Robert Hensing of Microsoft’s Security Incident Response Team has apparently been upgraded to MS Employee 2.0, or fallen victim to whatever it is that’s making those MS guys start blogging en masse lately.
His first post is a whopper: Why you shouldn’t be using passwords of any kind on your Windows networks. Yowza. Keep in mind, this is from an MS security guru.
He goes on to point out a little-known feature of the NT-series operating systems: passwords can be up to 128 characters long. His solution is to use pass-phrases — short sentences that you can easily remember as a password. Definitely a must-read if you’re at all involved with your company’s Windows network security. If you’re not, send the link to whoever is (after all, shouldn’t they be reading Gadgetopia anyway? :-)
Here’s my favorite quote of the day:
Lots of ‘security consultants’ like to terrorize our customers by doing penetration tests, sniffing some network authentication exchanges, cracking the easily determined passwords, then gaining access to a DC, dumping out all of the password hashes and then cracking most if not all of those using rainbow tables and then using that as evidence you should switch to Linux! (bah!)
Those jerks! How dare security consultants point out legitimate Windows vulnerabilities! And then they have the audacity to suggest that something else is more secure?! Umbrage! Umbrage!