windows xp

Posted by: ken c on 19 September 2004

my daughter bought an hp zt3000 notebook some time ago. nice pc, but a bit frustrating with the problems we have been having with XP Home.

the pc came with a security update which we were advised to install before logging on to the net, for obvious reasons. we were also advised to install windows updates, which we did -- this was the beginning of a long headache. you see, the windows updater kept telling us that there are some updates available, but it turns out there were the same updates being installed over and over again (could see this from control panel add/remove programs). we also tried to install Norton AV, but this introduced its own problems --- basically every time i opened it to set it to do live updates automatically, the Norton window would simply close down.

OK, i thought, better wait for SP2 on CD and try again. when this came, couldn't install it --- whenever i tried, the installation would simply abort at various places without any explanation.

anyone had any of these or similar problems with XP home? how did you get around them?

many thanks...

enjoy

ken
Posted on: 21 September 2004 by matthewr
Martin,

Best way to do it is to think of a phrase you can easily remember and derive a password from the initial letters of that phrase. Then, ideally, think of some numbers that you can substitute for the letters -- e.g. 5 for s, 0 for o, 3 for E, etc.

So, for example, I used to use a password derived from a favourite Half Man Half Biscuit song lyric:

"Keeping my feet above the mulch of the barton with song"

= kmfatmotbws

Which is probably secure enough for most purposes, but you can add a number or letter substitution if needed:

swap m for 3:

= k3fat30tbw5

Then I write down a password hint of "HMHB Tess quote with 3 for m".

Which should give you an idea about how to create a very secure, complicated, hard-to-guess but (relatively) easy to remember password.

Matthew
Posted on: 22 September 2004 by JonR
quote:
Originally posted by Cliff Patterson:
Ken,

beware of amateur advice.


Errr...I get the impression from Matthew's posts that he is an IT professional as well....unless I am wrong?
Posted on: 22 September 2004 by domfjbrown
quote:
Originally posted by Matthew Robinson:
So, for example, I used to use a password derived from a favourite Half Man Half Biscuit song lyric:

"Keeping my feet above the mulch of the barton with song"

= kmfatmotbws


Matthew - we may not always see eye-to-eye, but I use an almost identical system for most of my passwords! Usually the first few song titles from 1 side of an album, followed by the 2 digit year of release Smile

None have hacked my passwords yet, but you must keep schtung about what albums you're into!

Posted on: 22 September 2004 by JonR
Yes thanks Dom (and Matthew) - some great ideas there!

BTW Dom - I believe you will find the word is 'schtum'.

Regards,

JonR (Jewish bloke and a bit pedantic with it, sorry Smile)
Posted on: 22 September 2004 by Mike Hughes
quote:
Not all IT Professionals
are experts in MS operating systems.


Cliff, I'd go much further. Not all IT Professionals are experts full stop. There are plenty of people who have either been around pre-IBM PC, or come out of the forces and so on, who know the basics very well but avoid the intricacies. Equally, there are, as has been observed many times elsewhere, plenty of people in their 20s and later with "paper" MCSEs. Know it but can't actually do it.

Mathew,

I love how when challenged you just ignore it and go off at a tangent. Just, for once, explain specifically to us all why F&PS is not an issue and why that SANS article and MS are wrong. Go on, you know you want to. Wink

quote:
"if you don't need it then turn it off. The issue of passwords etc. then simply doesn't arise"

That is just plain wrong. Weak passwords = vulnerable systems PERIOD.


In the context of the system discussed at the start of this thread - absolutely not. One laptop, by itself and with clear user behaviour issues that need addressing.

quote:
"I know administrators in LAs that still use "abc123" and so on"

So they *definitely* have very vulnerable systems and this does not change if they switch F&PS off.


They do indeed have vulnerable systems but that also illustrates that passwords are not necessarily a solution. User training should be at least as high a priority. Thus Phil's advice about user behaviour is probably the most relevant on this thread. Interestingly, outside auditors with 30 years experience looked at the network in question and identified weak passwords as an issue but the enablement of F&PS on hosts that did neither was graded two levels higher as a security risk and requiring of an immediate network reconfiguration. Still, you always know better. Roll Eyes

Your advice on passwords is excellent but I wonder if it goes far enough. The methodology you describe is well known in IT and other circles and generally very sound but there needs to be more emphasis on the fact that substituting numbers for letters in itself doesn't provide a secure password. Any logical basis for devising passwords is potentially vulnerable. Actually, it's probably better to say that, on a network, any attempt to leave password creation solely to users without adequate policies introduces significant potential vulnerabilities.

Ideally, I like to memorise mine but I have a friend who has been able to show me how to hack all of my passwords. The one that took longest to hack using various software was the one that had no connection to me personally; was randomly generated and took me about three days to memorise. That was a pain but it's been worth it.

Mike
Posted on: 22 September 2004 by matthewr
Cliff said "XP Firewall with SP2 gives you the option to unblock applications that are trying to go out through the firewall"

Windows Firewall's Exceptions tab allows you to apply exceptions to the list of programs/services for which "Windows Firewall is blocking incoming network connections". If it does allow egress blocking it's being very coy about it.

From ZDNet's review of SP2:

Microsoft firewall protects only against inbound threats, not outbound threats, such as keystroke-logging Trojans that report your passwords and credit card info to others. Also, the lack of outbound protection means your infected PC could still participate in distributed denial-of-service attacks. In short, I recommend keeping your third-party firewall enabled alongside Microsoft's. Two firewalls are better than one.

From Zone Alarm's Windows XP SP2 FAQ:

9. What are the differences between the free ZoneAlarm firewall and Windows Firewall?

Windows Firewall will only provide inbound protection, preventing hackers from infiltrating your PC. The free ZoneAlarm firewall provides more robust protection, securing outbound and inbound communication."


