A password (from French parole, "word") is a secret word or character string used to confirm identity or authority. Passwords are commonly used to protect information from unauthorized access, and most computer systems authenticate a user by the combination of user name and password.


Security technologies are constantly improving, yet one element still plays a central role: the password. Passwords are also the simplest tool an attacker has. Many policies and technologies try to make passwords stronger, but the human factor has not gone away. It is well known that people usually build passwords from the names of people close to them, pet names, dates of birth, and so on.

The main task is getting users to create strong passwords, but how to achieve this is not entirely clear. Even a list of supposedly random words that an ordinary person comes up with follows a pattern, so these choices can be predicted. A policy for choosing strong passwords therefore needs a careful approach, and system administrators should train their users accordingly. Let us look at the main misconceptions about Windows passwords that circulate among users.

When NTLMv2 is used, password hashes are reliable.

Many people know about the weakness of LanManager (LM) password hashes, which is what made tools such as L0phtcrack popular. NTLM produces stronger password hashes, since it uses a longer hash and distinguishes between lowercase and uppercase letters. NTLMv2 goes further: it uses a 128-bit key, with separate keys for confidentiality and integrity, and HMAC-MD5 for stronger integrity. The problem is that Windows 2000 still often sends LM and NTLM hashes over the network, and NTLMv2 remains vulnerable to replay attacks during transmission. Because the registry also stores the LM and NTLM password hashes, attacks on the SAM remain possible. It will take some time before we are rid of LanManager's limitations, and until then the strength of password hashes should not be counted on.

The best password is Gfh%w3M@x.

A common myth says that the best password is one produced by a special generator. This is not entirely true. Such passwords can be quite strong, but they are extremely hard for users to remember, slow to type, and vulnerable to attacks on the generation algorithm itself. Passwords that resist cracking are easy to create; the problem is making them memorable. Let us look at a few simple tricks. For example, consider a password built from an e-mail address: it uses uppercase and lowercase letters, two digits and two symbols, it is 16 characters long, yet it is easy to remember and easy to type. Words can be chosen so that typing them alternates between the fingers of the right and left hands; this speeds up typing and makes it harder for an onlooker to reconstruct the password from finger movements. There are even special lists of English words whose letters alternate between keys under the right and left hand.

The best technique for creating complex but memorable passwords is therefore to use structures that are easy to remember. Such structures make it natural to insert punctuation into the password, as with the e-mail address above. Other structures can be telephone numbers, addresses, file paths, URLs, and so on. It is also worth paying attention to elements that aid memory: rhymes, humor, repetition and patterns, even rude or obscene words. The result is a password that is extremely hard to forget.
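The alternating-hands idea above can be checked mechanically. The following Python is an added example, not code from the original article: it maps QWERTY keys to the left or right hand (the layout assignment is an assumption) and filters a constructed word list down to the words whose consecutive keys alternate hands.

```python
# Assumed standard QWERTY layout: letters and digits grouped by typing hand.
# Characters not listed (punctuation, space) are skipped when checking.
LEFT_HAND = set("qwertasdfgzxcvb12345")
RIGHT_HAND = set("yuiophjklnm67890")


def hand_of(ch: str):
    """Return 'L', 'R' or None for one character under the assumed layout."""
    ch = ch.lower()
    if ch in LEFT_HAND:
        return "L"
    if ch in RIGHT_HAND:
        return "R"
    return None


def alternates_hands(text: str) -> bool:
    """True if every pair of consecutive mapped characters switches hands."""
    hands = [h for h in map(hand_of, text) if h is not None]
    if len(hands) < 2:
        return False
    return all(a != b for a, b in zip(hands, hands[1:]))


def alternating_words(words):
    """Filter a word list down to the words that alternate hands when typed."""
    return [w for w in words if alternates_hands(w)]


# Constructed sample list, not a real published alternating-hand word list.
SAMPLE_WORDS = ["dusk", "password", "pens", "neon", "lake", "tree"]

if __name__ == "__main__":
    print(alternating_words(SAMPLE_WORDS))
```

Running the filter over a real dictionary gives the kind of list the article mentions; the same check applied to a candidate password tells you whether an onlooker would see the regular left-right rhythm the article recommends.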

The optimal password length is 14 characters.

LM splits the password hash into two seven-character halves. This makes passwords more vulnerable, since a brute-force attack can be run against each half at the same time. A 9-character password is likewise split into a 7-character hash and a 2-character one. Cracking the two-character half takes moments, and the seven-character half takes longer, but still only hours. The short piece often makes breaking the long piece much easier. For this reason many professionals recommend passwords of exactly 7 or 14 characters, which correspond to one or two full 7-character halves. NTLM improves the situation by using all 14 characters to compute the hash. That does make life easier, but the NT logon dialog limits passwords to 14 characters, so the system itself "hints" that this length is optimal for security. Newer versions of Windows are different: in Windows 2000 and XP passwords can be up to 127 characters long, and the 14-character limit no longer applies. Moreover, another circumstance has come to light: if the password is longer than 14 characters, Windows does not store a proper LanMan hash at all. In its place it stores a constant equivalent to the hash of an empty password. Since the password is, of course, not empty, this hash cannot be cracked. Given this, passwords of more than 14 characters would be a good solution. The catch is that this cannot be enforced through security templates or group policy, since a minimum password length of 15 characters cannot be set there.

A combination like M1chael99 is a good password.

By the password complexity requirements of Windows 2000, this combination is acceptable, although in reality it is not complex at all. Today's password-cracking programs test millions of combinations per second, and substituting the digit "1" for the letter "i" or adding a couple of digits to the end of a word does not slow them down. Some programs specifically test the tricks users rely on when choosing long and seemingly strong passwords. The password must therefore be more unpredictable. Instead of replacing "o" with "0", try a pair of parentheses "()"; instead of "1", try the letter "l". And do not forget that strength certainly grows with the length of the password.

Sooner or later any password can be cracked.

First, it is worth mentioning the methods that reliably reveal a password, such as a keystroke logger or social engineering. Setting those aside, we can say with confidence that there are ways to create passwords that cannot be cracked in an acceptable time. If the password is long, cracking it takes so much time or computing power that it is as good as unbreakable. In theory any password can be cracked, but not within our lifetime, and not even our grandchildren's. So unless the password is being attacked by a government body with the corresponding computing capacity, there is practically no chance of recovering it. Computing technology does advance by leaps and bounds, though, and this myth may one day become reality.

Passwords must be changed on a monthly basis.

This advice is fine for certain low-security passwords, but it does not suit ordinary users. The requirement forces users either to choose a fairly predictable password at every change or to resort to habits that reduce the effectiveness of security. Users do not like having to invent a new password every 30 days and memorize it on top of everything else. Rather than limiting password age, it is better to focus on creating stronger passwords and raising users' competence. For the average user, 3 to 4 months is enough time to keep a password. Giving people more time makes it possible to persuade them to use more complex passwords.

It is strictly forbidden to write down your password anywhere.

Although many people try to follow this advice, they sometimes have to write their passwords down. Users are then more comfortable creating a complex password, because they know that even if they forget it, they can look it up in a safe place. Attention should be paid to how passwords are written down. Sticking a note to the monitor is obviously foolish, but keeping the paper in a safe, or at least a locked box, can be a sufficient measure. Do not neglect secure disposal of paper with an old password: many break-ins happened simply because the attackers carefully went through the organization's trash looking for written-down old passwords. Users often turn to the idea of saving passwords in specialized software utilities. Such products store multiple passwords protected by a master password, but losing the master password means an attacker immediately gains access to the whole list. Before allowing users to store passwords with such tools, two points should be considered: first, it is a software mechanism and therefore open to attack; second, the master password alone can be the single point of failure for all of a user's passwords at once, and it is often quite simple as well. The best approach combines physical security, company policy and technology. Sometimes passwords simply have to be documented: the system administrator may fall ill or resign while being the only person who knows the administrative passwords, including those for servers. So writing passwords down sometimes even has to be approved, though this step should be taken with great care and only in exceptional cases.

There must not be any spaces in the password.

Although few users take advantage of it, Windows XP and Windows 2000 allow spaces in passwords. In fact, any character that exists in Windows can be used in a password, so the space is a perfectly acceptable password character. However, some applications trim spaces, so it is better not to put a space at the very beginning or end of the password. Spaces also let users create more complex passwords: since the character can go between words, a password can be built from several words. The space is in a curious position, because it falls under none of the Windows password complexity categories: it is not a letter, not a digit, and is not counted as a symbol either. Still, if the goal is a more complex password, the space is no worse than any other character, and in most cases it does not reduce complexity. One significant shortcoming does need mentioning: the space bar makes a distinctive sound when pressed that cannot be mistaken for anything else, so a space in a password gives itself away audibly. Spaces can therefore be used in general, but should not be overused.

You should use the Passfilt.dll library.

This library forces users to create strong passwords. In Windows XP and 2000 this is done through a system policy that defines the complexity requirements. The policy is quite good, but many users get frustrated when their passwords are rejected as not complex enough. Even experienced administrators sometimes cannot enter a password on the first try until it satisfies the complexity requirements. Not surprisingly, users dislike this measure and are unlikely to support the password security policy. The better way out is to require long passwords instead of this policy. If you do the calculations, a 9-character all-lowercase password turns out to be about as complex as a 7-character password using both cases and digits. The only difference is how password-cracking programs handle the different subsets: some of them first run through all combinations of lowercase letters and only then start considering variants with digits and other symbols. You can also take the Platform SDK sample and modify it to be more forgiving about which passwords it accepts. An important step in this direction is working with users, training them to make their passwords more complex and giving them the necessary ideas.
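The calculation in the paragraph above can be carried through in code, together with the complexity categories discussed in the spaces section and the 255 ^ 5 versus 26 ^ 25 comparison from the ALT + 255 section further down. The following Python is an added example, not code from the article, from Passfilt.dll or from Windows: it models the complexity policy as the article describes it (three of four character classes, with the space counting toward none of them; the 6-character minimum and the rule that the account name must not appear in the password are assumptions taken from the documented policy) and estimates brute-force keyspace for constructed sample passwords.

```python
import string

# Class sizes for brute-force estimates: printable ASCII is 26 + 26 + 10 letters
# and digits, 32 symbols and 1 space; "extended" stands for the ALT-code range 128-255.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32,
               "space": 1, "extended": 128}
POLICY_CLASSES = {"lower", "upper", "digit", "symbol"}
SYMBOLS = set(string.punctuation)


def char_classes(password: str) -> set:
    """Classes present in the password. The space is tracked separately because,
    as the article notes, Windows counts it toward none of the policy categories."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SYMBOLS:
            classes.add("symbol")
        elif ch == " ":
            classes.add("space")
        else:
            classes.add("extended")
    return classes


def passes_complexity(password: str, username: str = "", min_len: int = 6) -> bool:
    """Model of the Windows 2000/XP complexity policy (Passfilt.dll):
    minimum length, three of four classes, and no account name inside."""
    if len(password) < min_len:
        return False
    if username and username.lower() in password.lower():
        return False
    return len(char_classes(password) & POLICY_CLASSES) >= 3


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search over alphabet_size ** length covers."""
    return alphabet_size ** length


def keyspace(password: str) -> int:
    """Keyspace an attacker faces if they know which classes the password uses."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(password))
    return brute_force_space(alphabet, len(password))


def crack_hours(password: str, guesses_per_second: int = 10_000_000) -> float:
    """Worst-case exhaustive-search time at an assumed guess rate."""
    return keyspace(password) / guesses_per_second / 3600


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("abcdefghi", "aB3defg", "correct horse battery staple", "M1chael99"):
        print(f"{pw!r}: policy={passes_complexity(pw)} keyspace={keyspace(pw):.3e} "
              f"hours@1e7/s={crack_hours(pw):.1f}")
    print(brute_force_space(255, 5) < brute_force_space(26, 25))
```

The 9-lowercase and 7-mixed samples land within a factor of two of each other, as the article states, while the four-word passphrase fails the policy despite a keyspace many orders of magnitude larger; that gap is the argument for requiring length rather than character classes.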

For the strongest password, use ALT + 255.

To debunk this myth, let us look at using characters with high ASCII codes, which supposedly makes the password more complex. They cannot be typed directly on the keyboard, but holding ALT and entering the character code on the numeric keypad produces them. Sometimes this method is useful, but consider its shortcomings first. Holding down ALT and then typing digits is easy for others to notice, and producing one such character requires pressing five keys. It may be simpler to make the password longer by that many characters than to enter what is really one character through an elaborate combination each time. A 5-character password entered with high ASCII codes requires 25 keystrokes. The number of combinations for that length is obviously 255 ^ 5, whereas a 25-character password made only of lowercase letters has 26 ^ 25 combinations, which is incomparably larger. So long passwords are better. Also bear in mind that some laptop keyboards do not allow the code to be entered from a numeric keypad, and not all command-line utilities support passwords containing ASCII codes. For example, ALT + 0127 can be used in Windows but cannot be typed at the command line. Conversely, the codes of some characters can be typed at the command line but cannot be used in Windows dialog boxes (ALT + 0009, ALT + 0010, etc.). In rare cases such mismatches can be very inconvenient. Nevertheless, extended character codes are often useful and justified. For a service account, or a local administrator account that is rarely used, extended characters are worth the few extra keystrokes. This can be a sufficient guarantee against cracking, since few password crackers are configured to handle extended characters. In such cases, do not limit yourself to high ASCII codes.
In fact the full Unicode set of 65535 characters is available, though a character such as ALT + 64113 will still not be as strong as the same number of keystrokes spent on ordinary characters. Finally, note the non-breaking space, code ALT + 0160. It is displayed as an ordinary space and can fool someone who catches sight of your password. If a keystroke logger is in use, the non-breaking space appears in the log file as an ordinary space, and unless the attacker checks the actual character code and knows about non-breaking spaces, the captured password will do them no good.
