go insane” (Jimmy Buffett rules)
  • “Send the pain below!” (I like Chevelle too)
  • “Mean people suck!” (it’s true)”

Pass-phrases are great because they meet all password complexity requirements, they are easy to remember, and even with the most advanced hardware nobody is going to guess, crack, brute-force or pre-compute one in the 70 days or so that it is in use (remember, the password only needs to survive attack long enough for you to change it). One practical check: keep the pass-phrase longer than 14 characters, because Windows only stores the LM hash for passwords of 14 characters or fewer, and LM is the weakest of the three authentication schemes listed above.
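To make the rotation-window argument concrete, here is an added example (not from the original post or from Robert Hensing's article) that audits a candidate secret the way a domain admin would want to: it estimates how many days an exhaustive search of its character space would take at an assumed guess rate, applies the Windows complexity rule, checks a constructed mini dictionary standing in for the word-lists the bots ship with, and flags anything of 14 characters or fewer because Windows keeps the LM hash for those. The guess rate, the word-list and the 70-day window are assumptions chosen for illustration; plug in your own figures.

```python
"""
Audit a candidate password or pass-phrase against the rotation-window
argument: how long would an exhaustive search take, and which Windows
specific weaknesses does it carry?  Added example; not code from the
original post or from Robert Hensing's article.
"""
import math
import string

# Character classes counted by the Windows "complexity" policy (3 of 4 required).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Constructed mini word-list standing in for the dictionaries bots ship with.
WORDLIST = {"password", "admin", "letmein", "123456", "summer2004", "password1"}

# Assumed attacker guess rate (guesses per second); not a measurement.
ASSUMED_GUESSES_PER_SEC = 1e9


def classes_used(secret):
    """Return the names of the character classes present in `secret`."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in secret)}


def meets_complexity(secret):
    """Windows complexity rule: at least 6 characters drawn from 3 of the 4 classes."""
    return len(secret) >= 6 and len(classes_used(secret)) >= 3


def alphabet_size(secret):
    """Alphabet an attacker who knows only the classes in use must search."""
    return sum(len(CLASSES[name]) for name in classes_used(secret))


def keyspace(secret):
    """Number of candidates of this length over this alphabet (exact integer)."""
    return alphabet_size(secret) ** len(secret)


def expected_crack_days(secret, guesses_per_sec=ASSUMED_GUESSES_PER_SEC):
    """Expected days to hit the secret: half the keyspace at the given rate.

    Computed in log space so a very long pass-phrase does not overflow a float;
    a keyspace beyond float range is reported as infinity.
    """
    alphabet = alphabet_size(secret)
    if alphabet == 0:
        return 0.0
    log_seconds = (len(secret) * math.log(alphabet)
                   - math.log(2) - math.log(guesses_per_sec))
    try:
        return math.exp(log_seconds) / 86400
    except OverflowError:
        return math.inf


def audit(secret, rotation_days=70, guesses_per_sec=ASSUMED_GUESSES_PER_SEC):
    """Return the list of problems found; an empty list means the secret passes."""
    problems = []
    if secret.lower() in WORDLIST:
        problems.append("in dictionary")
    # Windows keeps the weak LM hash for passwords of 14 characters or fewer.
    if len(secret) <= 14:
        problems.append("LM hash stored (14 chars or fewer)")
    if not meets_complexity(secret):
        problems.append("fails complexity")
    if expected_crack_days(secret, guesses_per_sec) < rotation_days:
        problems.append("brute-forceable within rotation window")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer04", "password", "Mean people suck!"]:
        days = expected_crack_days(candidate)
        print(f"{candidate!r}: ~{days:.3g} days to exhaust; "
              f"problems: {audit(candidate) or 'none'}")
```

Running the block shows the gap the post is pointing at: an eight-character "complex" password like `Summer04` meets the policy yet exhausts in about a day at the assumed rate and still leaves an LM hash behind, while `Mean people suck!` clears every check by a margin measured in ages of the universe.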

So, is that the real solution? What about two-factor authentication, say a SafeWord token or smart-card in addition to your password (always); is that good enough? What do you think? Also, read the original article; there are many interesting comments there.

Published by

Amit Bahree
