
SANS ISC: Microsoft helps you choose “good passwords”. - Internet Security | DShield SANS ISC InfoSec Forums


Microsoft helps you choose “good passwords”.
Microsoft recently released a link to help you choose "good passwords"
http://www.microsoft.com/athome/security/privacy/password_checker.mspx

In my opinion they got some things right and some things wrong.

BAD Teaching people to type their password into a website is not a good idea.
It violates most corporations' security policies.

GOOD It is a Java applet that appears to run locally, so your password is never sent over the Internet. This could change at any time, so I would still not recommend typing your real password into it.

BAD The Java applet doesn't appear to check for repeated characters or other weak password-generation tricks. It determines strength based solely on the mix of character sets and the length of the password. It appears they use four sets of characters:
Numbers, lower case letters, upper case letters and special.
alpha = [ a-z ]
UPPER = [ A-Z ]
num = [ 0-9 ]
special = not [ alpha | UPPER | num ]

GOOD They didn't include a dictionary or brute-force lookup tool.
There are plenty of them on the net, and including one would have meant either downloading huge dictionaries or sending the password to a system on the net for testing. If Microsoft has compiled a dictionary with a high hit rate for real passwords, I don't want them to publish it!
My personal recommendation for dictionary or brute-force password checking is to do it on a STANDALONE system and protect the output at the highest level of any data in your corporation.

GOOD Their suggestions for choosing passwords here are good.
http://www.microsoft.com/athome/security/privacy/password.mspx

This appears to be the basic pattern for this Java password testing tool.
Any combination of chars from JUST one of these sets (UPPER, alpha, num, special) is weak.
7 or fewer chars from any mixture of sets is weak.
7 or more chars from one set plus one char from a different set is medium.
8 chars with at least one element from 3 different sets is strong.
14 chars or more with at least one element from at least 3 of the sets is best.
Even if that is twelve a's, a 1 and a ! (shift-1).
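To make the point concrete, here is an added example (my own reconstruction for this diary, not Microsoft's applet code or anything published by them) that implements the length-plus-character-set rating inferred above and then runs the checks the applet skips: repeated-character runs, low character diversity and an offline dictionary lookup of the kind recommended for a standalone system. The exact rule ordering for the 8-to-13-character cases, the run and diversity thresholds, and the tiny wordlist are all assumptions made for the demo.

```python
"""Reconstructed rating rules for Microsoft's password checker (as inferred
in the diary) beside the checks it does not perform. Example code written
for this page; thresholds, rule ordering and the wordlist are assumptions."""

import re


def char_sets_used(pw: str) -> int:
    """Count how many of the four sets appear: alpha, UPPER, num, special.
    Per the diary, 'special' is anything that is not in the other three."""
    lower = any("a" <= c <= "z" for c in pw)
    upper = any("A" <= c <= "Z" for c in pw)
    num = any("0" <= c <= "9" for c in pw)
    special = any(
        not ("a" <= c <= "z" or "A" <= c <= "Z" or "0" <= c <= "9") for c in pw
    )
    return sum([lower, upper, num, special])


def ms_rating(pw: str) -> str:
    """Rating based only on length and set mix, following the diary's list.
    Ordering of the 8-13 character cases is an assumption."""
    n = len(pw)
    sets = char_sets_used(pw)
    if n <= 7 or sets <= 1:      # one set only, or 7 or fewer chars
        return "weak"
    if sets == 2:                # 8+ chars from two sets
        return "medium"
    if n >= 14:                  # 14+ chars, 3 or more sets
        return "best"
    return "strong"              # 8-13 chars, 3 or more sets


# Constructed wordlist for the demo only; a real check would load a large
# dictionary on a standalone system, as the diary recommends.
DEMO_WORDLIST = {"password", "welcome", "letmein", "monkey"}


def extra_checks(pw: str, wordlist=DEMO_WORDLIST, max_run: int = 2) -> list:
    """Checks the applet lacks. Returns a list of human-readable findings."""
    findings = []
    # Longest run of one repeated character, e.g. 'aaaaaaaaaaaa' in the
    # diary's 14-character example.
    longest = max((len(m.group(0)) for m in re.finditer(r"(.)\1*", pw)), default=0)
    if longest > max_run:
        findings.append(f"repeated character run of {longest}")
    # Too few distinct characters for the length (threshold is an assumption).
    distinct = len(set(pw))
    if distinct < max(3, len(pw) // 2):
        findings.append(f"only {distinct} distinct characters")
    # Strip digits and symbols, lower-case, and look the core up offline.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in wordlist:
        findings.append(f"dictionary word '{core}' with digits/symbols stripped")
    return findings


def rate(pw: str):
    """Length/set rating next to the findings the applet would miss."""
    return ms_rating(pw), extra_checks(pw)


if __name__ == "__main__":
    for candidate in ["a" * 12 + "1!", "Password1!", "abcdeF1!"]:
        print(repr(candidate), rate(candidate))
```

Running it shows the gap the diary describes: twelve a's plus `1!` is rated "best" by the length-and-set rule yet fails both the repeated-run and diversity checks, and `Password1!` rates "strong" while the offline lookup flags it as a dictionary word.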

My recommendations: Don't use the Microsoft Java password testing tool or anyone else's online password testing tool. Choose good passwords. Microsoft's recommendations for choosing good passwords are pretty good.
donald

ISC Handler
