Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-04-23 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft helps you choose ?good passwords?.

Published: 2006-04-24
Last Updated: 2006-04-24 14:26:31 UTC
by donald smith (Version: 2)
0 comment(s)
Microsoft recently released a link to help you choose "good passwords"
http://www.microsoft.com/athome/security/privacy/password_checker.mspx

In my opinion they did some things good and some things bad.

BAD teaching people to type their password into a website is not a good idea.
It violates most corporation's security policies.

GOOD it's a javascript that appears to run locally so your password is never sent over the internet. This could change at anytime so I would not recommend you type your password into it.

BAD the Javascript doesn't appear to check for repeated chars and other weak passwords generation tricks. It determines the strength based solely on the mix of char sets and the length of password. It appears they use four sets of characters:
Numbers, lower case letters, upper case letters and special.
alpha = [ a-z ]
UPPER = [ A-Z ]
num = [ 0-9 ]
special = not [ alpha | UPPER | num ]

GOOD They didn't include a dictionary or brute force lookup tool.
There are plenty of them on the net and inclusion would have meant downloading huge dictionaries or sending the password to a system on the net for testing. If Microsoft has compiled a dictionary with a high rate for passwords I don't want them to publish it!
My personal recommendation for dictionary or brute force password checking is to do it on a STANDALONE system and protect the output at the highest level of any data in your corporation.

GOOD their suggestions here are good.
http://www.microsoft.com/athome/security/privacy/password.mspx

This appears to be the basic pattern for this java password testing tool.
Any combination of chars from JUST one of these sets (UPPER, alpha, num, special) is weak.
7 or less chars from any mixture of sets is weak.
7 or more of one set plus one from a different set is medium.
8 chars with at least one element from 3 different sets is strong.
14 chars or more with at least one element from at least 3 of the sets is best.
Even if that's 12 a's, 1, and ! (shifted 1).

My recommendations: Don't use the Microsoft javascript password testing tool or anyone's online password testing tool. Choose good passwords. Microsoft's recommendations for choosing good passwords is pretty good.
Keywords:
0 comment(s)
Diary Archives