Password Security
By: Burt Ribet, Sr. Engineer
There are four basic encryption authentication protocols that Microsoft uses: Lan Manager (LM), NT Lan Manager (NTLMv1), NTLMv2, and Kerberos.
LM was Microsoft’s first attempt at an encryption/authentication. LM has a maximum of 14 characters and is case insensitive. It uses DES for encryption.
NTLMv1 was introduced in 1993 with Windows NT 3.1. It was a slight improvement because it was case-sensitive, but still had all the other weaknesses of LM.
The only reason not to disable LM and NTLM is for legacy devices; however, devices that still require these protocols are very few. You need to not only disable the protocols, but to also stop storing the hashes. The link below has a good description of how to do this:
NTLMv2 was introduced in Windows NT 4 SP 4 in 1998. NTLMv2 was leaps and bounds better than any of its predecessors. NTLMv2 allows up to 256 character passwords.
Kerberos is the newest encryption protocol that Microsoft uses. Kerberos requires an infrastructure and therefore is only implemented in a domain structure. Kerberos is NOT used if the computer or user is not in the domain. It is also not used if you connect to a computer through its IP address (\\192.168.1.101\c$) instead of its name (\\servername\c$). Kerberos is considered very secure.
Both NTLMv2 and Kerberos are very time sensitive. If the clock is off by more than 5 minutes both protocols will break and therefore not allow users to authenticate. This is a common problem when you have a device that has been working fine and then all of a sudden is not able to accept connections.
How long should a password be?
As you can see above the two easiest protocols to break are LM and NTLM. Both of these algorithms have a maximum length of 14 characters. If you create a password of 15 characters or greater, Windows will still create the hashes, but they won’t be valid.
The longer the password the more difficult it is to guess or crack. For instance, take a password that uses upper and lower case, number and common symbols. A seven character password has 75 trillion combinations. If you add one more character it would have 7.2 quadrillion combinations. Fifteen characters would have about 542 octillion combinations!
A normal workstation can try about 100 million passwords/sec. That sounds like a lot, but in the example above it would take around 23 years to crack the eight character password and 171 trillion years to crack the fifteen character password.
What characters should I use?
Just by adding a single additional symbol you have made it that much more difficult to guess/crack. For example, an eight character password with just upper and lower case letters and numbers has 218 trillion combinations. If you add the 33 “common symbols” there are 7.2 quadrillion combinations. This also makes it more difficult for crackers because they need to make the decision what characters to use to try to crack the password.
Passwords are SOOOO passé
I don’t suggest passwords; I suggest using pass phrases. A pass phrase like “What a beautiful day.” is much stronger than ”!#Hld%^&*yse”. The pass phrase contains upper and lower case letters and some common symbols (the spaces and period). If people used pass phrases they would be less likely to forget them therefore minimizing password resets. The user also would be less likely to write it down. Since it is easier to think of a pass phrase users might not fight having to change their passwords more often.
To sum it up, a pass phrase greater than 14 characters is the best password. In fact, with today’s technology in hardware and software, it is impossible to crack. Something to keep in mind is that your security is as good as your weakest link. If you follow the above password suggestions, this just pushes your weaknesses to another part of your network.