Reaching Password Nirvana

Using password filters and longer passphrases will help keep your passwords from being cracked.

• By Derek Melber
• November 01, 2004

It's no secret that the best way to increase the crack time for a password is to increase the password's complexity. While you can—and should—encourage your users to employ complex passwords (see the Tip Box), the trick is ensuring that they actually do it.

The most well-known way to do that is to use the Account Policies located in every Group Policy Object. Here you can configure the following password rules:

• Minimum length: Increase to at least 14 characters.
• Minimum age: Needs to be at least one day. This is to ensure that users can't "cycle" through the password history in minutes to get back to their original password.
• Maximum age: Set at no more than 45 days.
• History: Set at a minimum of 24 passwords remembered.
• Password complexity: While this setting should be enabled, using a custom password filter is an even better solution.

A custom password filter, which can check the password for almost any rule you may want to enforce, moves your password policy to the next level. The Windows password complexity setting, for example, requires only three different types of characters. Your custom password filter could require at least one of each of the five different types of characters (upper case, lower case, numeric, non-alphanumeric [such as $, %, &] and UNICODE characters).

The problem is complex passwords are more difficult for users to remember, which may encourage them to do the unthinkable: write their passwords down on the proverbial sticky note. On top of that, new tools like Rainbow Crack leverage pre-generated hash tables to crack passwords; even long, complex ones that use myriad non-alphanumeric characters.

A better option is to use a password filter to force users to create passwords even longer than the default Windows Password Policy of 14 characters. The trick now becomes getting users to think not about passwords, but passphrases. A passphrase like "I live in Phoenix and love the dry heat," is simple to remember yet more secure than a password such as Ph03nLx, which can be cracked with Rainbow Crack in only a few seconds.

Another way to ensure passwords aren't cracked is to eliminate from your computers weaker password hashes that can be easily cracked, such as the LAN Manager (LM) hash stored on most Windows computers by default. To remove the LM password hash, you need to configure the LAN Manager options in a GPO, which will update the Registry for the NoLMHash value. As a side note, if you use long passwords, there will be no LM hash, because it only supports passwords that have 14 or fewer characters.

You should also make sure that clients don't send the LM hash across the network in an attempt to authenticate, which they can do even if you remove the hash from the client PC. Likewise, you do not want domain controllers to accept LM hash authentication requests from clients. To configure this setting, use a GPO and configure the LAN manager authentication level, choosing the two options that include "refuse LM."

The combination of password filters and longer passwords can go a long way toward helping you reach password nirvana. Just remember that longer passwords are stronger passwords, while passphrases are easier to remember and harder to crack.