• Are strong Windows passwords needed?

    #473491

    Windows 7/64 Notebook

    Maybe this has been done to death somewhere in the lounge, but couldn’t find it.

    1. I use a simple boot password (less than 8 lower case letters). I presume this is safe, because there seems no easy way for anyone to use a brute force method to extract the password. Or can they?

    2. I require Ctrl Alt Del to log on – mainly to hopefully stop anyone who gains remote access to the computer from waking it up. Is this useful or a waste of time?

    3. I also use a simple log-on password. This can be cracked simply with e.g. Ophcrack. What protection would be possible with e.g. 8 or 10 mixed characters? Is the extra time taken by a thief to crack the password worth the extra time each logon?

    4. For all other (200+) passwords I use Password Safe with a master password of around 10 mixed characters. Is this sufficient, do you think? Is there much difference between Password Safe, Roboform and KeePass? Hopefully none are susceptible to brute force attacks. I guess all are approx equally secure, as long as you don’t have datalogging malware on your system. Within Password Safe, I have two classes of password – the very simple for programs/blogs I don’t care about and no-one would want to hack, and moderate strength passwords – often 8-10 letters/numbers.

    5. Anything which would be useful to a thief, I put into a Truecrypt folder. This also should be secure apart from the keystroke recording malware risk.

    This level of protection is pretty simple, and by no means conforms to the recommendations of most net commentators in relation to strong passwords. Do loungers have some thoughts on this and the 4 or 5 questions? Advice appreciated.

    • #1257960

      It appears that you’ve taken quite a few precautions. If you have reasonably good security software, a decent hardware firewall, and take care of what you do online you are probably fine. You must remember that all bets are off if you lose physical control of the PC. With the power of modern PCs if you lose physical control of your PC all you’ve done is delay someone with bad intentions.

      Joe

      --Joe

    • #1257973

      Thanks JoeP. There is always a risk with a traveling notebook that you will lose it. That is the point of question 1. Can a determined attacker get through a boot password? How?

      I don’t think Ophcrack can get the boot password, since the boot password has to be entered before the computer enters the BIOS. But maybe there are other ways, i.e., removing the CMOS battery or flashing the BIOS. How easy are those with modern notebooks?

      I expect in 99% of cases, the thief would just reformat the hard drive and sell the computer. Hopefully great effort would not be worthwhile to crack the various levels of password for the uncertain potential of finding something useful.

    • #1257993

      Any password method can be broken given enough time and incentive. Encryption of important data is most likely your best protection. Once again, if you lose physical control of the PC you have lost the battle. You must assume the PC will be hacked. With the various levels of protection you’ve employed you may have made it difficult enough that a thief would give up.

      If it were me and I was really concerned about theft of the PC, then I’d opt for more secure boot and logon passwords and put up with the aggravation at login time.

      Joe

      --Joe

    • #1258004

      I guess that is really the issue – I don’t see that complex passwords give you much more security than short. The boot password is blown by a BIOS flash, and the logon with Ophcrack. Whether the passwords are 6 or 60 characters long, both are blown out of the water by these techniques. If your attacker is using a keystroke logger, password length is also no barrier.

      If I am right on this, why do almost all commentators recommend horrendously long and complex passwords?

      • #1258027

        I guess that is really the issue – I don’t see that complex passwords give you much more security than short. The boot password is blown by a BIOS flash, and the logon with Ophcrack. Whether the passwords are 6 or 60 characters long, both are blown out of the water by these techniques. If your attacker is using a keystroke logger, password length is also no barrier.

        If I am right on this, why do almost all commentators recommend horrendously long and complex passwords?

        I think it is because most users will not investigate enough to know that there are sophisticated, easily available methods for cracking passwords. These users will just assume that longer must be better because for most longer will be harder to remember.

        Joe

        --Joe

      • #1258410

        If I am right on this, why do almost all commentators recommend horrendously long and complex passwords?

        Because most users do not differentiate between on and off line. On-line passwords should always be strong, off-line ones are only as good as your physical security.

        cheers, Paul
