How can I have a secure domain login without a complex password?

4

2

I have recently gone on a security binge, using a password manager to ensure I have different complex passwords on every service I use. However, there's one hole in this system: the domain login. I cannot start the password manager without first logging into the operating system. Because my domain password is committed to memory, it is significantly less complex than any other password I have.

I do not want to rely on a fingerprint scanner due to dermatitis.

What options can Windows 7 and 8 support to securely log in to a domain account?

Hand-E-Food

Posted 2014-05-04T22:29:07.597

Reputation: 4 711

4

Take a look at this xkcd comic. It might be helpful.

– VL-80 – 2014-05-05T02:18:42.380

Answers

5

A fingerprint scan must NEVER be considered as a replacement for a password. It can be used as an additional factor but must never be used on its own since it cannot ever be changed.

The best but simplest arrangement is to create a pattern that you can remember. One that allows changing over time but still remains memorable to you.

In truth, it isn't that hard to memorise a pattern of letters, numbers and symbols and there are many patterns you can use. It is the pattern itself that makes it memorable. This is true of words as well but we are conditioned to recognise meaningful words of course.

So a pattern such as:

mhall~ouat<14?05

"Mary Had a Little Lamb~Once Upon A Time<2014?May" - get it?

You can simply play with some of the symbols or simply the numbers. You might not want to use something quite as obvious as the base though if you are really paranoid because a really good rainbow table might be able to pick that up.

That example is 15 characters with both alpha, numeric and symbols. It could be slightly improved with a capital or two though in reality it is the possibility of upper/lower/numeric/symbol that is more important than their actual use in every password.

Such a password will be very strong indeed even against current threats. The biggest remaining threat is shoulder surfing or one of the more esoteric threats such as sound analysis (of your typing).

You can go further if you want through the use of additional factors such as a YubiKey or smart card but really you should use these as ADDITIONAL factors not a straight replacement. If you want to maintain maximum security that is.

Personally, I also use tools to remember most passwords and I favour a truly random, generated Windows password. Nonetheless, it is only a single password and therefore not that hard to remember after a few practice types.

You should also note, however, that if you only rely on a Windows login password, you will still be exposing ALL data if someone gets hold of your PC. For true security, you need a UEFI BIOS, TPM chip, secured BIOS settings and full disk encryption. Only with these will you be able to have a reasonable expectation that attackers cannot get hold of your information if they get hold of the PC.

Next, you should also add additional protection to Windows. Microsoft EMET at least, preferably an application whitelisting tool (such as built in to AVAST AV). Application whitelisting only allows specific applications to run and is almost certainly the best current defence against zero-day attacks. With EMET to harden Windows and a good AV/anti-malware tool such as AVAST along with the other measures outlined, removing all software not needed and keeping up-to-date with patches on the remaining, you will be as safe as it is possible to be right now.

UPDATE: I realised that I haven't fully answered the question given which is about what options are available for logging in to Domains.

There are a great many tools for this and Windows supports a replaceable login capability which used to be called GINA, not sure if it still is. Login with smart cards is natively supported and there are many 3rd party tools to supplement (or replace) standard id/password logins on the domain such as one-time-password generators (such as RSA tokens) and the like. You can also tweak the password requirements for Windows Domains to enforce stronger passwords. I recommend giving out easy guidance in that case, I seem to remember seeing a number of infographics that explain the type of password choice I mention above.

Julian Knight

Posted 2014-05-04T22:29:07.597

Reputation: 13 389

The GINA system was replaced with a credential provider model in Vista. – Patrick Seymour – 2014-05-04T23:31:26.220

There are a lot of reasons not to use a fingerprint scanner for primary security. Inability to change your fingerprints is on the list, but it is hardly at the top. – Matthew Najmon – 2014-05-05T02:01:12.560

as per xkcd 936 I would prefer "Mary Had a Little Lamb~Once Upon A Time<2014?May" as my password – PlasmaHH – 2014-05-05T10:06:41.853

@PlasmaHH, I think that Windows AD would probably blow a gasket at the length though I agree with the sentiment. Of course, I wouldn't want to type it in more than once a year! – Julian Knight – 2014-05-05T16:51:52.190

@JulianKnight: I have been using passphrases for lots of things since the 90s and I must say that at least for me it is quicker to type in the whole sentence than to think about which is the next letter, what case, what 1337tification, and what was special in this particular password requirement scheme. – PlasmaHH – 2014-05-05T17:49:53.570

You've highlighted a problem prevalent in enterprise environments where IT think they know best and set restrictive password rules that actually make things worse not better. It's important to allow people room to use a strategy that works for them not one set by techies (of which I am one of course!) – Julian Knight – 2014-05-05T18:35:12.507

3

A single memorized password can be as secure as any randomized password stored in a password manager. You need a simple algorithm that transforms an easy to remember word or phrase (that has personal meaning for you) into a complex password. You can safely write down more than enough to recall the phrase and the algorithm without a real fear that someone will pick your pocket and work it out.

Let's say you like Disney. Your phrase may be Uncle Walt. Modify the phrase in novel ways, like swapping the first and last letter of each word, and wrapping each with numbers and punctuation, while capitalizing seemingly arbitrary letters on a pattern (say, second from the end).

Uncle (5 letters) and Walt (4 letters) could become 4encLu$taLw5.

If you were really paranoid or worried about forgetting your own algorithm, you could come up with little note to jot somewhere, like "$45 for a Disney animation cell?", as if you were deliberating over a purchase.

When it's time to change your password, you can keep the personal algorithm and come up with a different phrase and equally "random" note.

denmch

Posted 2014-05-04T22:29:07.597

Reputation: 151

I really dislike this strategy, because it seems very clever in theory, but in practice there are two major flaws: (1) the ad-hoc encryption scheme you come up with on the spot will likely be very weak and add little entropy (2) the time needed to enter the password has just shot from 3 seconds to 2 minutes, providing more opportunity to shoulder surfers especially if you can't do the encryption in your head and must use a paper. – Superbest – 2014-05-05T03:31:05.477

I have more than 60 passwords that use a system like this and can recall and enter most without reference in seconds. Occasionally, if I haven't used a service in awhile, I'll check my hint list, which has one word per service but no clue as to how the algorithm works. The only concern for the weakness of the scheme depends on a real person recognizing and physically obtaining your hint. If you can't remember your algorithm, you didn't design it well enough. It's not meant to be uncrackable, because nothing is. It's meant to be reasonably secure and easily memorable to you alone. – denmch – 2014-05-05T03:47:19.930

@Superbest, you've made an important point about things seeming to be secure/random when they are not. The only truly strong password is a random one. However, we do need to sometimes compromise in order to deliver workable systems. – Julian Knight – 2014-05-05T16:54:18.763
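As an added illustration (not code from either answer), here are Julian Knight's phrase-initials pattern and denmch's letter-swap algorithm written out, followed by the attacker's side of Superbest's objection: once the transformation rule is known, the candidate space shrinks to the number of phrases times the parameter choices. The phrase list, the symbol set and the 100,000-phrase estimate are constructed for the example, not taken from the thread.

```python
# Added example: the two mnemonic schemes from the answers above, written
# out, plus the attacker's view of them once the transformation rule is known.
import math
import string
from itertools import product

SYMBOLS = string.punctuation          # 32 printable US-keyboard symbols


def initials_pattern(phrases, separators, year, month, date_sep="?"):
    """Julian Knight's scheme: first letter of every word in each phrase,
    one separator symbol after each phrase, then YY<date_sep>MM."""
    if len(phrases) != len(separators):
        raise ValueError("one separator per phrase")
    parts = []
    for phrase, sep in zip(phrases, separators):
        parts.append("".join(word[0].lower() for word in phrase.split()))
        parts.append(sep)
    parts.append(f"{year % 100:02d}{date_sep}{month:02d}")
    return "".join(parts)


def _swap_and_cap(word):
    """denmch's per-word step: swap first and last letter, then capitalise
    the second letter from the end."""
    w = word.lower()
    if len(w) > 1:
        w = w[-1] + w[1:-1] + w[0]
    if len(w) >= 2:
        i = len(w) - 2
        w = w[:i] + w[i].upper() + w[i + 1:]
    return w


def swap_wrap(words, digits, sep="$"):
    """denmch's scheme: mangled words joined by `sep`, wrapped in two digits.
    ('Uncle', 'Walt'), (4, 5), '$'  ->  4encLu$taLw5"""
    body = sep.join(_swap_and_cap(w) for w in words)
    return f"{digits[0]}{body}{digits[1]}"


def crack_swap_wrap(target, phrases, seps=SYMBOLS):
    """Attacker who knows the rule but not the phrase: enumerate
    phrase x separator x digit pair. Returns (guesses, phrase_found)."""
    guesses = 0
    for phrase in phrases:
        words = phrase.split()
        for sep in seps:
            for d0, d1 in product(range(10), repeat=2):
                guesses += 1
                if swap_wrap(words, (d0, d1), sep) == target:
                    return guesses, phrase
    return guesses, None


def brute_force_bits(length, alphabet=95):
    """Work for an attacker who knows nothing: every printable-ASCII string."""
    return length * math.log2(alphabet)


def scheme_known_bits(n_phrases, n_seps=len(SYMBOLS), n_digit_pairs=100):
    """Work once the rule is known: only the phrase and parameters are secret."""
    return math.log2(n_phrases * n_seps * n_digit_pairs)


if __name__ == "__main__":
    print(initials_pattern(["Mary Had a Little Lamb", "Once Upon A Time"],
                           ["~", "<"], 2014, 5))
    print(swap_wrap(["Uncle", "Walt"], (4, 5)))
    # Constructed toy phrase list; a real cracker would use millions of phrases.
    disney = ["Mickey Mouse", "Donald Duck", "Uncle Walt", "Snow White"]
    print(crack_swap_wrap("4encLu$taLw5", disney))
    print(f"{brute_force_bits(12):.1f} bits blind vs "
          f"{scheme_known_bits(100_000):.1f} bits with the rule known")
```

The last line is the point of the exchange: a 12-character result looks like roughly 79 bits to a blind brute-forcer, but an attacker who has learned the rule from leaked password sets and tries 100,000 candidate phrases faces about 28 bits, because the rule contributes no secret of its own.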

1

Get a laptop or keyboard with a smart-card reader, and require smart-card authentication for your domain login.

Because of the release of a number of large plain-text password files, it is now possible to have a very good idea about what people think are complex-passwords-that-are-easy-to-remember. The result is that complex passwords generated using simple algorithms like

a password that you can remember and then add lots of characters

a simple algorithm that transforms an easy to remember word or phrase

create a pattern that you can remember

--are no longer complex to generate. There are cracking algorithms that generate those passwords, and anything else you think is clever, learned from the millions of examples of passwords now available.

user165568

Posted 2014-05-04T22:29:07.597

Reputation: 421

Unfortunately, this is not a panacea either. Smartcards rely on a rock solid PKI, something that is notoriously difficult to implement let alone maintain for any period of time. They also tend to be secured with a PIN for access instead of a strong pass phrase, this also weakens them. Of course, they do provide a second factor which helps a lot. – Julian Knight – 2014-05-05T16:56:54.797

0

We can narrow this question down to - how to create a strong password which is easy to remember.

I will elaborate on this xkcd comic.

Your password can include all sorts of characters (letters, symbols, capital letters) and can use common symbol substitution, etc. and be very complex. But it will be hard to memorize.

Or it can consist of 4 - 5 common random words and be very simple for you to memorize. At the same time it will actually provide you better security, as it is harder to crack a longer password.

If a database is being brute-forced at a decent speed, there will be no significant difference between the passwords GordanFreeman and g0rDAn&fr33mNa from the viewpoint of cracking, if it is decided to go all the way until it is cracked.

But there will be a difference between the passwords g0rDAn&fr33mNa and GordanFreemanIsFightingWallaceBreenInCity17! - I can remember this password easily and at the same time it will be much more secure than the first password. There are even capital letters, numbers and symbols in this password, to fully satisfy the domain password policy if there is one.

Also, here is another piece of advice, from Stanford University. They issued a new password strength policy:

Password rules

Stanford's password rules, based on password length, are:

8-11: mixed case letters, numbers, & symbols
12-15: mixed case letters & numbers
16-19: mixed case letters
20+: no restrictions

It must not be equal to your current password, previous passwords, SUNet ID, or password reset answer.

It must not be a single word that appears in the dictionary (English or non-English)

It must be composed only of characters in the Roman alphabet, numbers, or symbols on the US keyboard. Examples include characters such as # $ % ! @.

Pick an option which you like and you should be safe.

VL-80

Posted 2014-05-04T22:29:07.597

Reputation: 3 867

Unfortunately, this is a somewhat dangerous set of assumptions. Long passcodes are more secure but maybe not that much if the phrase itself can be guessed or is likely to be used commonly by other people. In your example, if the phrase you use is relatively common, it might well be less secure than the random set of characters and symbols that are shorter. That is why password complexity checkers that are just based on length and complexity are false. Only checkers that are backed also with word and phrase lists are in any way useful. – Julian Knight – 2014-05-05T17:00:51.123
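An added example, not part of the answer and not Stanford's own tooling: the length-tiered rules quoted above as a checker, next to the entropy arithmetic from xkcd 936 that explains why the tiers relax as passwords get longer. The rule codes, the 8-character minimum and the toy word list are assumptions made for the example; in practice the word list would be a real diceware-style list of several thousand words.

```python
# Added example: a checker for the length-tiered rule set quoted above, with
# the entropy arithmetic that justifies relaxing the rules for longer passwords.
import math
import secrets

# Constructed toy word list; use a real list (e.g. a 7776-word diceware list).
WORDLIST = ["correct", "horse", "battery", "staple", "lambda", "gravity",
            "freeman", "crowbar", "citadel", "combine", "orange", "purple",
            "tunnel", "window", "kettle", "saddle"]

# Classes required below each length limit: 8-11, 12-15, 16-19; 20+ has none.
TIERS = [
    (12, ("mixed-case", "digit", "symbol")),
    (16, ("mixed-case", "digit")),
    (20, ("mixed-case",)),
]


def char_classes(pw):
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


def check_policy(pw, dictionary=frozenset(), history=()):
    """Return the list of rule codes the password violates; [] means it passes.
    `dictionary` is a set of lower-cased words, `history` the user's old passwords."""
    problems = []
    if len(pw) < 8:
        problems.append("length")          # assumed minimum, the lowest tier starts at 8
    if not (pw.isascii() and pw.isprintable()):
        problems.append("charset")         # Roman letters, digits, US-keyboard symbols only
    c = char_classes(pw)
    satisfied = {
        "mixed-case": c["lower"] and c["upper"],
        "digit": c["digit"],
        "symbol": c["symbol"],
    }
    required = next((reqs for limit, reqs in TIERS if len(pw) < limit), ())
    problems += [r for r in required if not satisfied[r]]
    if pw.lower() in dictionary:
        problems.append("dictionary")      # a single dictionary word, in any case
    if pw in history:
        problems.append("reused")
    return problems


def random_string_bits(length, alphabet=95):
    """Entropy of a uniformly random string over `alphabet` characters."""
    return length * math.log2(alphabet)


def passphrase_bits(n_words, wordlist_size):
    """Entropy of n_words drawn uniformly from the list: the xkcd 936 arithmetic."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, n_words=4, sep="-"):
    """Draw words with the OS CSPRNG: the words may be common, the choice must not be."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ("GordanFreeman", "g0rDAn&fr33mNa",
               "GordanFreemanIsFightingWallaceBreenInCity17!"):
        print(f"{pw!r}: {check_policy(pw) or 'ok'}")
    print(f"14 random chars: {random_string_bits(14):.1f} bits")
    print(f"4 words of 2048: {passphrase_bits(4, 2048):.1f} bits")
    print(f"5 words of 7776: {passphrase_bits(5, 7776):.1f} bits")
    print(generate_passphrase(WORDLIST, 5))
```

The entropy figures only hold when the words are chosen at random; a memorable sentence lifted from a game or a rhyme is a dictionary entry of its own, which is the caveat the comment above makes.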

0

For a secure domain password, the length of the password is the major factor in cracking the password.

Steve Gibson talks about password haystacks as a way to make long passwords. You can read his page at https://www.grc.com/haystack.htm for details. The basic idea is to pick a password that you can remember and then add lots of easy to remember characters to it. For example, pick your favorite dog, Snoopy, and then pick the last two digits (14) of the start of WWI (Snoopy fought the Red Baron in WWI). Then you can have the following password (change the o's to zeros to get numbers):

Sn00py>>>>>>>>>>>>>>

Which, according to the brute force calculator on Steve's site, will take 11.52 thousand trillion centuries to crack, assuming a massive cracking array that can do 100 trillion guesses per second (that would require 1000's of GPU enabled password crackers). Then you can have a simple and easy to remember password that is also hard to crack.

Historical note: Windows domain passwords that are more than 14 characters are stored in a more secure fashion that does not allow the password to be decoded in parts, so the whole password has to be decoded in one chunk.

UPDATE: The user wanted a "secure" password that was not complex. If you want a strong password, one that will stand up to the hardcore password crackers, then you have to have a long and complex password. Given the constraint of not complex, the length of the password will be the only thing that provides any security (but it still needs to be more complex than just a repeated character). The use of the >> is to extend the password to the point where a brute force guess is not effective. That is what the numbers from Steve's page indicate. The catch is that if you pick a scheme that is also used by a password cracker, then the strength is much less. Which is why, when you do this for real, you need to pick a base and extenders that can be remembered, but are not likely to be in a cracker database. If the user wants a password with "real strength", then the "not complex" constraint will have to be dropped.

You're right, Steve does say that it is not a password strength meter. What he does say is that adding length to a password makes it much harder to brute force (running patterns is not brute force). The password given above was an example; the end user should change it to the level of complexity that is required, while keeping a long (15+ character) password.

Walter

Posted 2014-05-04T22:29:07.597

Reputation: 446

Steve's checker is NOT a strength meter as he clearly states. To get a true measure of password strength you also need to apply the same tools as the hackers use. Namely rainbow tables containing common (and no so common) lists of words and phrases - including common letter swaps as you've used above. A decent machine can easily check through millions of combinations. – Julian Knight – 2014-05-09T13:33:30.900
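An added example, neither the grc.com calculator nor code from the answer: the haystack search-space arithmetic as the answer describes it (an alphabet made of the character classes present, every length up to the password's, at 100 trillion guesses per second), next to a small rule-based search that assumes the attacker already knows the base-word-plus-padding recipe, which is the weakness the comment above points at. The pet-name list and the leet table are constructed for the example; the class sizes (26, 26, 10, 33) follow the haystack page.

```python
# Added example: Gibson's haystack search-space figure for the password in the
# answer, beside a rule-based search by an attacker who knows the recipe.
import math
import string

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
LEET = {"o": "0", "i": "1", "e": "3", "a": "4", "s": "5"}   # substitutions a rule set tries


def haystack_alphabet(pw):
    """Alphabet size as the haystack page counts it: 26 lower, 26 upper,
    10 digits, 33 symbols (US-keyboard punctuation plus space), per class present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33
    return size


def haystack_search_space(pw):
    """Every string over that alphabet of length 1 up to len(pw)."""
    a = haystack_alphabet(pw)
    return sum(a ** n for n in range(1, len(pw) + 1))


def centuries_to_exhaust(space, guesses_per_second=1e14):
    """Time to try the whole space at the answer's 'massive cracking array' rate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def leet_variants(word):
    """All-or-nothing substitution per letter, the way a mangling rule applies."""
    letters = [c for c in LEET if c in word.lower()]
    for mask in range(1 << len(letters)):
        w = word
        for bit, c in enumerate(letters):
            if mask >> bit & 1:
                w = w.replace(c, LEET[c]).replace(c.upper(), LEET[c])
        yield w


def crack_padded(target, base_words, pads=string.punctuation, max_pad=30):
    """Attacker's model of the recipe: a base word from a list, case and leet
    variants, then one symbol repeated 0..max_pad times.
    Returns the number of guesses needed, or None if the model misses."""
    guesses = 0
    for base in base_words:
        for cased in (base.lower(), base.capitalize(), base.upper()):
            for variant in leet_variants(cased):
                for pad in pads:
                    for n in range(max_pad + 1):
                        guesses += 1
                        if variant + pad * n == target:
                            return guesses
    return None


if __name__ == "__main__":
    pw = "Sn00py" + ">" * 14                      # the 20-character password from the answer
    space = haystack_search_space(pw)
    print(f"alphabet {haystack_alphabet(pw)}, search space {space:.3e}")
    print(f"haystack: {centuries_to_exhaust(space):.3e} centuries at 1e14 guesses/s")
    # Constructed toy list; a real cracker would use a dictionary of names.
    pets = ["lassie", "snoopy", "garfield", "rover"]
    print("rule-based guesses:", crack_padded(pw, pets))
```

Run as written, the haystack figure comes out at about 1.15e16 centuries, within a percent of the 11.52 thousand trillion quoted in the answer, while the rule-based search finds the same password in a few tens of thousands of guesses, a fraction of a second at any GPU rate. The two numbers answer different questions: the first is the cost of not knowing anything, the second is the cost once the recipe is in the cracker's rule set.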