MS Employee Calls for No More Passwords

BobPaul writes "On his blog, Robert Hensing of the Microsoft PSS Security Team makes a really convincing argument for the abolishment of complicated passwords. He argues that precomputed hash tables, network sniffing, and programs like LoftCrack make passwords obsolete and dangerous in the windows environment. What does he recommend in their place? Passphrases: sentences and quotes that are easy to remember but may be more than 30 or 40 characters in length. With many companies requiring frequent password changes, (and we know exactly where that leads) this is a simple idea I'm surprised more people haven't been doing this more often."

Excellent!

[PedanticSpellingTrol]

Now replacing my brute force wordlists with "He's dead, Jim", "In soviet russia, passphrases validate YOU" and "passwords are for old korean people" will allow root access to 90% of the internet.

In other news Microsoft is waaayy ahead of him...

[rune2]

With all of the vulnerabilities and exploits in Windows who needs a password anyways? ;-)

password vs. passphrase

[CoolCash]

So when the user creates there password it will be: "This is my passphrase" instead of "password"

Only a few thousand years behind...

[physicsphairy]

And I quote, "Open Sesame!"

My passphrase...

[Noryungi]

In many companies where I worked, for kind of reason, my passphrase always ended up as:

• [name_of_boss]isabloodyidiot

or

• whatabloodyidiot[name_of_boss]is

Make of that what you want, but:

• it's always accepted by whatever program is in charge of checking password
• it's easy to remember, yet hard to crack (unless you know me and the bloody^W... er... boss...
• it always made me smile as this was the first thing I had to type in the morning

Of course, I changed the password to something more politically correct before leaving the companies....

Re:Biometrics

[Qzukk]

Biometrics, on the other hand, requires that you only have your body present at the time!

Or that someone else has your body present. Or just search google for jelly fingerprint to see how to duplicate other people's prints for fun and profit.

Biometrics is bound to stick around for a while, but the fad will hopefully fade before all my bank and credit card accounts get tied to my fingerprint and I have to have new prints carved into my fingers to replace the ones that some identity thief lifted off the scanner.

Re:password vs. passphrase

[Anonymous Coward]

No my passphrase is this:

Microsoft sux0rs really bad!

Which is just slightly harder to guess than "password".

No one will ever break my password!

[Nova Express]

It's the inscription on the One Ring, translated into Klingon, then rendered in l337! Three levels of Ubergeek encryption ensures maxiumum security!

Auto-completion

[sammyo]

ba ding :-)

Re:No one will ever break my password!

[Tenebrious1]

Crap... now I gotta go change all my passwords.

Re:Biometrics

[ScrewMaster]

because if you use a salted hash (chosen by the server)

That's true ... when I stop by our local Denny's for breakfast I let the waitress decide whether I get corned or roast beef with my eggs.

Re:Biometrics

[DrMrLordX]

You don't need to make gloves with someone else's fingerprints. All you need are gummy bears.

Gummy Bears! Bouncing here and there and everywhere! Foiling security beyond compare! They are the Gummy Bearrrrrrrrrrrs.

Re:Auto-completion

[craXORjack]

Or since it is Microsoft we are talking about:
[] Check this box to remember password

Re:One Question

[ftgow]

I'll stick my penis in a hole at the atm to take out 60 bucks, hell I usually pay someone ELSE 'quick cash' for the privledge.

(just kidding, im a sexually frustrated computer nerd like the rest of you.

question

[Anonymous Coward]

Suppose I make fake finger prints of "Carrot Top" or some other annoying guy and then wear glove and rob Fort Knox. While there I leave Carrot Top's fake finger prints all over everything.

Will Carrot Top go to jail?

This fella will probably suffer for disclosing

[melted]

that he's an MS empoyee, because what he suggested is stupid. People's vocabularies are not that extensive, so passphrases are easier to crack than they seem.

Multifactor auth is the only cure. I wish there was something available to implement it besides smartcards. Something that doesn't require a smart card reader and works everywhere, preferably something wireless within a few feet. You could do three-factor auth, even. This "something", pin code and biometric (fingerprint). That would be pretty darn cool.

Re:question

[Anonymous Coward]

> Will Carrot Top go to jail?

Let's hope so!

Re:Biometrics

[darkpixel2k]

Biometric authentication can't be changed. I can change a password, but I can't change my fingerprints.

Ooh...yea--that'll be the downfall of biometric authentication. Someone steals my retina and then all my accounts are 0wned for ever and ever...

Re:Biometrics

[darkpixel2k]

Besides, it IS possible even today to change the pattern of blood vessels on the retina using lasers - this is done all the time to treat diabetic retinopathy.

Good point, but anyone who wants to go through all that trouble is welcome to my slashdot account. ;)

Re:Passphrases are MUCH easier

[Anonymous Coward]

Dude, you pretty much figured out how to sell this, you just didn't put two and two together... you need to spread it around that PASSWORD length = PENIS length. Make sure the hot chicks in accounting are informed.

Re:Excellent!

[jayloden]

You forgot "My voice is my passport, verify me"

-Jay

Re:Biometrics

[Anonymous Coward]

Indeed, that's all the security I need.

Something I have... Smith and Wesson.

Something I know... How to freaking shoot.

Something I am... Bad MotherFucker.

*gets notepad*

[PsiPsiStar]

Loftcrack, you said?

Thanks. :)

Re:Passphrases are MUCH easier

[rolling_or_jaded]

"You mean we're going to have to add an 's' to the end of 'http', do you really expect 100 people to change their bookmarks! They've been using those bookmarks all year!" Insight from other admins very welcome. Ummm... a HTTP redirect to the new HTTPS URL? :)

Re:Biometrics

[Anonymous Coward]

Biometrics sounds good. We already know that people like to hop on to the Xerox machine and photocopy their butt. This could be promising.

Typical Microsoft-style innovation

[Dwonis]

We have created a great innovation: the abolishment of passwords. In their place, we introduce the new Windows Active DRM Passphrases.NET XP (TM) web service.

Patents pending.

Gummy bears?!?

[game kid]

You mean etching the fingerprints on those poor (but yummy) souls? My WTF-0-meter explodes at the very thought...

I totally agree with them

[RealBorg]

using any passwords with Microsoft products is futile. Passphrases cannot change that. Use any system designed with security in mind if you care.