Microsoft Windows XP, Die Expertentipps

This tip is taken from the book:
Olaf Engelke, Nils Kaczenski, Holger Schwichtenberg, Ulf B. Simon-Weidner, Sandro Villinger:
Microsoft Windows XP - Die Expertentipps
Microsoft Press, ISBN 3-86063-075-X

Five German MVPs provide over 200 tips on Windows XP in the first "MVP book" for advanced home users. Security in particular is an important part of the book, and it is the first German book to cover the advanced security features of Service Pack 2.

Tipp 5.24: Using passphrases instead of passwords

»I want to keep my personal data on my computer secure. How can I protect myself against someone cracking my password?«

Many people don't know that their computer system is only as secure as its weakest part, and that is usually the password. No matter how much I secure my system, as long as I allow access to it via password (instead of using additional security measures such as biometric devices or smart cards), the system is fully accessible to anyone who knows a user account and its matching password.

Today's password cracking applications are very effective, so there is no password that is »unbreakable«. About two years ago I was hired by a company to test their passwords, and using a »regular« computer it took only two days to retrieve even very complex, randomly generated ten-character passwords.

One of the major issues is that most people don't understand what a password should look like. This actually starts with the word »password« itself: who said that it really needs to be a »word«? Passphrases are far more effective. Once a password cannot be cracked by a simple »dictionary attack« (which tries common words from a word list), the cracking application has to fall back to a »brute force attack«, which tries every possible combination from the character set. The effort to brute-force a complex password therefore grows exponentially with its length. Note also that a password of 14 characters or fewer is usually stored additionally as the weak LM hash, kept for compatibility with DOS applications (see Tipp 5.30). Summary: a password should be as long as possible, at least longer than 14 characters, and it needs to be complex.

  1. Bond04
  2. V1v@ldi4
  3. iH$7Ay*h
  4. I like the 4 seasons of Vivaldi!
  5. My favorite CD was $29.99 @ the drugstore.

Looking at those examples shows that a good password or passphrase is not necessarily difficult to remember. Example 1, which I am quite sure we would find in many larger companies, will be cracked within seconds. Example 2 is not much better: characters in a dictionary word were simply replaced by similar-looking characters. It meets complexity requirements but is still easy to crack. Example 3 is much better, but can still be cracked within one or two days, and the chance of finding it on a note stuck to the screen or underneath the keyboard is pretty high, since it is very hard to remember. Passphrases 4 and 5 are very good: they are easy to remember, and they fulfill the complexity requirements that defeat a »dictionary attack« and force the cracker into a slow »brute force attack«.
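To make the comparison above concrete, here is an added example (not code from the book) that scores the five candidates the way the tip argues: a rule-based dictionary check with a tiny constructed word list, the brute-force search space implied by length and character classes, and the 14-character LM hash boundary. The guess rate of one billion per second and the word list are assumptions for illustration only.

```python
import string

# Constructed inputs: the five candidate passwords listed in the tip.
EXAMPLES = [
    "Bond04",
    "V1v@ldi4",
    "iH$7Ay*h",
    "I like the 4 seasons of Vivaldi!",
    "My favorite CD was $29.99 @ the drugstore.",
]

# Character classes; an exhaustive search must cover every class the secret uses.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation + " "]

# Tiny constructed word list and the usual letter substitutions a rule-based
# dictionary attack undoes (real word lists hold millions of entries).
WORDLIST = {"bond", "vivaldi", "password", "summer"}
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "@": "a", "$": "s"})

def charset_size(secret: str) -> int:
    """Size of the smallest class-union alphabet containing every character."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in secret))

def brute_force_keyspace(secret: str) -> int:
    """Candidates an exhaustive search of that alphabet at this length must cover."""
    return charset_size(secret) ** len(secret)

def crack_time_days(secret: str, guesses_per_second: float) -> float:
    """Worst-case exhaustive-search time in days at an assumed guess rate."""
    return brute_force_keyspace(secret) / guesses_per_second / 86400

def stored_as_lm_hash(secret: str) -> bool:
    """Windows keeps the weak LM hash for passwords of at most 14 characters."""
    return len(secret) <= 14

def dictionary_base(secret: str) -> str:
    """Strip trailing/leading digits and undo leetspeak to recover a base word."""
    return secret.strip(string.digits).translate(SUBSTITUTIONS).lower()

def falls_to_dictionary(secret: str) -> bool:
    return dictionary_base(secret) in WORDLIST

def assess(secret: str, guesses_per_second: float = 1e9) -> dict:
    return {"secret": secret, "length": len(secret),
            "charset": charset_size(secret),
            "dictionary_hit": falls_to_dictionary(secret),
            "lm_hash": stored_as_lm_hash(secret),
            "brute_force_days": crack_time_days(secret, guesses_per_second)}

if __name__ == "__main__":
    for row in map(assess, EXAMPLES):
        print(row)
```

Examples 2 and 3 share the same brute-force search space; only the dictionary check separates them, which is exactly the tip's point.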

But a good passphrase is only valuable if you change it regularly. Ideally you should change it within the time a computer needs to crack it. With a passphrase of more than 25 characters, changing it every 4 to 8 weeks should be sufficient.

Note: Unfortunately there are quite a few applications and websites that don't accept passphrases. If you use several applications that rely on the same username and password as the OS (for single sign-on), I encourage you to test them after you have changed your password to a passphrase. Such applications are the exception and should be changed. I have seen at a couple of companies that most applications which rely on Windows credentials work fine with passphrases. If you use applications that won't accept passphrases, look at the following tips in this book for ideas on how to create secure passwords.

WindowsServerFAQ.de / WindowsServerFAQ.org, Copyright 2004. Not related to Microsoft Corp. USA or Microsoft GmbH.