Robert Hensing writes a very interesting and controversial article where he recommends not to use any kind of passwords on a Windows network?

Why you ask? Well because passwords are very easily cracked and worms such as Agobot / Phatbot / Polybot / SDBot / RBot  / etc. ship with boat-loads of dictionaries of passwords. Not to mention that either automated or human attackers don’t even need to guess the password as there are many hacking tools that will let a miscreant sniff your network traffic to get the authentication material for the LM, NTLM and Kerberos protocols and then brute-force that material back into a working password. You can try and protect the network with segmentation, encryption (IPSec etc.) and even 802.1x , etc. but really they just workaround with the inherent vulnerability in your network which is - the password.

So what is the solution? Instead of using passwords, you should try and use pass-PHRASES.  What is a pass-phrase? To quote Robert: “Let’s take a look at some of my recent pass-phrases that I’ve used inside Microsoft for my ‘password’ :

  • “If we weren’t all crazy we would go insane“ (Jimmy Buffet rules)
  • “Send the pain below!“ (I like Chevell too)
  • “Mean people suck!“ (it’s true)”

Pass phrases are great because: they meet all password complexity requirements, they are so easy to remember and lastly with the most advanced hardware you are not going to guess / crack / brute-force or pre-compute these passwords in the 70 days or so that they were around (remember you only need the password to survive attack long enough for you to change the password).

So, is that the real solution? What of two-factor authentication - say using a Safe-word token / smart-card in addition top your password (always), is that good enough? What do you think? Also, read up on the original article many interesting comments there.