MalwareTeks Blog

08 Mar 2008 @ 8:33 AM

The Sheer Lunacy of Suggesting the Use of a Blank Password

I’ve come to the conclusion that the writers for mainstream technical publications are just as over-the-top as any other journalist.

Very recently, someone discovered the Microsoft article, Strong passwords: How to create and use them, published 22 March, 2006. It’s two years old. The article, as you can imagine, is about creating strong passwords. About two-thirds of the way down the page, you encounter this: The “blank password” option.

The author of the article goes on to say at this point, “A blank password (no password at all) on your account is more secure than a weak password such as “1234”.” Whoa, wait a minute, what the… Then he/she clarifies that statement by explaining what he/she means:

What’s so special about a blank password? On a computer with Windows XP or newer installed, an account without a password cannot be accessed remotely by means such as a network or the Internet.

Provided the default settings have not been altered by the system user. On XP and later the setting doing the work here is the security policy “Accounts: Limit local account use of blank passwords to console logon only” (the LimitBlankPasswordUse value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), which is enabled by default; switch it off and a blank-password account becomes reachable over the network like any other.

Under very specific, and somewhat rare, conditions the use of a blank password is just fine. The article lists them:

  • You only have one computer or you have several computers but you do not need to access information on one computer from another one
  • The computer is physically secure (you trust everyone who has physical access to the computer)

The second bullet is the most difficult condition to meet.

So, this passage of the MS article has been translated into “Blank Passwords Are More Secure” by the technical media. Have you lost your minds? Get real! The average non-technical reader is going to take that as gospel and switch to using no password at all. I have no doubt that many are already doing so, or are using something like “password1” or “1234”.

Now here are my thoughts on the subject:

The sheer lunacy of even suggesting a blank password for local log-on: a blank password is the first thing a hacker will try when sitting in front of a terminal.

Forcing local log-in with a strong password is meant to prevent unauthorized access to the local system, and if the system is configured properly (an account lockout policy with a threshold and a lockout duration) the account is locked out after x failed attempts and stays locked for the configured duration, so rebooting and starting over gains the attacker nothing. Brute-force attacks aren’t effective when the system is configured correctly, and a hacker won’t spend that much time trying to get into the system.

If the system is connected to a network, then network log-on should be required, and if that is configured properly, not only are you locked out of the system after x failed attempts, you are locked out of the network, until the network administrator resets your account and issues you a new password.

There have been a lot of articles talking about password strength, password security, and password cracking of late. None of them, absolutely none of them, with the exception of the MS article, talk about the use of passphrases of 15 characters or more. Why a passphrase of 15 characters or longer? Because Windows keeps no LM hash for it, which takes the easiest existing cracking method (attacking the two 7-character halves of the LM hash independently) off the table; the NT hash is still stored and can still be attacked, but it is not split into halves, and at 15+ characters it is far out of reach of brute force. Passphrases can still be captured by keyloggers.

If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash. That constant is the LM hash of the empty password, so it carries no information about yours: anyone who “cracks” it recovers an empty string, which is not your password, and the attempt fails. (Windows Vista and later stop storing LM hashes altogether by default, so there the constant appears for every account regardless of length.)
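The LM weakness described above, worked through as an added example; this is not code from the post or from Microsoft. It computes the LM hash with Go’s standard-library DES, shows why a stored hash whose second half is the null constant gives the password length away, and models the rule that a password longer than 14 characters leaves the null-password constant in the LM field. It assumes LM storage is otherwise switched on (as on XP) and ASCII passwords; the names LMHash, StoredLMHash and SecondHalfIsNull are mine.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// NullLMHash is the constant the post quotes: the LM hash of the empty
// password, which Windows also stores when it keeps no LM hash for an account.
const NullLMHash = "AAD3B435B51404EEAAD3B435B51404EE"

// lmMagic is the fixed plaintext that LM encrypts under password-derived keys.
var lmMagic = []byte("KGS!@#$%")

// expandDESKey spreads 7 password bytes over an 8-byte DES key (56 key bits
// plus one parity bit per byte, which DES's key schedule discards).
func expandDESKey(half []byte) []byte {
	k := make([]byte, 8)
	k[0] = half[0] >> 1
	k[1] = (half[0]&0x01)<<6 | half[1]>>2
	k[2] = (half[1]&0x03)<<5 | half[2]>>3
	k[3] = (half[2]&0x07)<<4 | half[3]>>4
	k[4] = (half[3]&0x0F)<<3 | half[4]>>5
	k[5] = (half[4]&0x1F)<<2 | half[5]>>6
	k[6] = (half[5]&0x3F)<<1 | half[6]>>7
	k[7] = half[6] & 0x7F
	for i := range k {
		k[i] <<= 1 // parity bit sits in the low bit of each key byte
	}
	return k
}

// LMHash computes the LAN Manager hash of an ASCII password (assumption: OEM
// upper-casing of non-ASCII characters is not modelled): upper-case it, cut or
// zero-pad it to 14 bytes, and DES-encrypt the magic constant under each
// 7-byte half. Each half is an independent 7-character problem for a cracker.
func LMHash(password string) string {
	pw := []byte(strings.ToUpper(password))
	if len(pw) > 14 {
		pw = pw[:14]
	}
	pw = append(pw, bytes.Repeat([]byte{0}, 14-len(pw))...)
	var out []byte
	for _, half := range [][]byte{pw[:7], pw[7:]} {
		block, err := des.NewCipher(expandDESKey(half))
		if err != nil {
			panic(err) // only a wrong key length fails, and the key is always 8 bytes
		}
		enc := make([]byte, 8)
		block.Encrypt(enc, lmMagic)
		out = append(out, enc...)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// StoredLMHash models the LM field of the SAM as the post describes it: a real
// LM hash for passwords of 14 characters or fewer, and the null-password
// constant for anything longer (assumption: LM storage is otherwise enabled).
func StoredLMHash(password string) string {
	if len(password) > 14 {
		return NullLMHash
	}
	return LMHash(password)
}

// SecondHalfIsNull reports whether the second 8-byte half of an LM hash is the
// null half; when it is, a cracker knows the password is 7 characters or fewer
// and only has the first half left to attack.
func SecondHalfIsNull(lmHash string) bool {
	return strings.EqualFold(lmHash[16:], NullLMHash[16:])
}

func main() {
	// Constructed sample passwords, from blank through a 15+ character passphrase.
	for _, pw := range []string{"", "1234", "password", "Tr0ub4dor&3", "correct horse battery staple"} {
		h := StoredLMHash(pw)
		fmt.Printf("%-32q stored LM hash=%s  second half null=%v\n", pw, h, SecondHalfIsNull(h))
	}
}
```

Running it shows the three facts the post relies on: the blank password hashes to AAD3B435B51404EEAAD3B435B51404EE, a short password such as “1234” shows the same constant in its second half (so the cracker knows it is at most 7 characters and never has to touch the second half), and the 28-character passphrase stores nothing but the constant, so the LM attack has nothing to work on.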

These articles also fail to point out that the hacker must have access, either remote or local, before a password can be cracked, and if they already have that access, they don’t need to crack the password. There are far more reliable (and quicker) methods of compromising a system, with social engineering attacks leading the way.

The rest of the Microsoft article, Strong passwords: How to create and use them, gives very sound advice on creating strong passwords. You should read it; following the advice on that page will go a long way toward making your online experience a safer one.

Creating strong passwords and keeping them private is just one piece of the security puzzle; a very critical piece, but still just one piece.

Categories: Security
Posted By: ShadowPuterDude
Last Edit: 27 Mar 2008 @ 07 41 AM