A common habit when choosing a "secure" password is to pick a word, swap a few of its characters around, and believe the result is a good password. Take the word 'password': we might be tempted to turn it into a complex password by mixing upper case, lower case, special characters and numbers, resulting in Pa$$w0rd. This complies with an 8-character complex password policy, yet the standard character-substitution rules in a cracking tool derive it from 'password' in an instant.

To make matters worse, the IT department may insist on us changing our password every 30 or 40 days. This encourages us to pick a simple, short-term memorable password built from an acquaintance's name and a date. If, for example, we have a friend named Mary who we know was born on 10 December 1995, we could use the password Mary10Dec1995. This complies with the Microsoft complexity policy, which requires three of the four character types (upper case, lower case, numbers and special characters), but a quick look at the user's social media pages exposes exactly such a password.

So, what should we do? At work, the password policy is set by your domain administrator. Your admin may require a complex ten-character password, but nothing stops you from going well beyond that. A password longer than 14 characters is harder for an attacker to recover from a compromised computer without a keylogger, because the old LAN Manager (LM) hash is only ever computed for passwords of 14 characters or fewer; for anything longer, Windows stores a fixed dummy LM hash that cannot be cracked or used to authenticate. Be clear about what this does and does not buy you: the NT hash used by NTLM is still stored for a password of any length, so length does not prevent pass-the-hash, but it does make offline cracking of that hash vastly slower. Since Windows Vista and Server 2008 the LM hash is not stored at all by default (the NoLMHash setting), and the only thing lost with it is the ability to authenticate to LM-only clients such as NT4/Windows 98 machines, which these days would be pretty rare.

For users, then: create a passphrase. A passphrase such as 'I have 2 pets, a cat named Fluffy and a dog named Woofy' would take a lot longer to crack, as it has 55 characters, and it still complies with the complexity requirements (the spaces and the comma count as special characters). We would, of course, not use the real names of our pets; this is just an example of how we can formulate our passwords.
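The three passwords above all satisfy the Windows complexity filter, and that is the point: the filter measures character mix, not guessability. The following PowerShell is an added example and not code from the original post. It implements the documented "Password must meet complexity requirements" rule (minimum length, no account-name or display-name tokens, three of the character categories), runs the article's sample passwords through it, and then builds a handful of name-plus-date guesses from the kind of facts found on a social media profile. The account name 'jsmith', the display name 'John Smith' and the guess layouts are made up for the example.

```powershell
# Added example (not code from the original post): the documented Windows
# "Password must meet complexity requirements" rule, applied to the article's
# sample passwords, plus a small guess generator built from public profile facts.
# The account name and display name used below are made up.
function Test-WindowsComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName = ''
    )
    # Rule 1: at least six characters
    if ($Password.Length -lt 6) { return $false }

    # Rule 2: must not contain the account name, nor any display-name token of
    # three or more characters (split on comma, period, dash, underscore, space, #, tab).
    # -match is case-insensitive by default, which is how Windows compares here.
    if ($SamAccountName -and $Password -match [regex]::Escape($SamAccountName)) { return $false }
    foreach ($token in ($DisplayName -split '[,.\-_ #\t]+')) {
        if ($token.Length -ge 3 -and $Password -match [regex]::Escape($token)) { return $false }
    }

    # Rule 3: characters from at least three of the categories below
    # (the fifth Windows category, non-cased Unicode letters, is approximated with \p{Lo}).
    $categories = 0
    if ($Password -cmatch '[A-Z]')         { $categories++ }
    if ($Password -cmatch '[a-z]')         { $categories++ }
    if ($Password -match  '[0-9]')         { $categories++ }
    if ($Password -match  '[^\p{L}\p{N}]') { $categories++ }   # symbols, punctuation, space
    if ($Password -match  '\p{Lo}')        { $categories++ }
    return ($categories -ge 3)
}

function Get-ProfileGuesses {
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [datetime] $Birthday)
    $inv = [cultureinfo]::InvariantCulture
    # A few of the date layouts people actually type; constructed for this example.
    $dates = 'ddMMyyyy', 'ddMMyy', 'ddMMMyyyy', 'dMMMyyyy', 'MMddyyyy', 'yyyy' |
        ForEach-Object { $Birthday.ToString($_, $inv) }
    foreach ($d in ($dates | Select-Object -Unique)) {
        $Name + $d
        $Name + '_' + $d
        $Name + '!' + $d
        $Name.ToLower() + $d
    }
}

$samples = 'Pa$$w0rd', 'Mary10Dec1995', 'I have 2 pets, a cat named Fluffy and a dog named Woofy'
foreach ($p in $samples) {
    $ok = Test-WindowsComplexity -Password $p -SamAccountName 'jsmith' -DisplayName 'John Smith'
    '{0,-58} complex={1,-5} length={2}' -f $p, $ok, $p.Length
}
# All three pass the complexity filter; only the length tells them apart.

$guesses = @(Get-ProfileGuesses -Name 'Mary' -Birthday ([datetime]::new(1995, 12, 10)))
'Mary10Dec1995 recovered from {0} profile-derived guesses: {1}' -f $guesses.Count, ($guesses -contains 'Mary10Dec1995')
```

Run it in any Windows PowerShell or PowerShell 7 session; it needs no modules. The guess list is deliberately tiny, a few dozen strings, and it already contains Mary10Dec1995, which is the whole argument against name-and-date passwords: a cracker does not need to brute-force 13 characters when the structure is public.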

For administrators: increase the password expiry to 90 or 120 days (current NIST guidance goes further and recommends dropping scheduled expiry altogether, changing passwords only on evidence of compromise), and run L0phtCrack (with the permission of management, of course) against the password hashes; any user whose password it recovers should then be required to change it. This exposes the weak passwords users have generated. Services should run under Managed Service Accounts, which on a Microsoft system get a randomly generated password well over 100 characters long, rotated automatically every 30 days by default, so nobody ever types, knows or reuses it.
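The administrator side of the two preceding points (the LM hash caveat and the policy, audit and Managed Service Account steps) comes down to a short PowerShell session on a domain controller. The script below is an added example, not code from the original post. It assumes the ActiveDirectory RSAT module, an elevated session as a domain administrator, a hypothetical file weak-users.txt holding one sAMAccountName per line from the audit, and a hypothetical computer group named WebServers whose members will host a service account named svc-web; the domain name is read from the directory.

```powershell
# Added example (not code from the original post). Assumes the ActiveDirectory RSAT
# module, a domain admin session, a hypothetical weak-users.txt from the audit and a
# hypothetical computer group WebServers. The domain name is read from the directory.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# 1. Confirm LM hashes are not being stored. NoLMHash = 1 is the default on Vista/2008
#    and later; the NT hash is kept for passwords of any length, so this is the only
#    knob that actually removes the weak LM hash rather than relying on password length.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.NoLMHash -ne 1) { Write-Warning 'NoLMHash is not set: LM hashes may still be stored on this host' }

# 2. Show the current default domain policy, then lengthen the expiry window and raise
#    the minimum length so a 14+ character passphrase becomes the norm. Lockout and
#    history settings are left untouched.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge
Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength 14 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90)

# 3. After the audit, force a change at next logon only for the users it flagged,
#    rather than a blanket reset that just produces Spring2025! across the company.
$weak = Get-Content -Path '.\weak-users.txt'   # hypothetical: one sAMAccountName per line
foreach ($user in $weak) {
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
}

# 4. Move a service onto a group Managed Service Account. The KDS root key is created
#    once per forest; backdating it by ten hours is a lab shortcut, in production create
#    it and wait for replication. The 30-day rotation is handled by the DCs, not by an admin.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) }
New-ADServiceAccount -Name 'svc-web' -DNSHostName "svc-web.$domain" `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebServers' -ManagedPasswordIntervalInDays 30

# On each member of WebServers, install the account and verify the host can fetch the password:
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'   # True when the managed password is retrievable here
```

Once Test-ADServiceAccount returns True, the service is reconfigured to log on as CORP\svc-web$ with a blank password field; the host retrieves the current password from the directory itself, which is why there is nothing for L0phtCrack to recover and nothing for an administrator to forget to rotate.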

Stay safe, Terry Griffin
