We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,937 News Articles

Five password-security myths exposed

We separate fact from fiction

Passwords are a critical line of defence between your sensitive data and prying eyes, so separating fact from fiction about password security is a must.

When it comes to passwords, companies are constantly looking at new ways to ensure staff use the strongest passwords possible.

Unfortunately, there's still ample confusion in how to strengthen password policies and to mitigate password-focused attacks. I found dozens of mistakes in various security portals' password-hacking whitepapers, seen respected security vendors recommending incorrect mitigations to conflated attacks, and took note of highly knowledgeable security teams operating on mistaken assumptions.

I understand the confusion: There are many different types of password attacks (and defences) and so much incorrect information on the internet. The following are a few myths about password security that often surprise even the most seasoned security admins.

For starters, many admins think that password information retrieved from locally stored Windows profiles can be used in pass-the-hash attacks. In reality, the password verifiers stored in local profiles are extremely resilient against cracking - up to tens of thousands of times harder to crack than a normal password hashes. What's more, they can't be used in pass-the-hash attacks at all.

Another common misconception: Any Windows password up to 14 characters in length can be quickly cracked using rainbow tables and clouds of GPU-equipped, superfast computers. In fact, if the LAN Manager hash is disabled, even 10- to 12-character passwords are extremely tough to crack.

Most password enforcers think that complexity beats length when strengthening password policies. It only works that way in the classroom. In the real world, length will give you far more protection than complexity; though you may give users 64,000 different symbols to choose among for their password, most people use the same 40 or so characters.

Yet another common misconception is that password hashes or passwords can be retrieved from server memory for users accessing files on password-protected drive shares. This is not true, at least for Windows file sharing, although relevant password information can be retrieved for interactively logged-on users.

NEXT PAGE: Can you prevent pasword hacking?

  1. We separate fact from fiction
  2. Can you prevent pasword hacking?


IDG UK Sites

Android One vs Android Silver vs Google Nexus: What is the difference?

IDG UK Sites

iOS 8 review: Hands on with the iOS 8 beta

IDG UK Sites

Thinking robots: The philosophy of artificial intelligence and evolving technology

IDG UK Sites

How to shoot a robot rom-com in three days