
From Tony Bradley, CISSP-ISSAP, for About.com

Password Security

from Tony Bradley, CISSP, MCSE2k, MCSA, A+

Sometimes Less Is More

Many system administrators enforce a minimum password length of 8 characters and may even require a special character. In actuality, a 7-character password is more secure than an 8-, 10- or even 12-character password on Windows NT systems. When Windows NT stores your password in its local password database, it breaks the password into 7-character chunks, pads them so that there are always 2 complete chunks, and encodes each chunk separately. Because of this, passwords of exactly 7 or 14 characters are harder to break than passwords of other lengths.

Using a popular and easily available tool like l0phtcrack (now sold as LC4 by the security organization @Stake), a hacker can crack the passwords in the Windows NT database. Often, when an administrator requires 8-character passwords with a special character, the user chooses something like "bradley$" rather than "gf%Uop4&". When l0phtcrack starts to decode "bradley$", it will get the first chunk of 7 fairly quickly because it is a dictionary or commonly recognized word (which also happens to be easily obtainable personal information). The second chunk of 7 contains only one character, the "$", so it won't take long to get that piece either.

Even when the user enters a seemingly more complicated string, it can offer clues. Let's say that the requirement is a 10-character password with letters, numbers and special characters. To keep it simple to remember, the user follows a pattern on the keyboard and enters "q1w2e3r4t5". Windows NT will encode it as one chunk containing "q1w2e3r" and a second chunk containing "4t5" followed by four padding characters. With only 3 real characters in the second chunk, the password-cracking utility will finish that piece faster. When the hacker notices that the end of the password follows a pattern of alternating between the top row of letters and the number row, they can use that information to make educated guesses about the first 7 characters.
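As an added example, not part of the original article, the following Python script models the 7-character chunking described above so an administrator can see why "bradley$" or "q1w2e3r4t5" is weaker than a 7-character password. The chunking and NUL padding mirror the Windows NT scheme (which also upper-cases the password before hashing, a detail the article does not mention); the effort figures are a simple worst-case brute-force model of my own, not output from l0phtcrack or any real tool.

```python
import string
from typing import Optional, Tuple

CHUNK = 7
MAX_LEN = 2 * CHUNK  # the scheme stores at most 14 characters

def lm_chunks(password: str) -> Tuple[str, str]:
    """Split a password into the two 7-character chunks the article describes.
    The password is upper-cased (as the NT scheme does) and NUL-padded to 14."""
    if len(password) > MAX_LEN:
        raise ValueError("scheme only stores the first 14 characters")
    padded = password.upper().ljust(MAX_LEN, "\0")
    return padded[:CHUNK], padded[CHUNK:]

def charset_size(chunk: str) -> int:
    """Smallest alphabet covering the chunk's real characters (model assumption:
    the attacker tries the narrowest alphabet first). Lower-case is gone after
    upper-casing, so letters contribute 26, digits 10, punctuation 32."""
    chars = chunk.rstrip("\0")
    size = 0
    if any(c in string.ascii_uppercase for c in chars):
        size += 26
    if any(c in string.digits for c in chars):
        size += 10
    if any(c in string.punctuation for c in chars):
        size += len(string.punctuation)
    return size

def chunk_effort(chunk: str) -> int:
    """Worst-case candidates to exhaust one chunk: alphabet ** real length.
    An all-padding chunk costs nothing: it encodes to one fixed, well-known value."""
    chars = chunk.rstrip("\0")
    return charset_size(chunk) ** len(chars) if chars else 0

def weakest_chunk_effort(password: str) -> int:
    """Each chunk is attacked independently, so the cheaper non-empty chunk decides."""
    return min(e for e in map(chunk_effort, lm_chunks(password)) if e)

def policy_warning(password: str) -> Optional[str]:
    """Defensive check: flag passwords whose second chunk is short, which is
    exactly the 8- to 13-character case the article warns about."""
    tail = lm_chunks(password)[1].rstrip("\0")
    if tail and len(tail) < CHUNK:
        return f"second chunk holds only {len(tail)} character(s); use 7 or 14 total"
    return None

if __name__ == "__main__":
    for pw in ("bradley$", "q1w2e3r4t5", "gf%Uop4"):  # constructed sample passwords
        print(pw, lm_chunks(pw), weakest_chunk_effort(pw), policy_warning(pw))
```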

Later versions of Windows have extended the maximum length beyond 14 characters and made far more complicated passwords possible. The bottom line is that passwords are not 100% secure. Even a difficult 14-character password containing no identifiable words and using every character type you can think of can be broken given the right tool and enough time. You can't use a password to keep out a dedicated hacker with too much time on their hands. But to keep out the curious novice, you should use a combination of upper- and lower-case letters, numbers and special characters, choose a password length of 7 or 14 characters, and change your password periodically, at least once every 30 to 45 days.



©2009 About.com, a part of The New York Times Company.