"What you say about Norton Antivirus is also misguided IMHO"

I gave up on it after endless problems. Not problems with viruses but problems with it causing various things not to work, its update process continually breaking and requiring a re-install, it slowing down my PC, them having the world's worst support website that makes it near impossible to re-download the software paid for, etc. My impression from reading the experiences of others is that this is not an uncommon experience of Norton.

Since switching to McAfee, I have had zero problems.

"there is nothing majorly wrong with Norton, and it (2004 edition) explicitly works with SP2 too"

SP2 broke my Norton install and that was the point at which I switched to McAfee.

"Not all IT Professionals are experts in MS operating systems"

FWIW I have been programming DOS and Windows based PCs since the mid-80s. I am far from a security or IT support expert.

"The best way to let people into your computers is to publish your password methodologies on an internet forum"

Actually the best way to secure your PC is to publish your security arrangements including password strategies. "Security by Obscurity" is often one of biggest flaws at the heart of most people's understanding of security (not least Microsoft's).

So, for example, we can look at Dom's published system and say that his method of forming passwords is reasonably secure. However, his method of deriving base pass phrases on which to base his passwords is arguably too narrow and is certainly open to social engineering attacks ("Hey Dom, what's your favourite album?", etc.). For the most secure passwords, such as online banking, Dom may like to consider widening his source of pass phrases.

Matthew
Posted on: 22 September 2004 by matthewr
"I love how when challenged you just ignore it and go off at a tangent"

I considered a USENET style detailed reply to your last post but would have been repeating myself and ran the risk of the main point being obfuscated. So I just opted for what I thought was a plain statement of the flaw in your logic. To wit, F&PS is not a security flaw, per se, but weak passwords definitely are.

"Just, for once, explain specifically to us all why F&PS is not an issue"

I already have. But to repeat, F&PS sharing is perfectly safe and secure (the existence of currently unknown exploits notwithstanding). It only becomes non-secure when combined with other factors including weak passwords on high privilege accounts.

Further, why restrict yourself to F&PS? What about other services that are enabled by default in Windows even post SP2? What about remote desktop? What about the portmap daemon on port 135? What about the SMB service on 445?

"One laptop, by itself and with clear user behaviour issues that need addressing"

I really am repeating myself, but I will try once more:

If you connect that laptop to a public network and have a strong password it is secure (all other things being equal).

If you connect that laptop to a public network and have a weak password it is not secure.

Neither of these statements changes if you switch F&PS sharing on or off. Consequently, just telling people to switch it off makes no systems more or less secure, beyond forcing a would-be hacker to try the second thing they think of after the first thing failed to grant access.

"They do indeed have vulnerable systems but that also illustrates that passwords are not necessarily a solution"

Lesson #1, the single most important thing you can do in computer security is use a strong password. And, in the case of F&PS, strong passwords most definitely are a solution.

The real issue with F&PS is that it is symptomatic of the large amounts of poor advice that surrounds security and is repeatedly held up as an example of an insecure feature. Security "experts" regularly talk about it without even mentioning the real (and much more serious issue) which is weak passwords.

So whilst it is good practice to switch off services you do not need, whenever I see someone touting F&PS as a major security hole without mentioning the issue of passwords a big red flag pops up. Most of this guff stems from self-styled security expert Steve "Nanoprobes" Gibson and his idiotic website and "Shields Up!" software.

Matthew
Posted on: 23 September 2004 by Mike Hughes
Aw, thanks Cliff. You took the words right outta my mouth. What a sweetie.

Go on then Mathew. Over to you.

Hey, Mathew's a programmer. That explains soooo much Big Grin Big Grin Big Grin

Love and kisses,

Mike.
Posted on: 23 September 2004 by matthewr
Hi Cliff,

I think maybe you have an IT manager's view of the world in that you are misconstruing some half-remembered advice a programmer once gave you in a long and no doubt rather pointless meeting Wink

"insisted on closing down all services that were not needed for production"

That is quite correct and good security practice. However, that is different advice from just saying "Switch off F&PS" which, as I noted earlier, has become a standard piece of misleading advice that people who half understand the issues like to repeat parrot fashion.

"Their main concern with F&PS was not security per se, but confidentiality"

If you don't have strong passwords and you have externally accessible network shares, your entire machine and possibly much of your network is compromised and concerns about confidentiality are firmly in the category of fiddling while Rome burns.

"It doesn't matter what password methodology you put on F&PS because a programmer can easily hack a password only protected share with a simple looping program going through all possible combinations"

I am a bit busy right now (worrying about security issues as it happens) but suffice it to say that on the basis of this comment you plainly do not understand this issue at all.

"This is not the same as a proper server log in where you have a user and a password and a limited number of invalid log in attempts before disabling either the user or the workstation/pc/device itself"

Windows does have a "proper server log" which will show up brute force/dictionary attacks very obviously. It also has support for various aspects of password policy.

Mike said "Aw, thanks Cliff. You took the words right outta my mouth"

Do you include in that Cliff's obvious errors and misunderstandings?

Patrick -- Please explain how disabling F&PS stops people telling other people their password?

Matthew
Posted on: 23 September 2004 by matthewr
Patrick -- The point is that if you have people telling other people their passwords, anything to do with F&PS is completely irrelevant. So I struggle to understand the point you were trying to make with your previous post.

Cliff -- So basically your point was about confidentiality rather than security.

Matthew
Posted on: 23 September 2004 by matthewr
Patrick -- But in this case the security issues relating to F&PS *are* caused by duff passwords.

Cliff -- I am sorry you think that way. I try to add my knowledge and experience in areas in which I have some expertise. That's all.

My final word on the matter is this: If you get some security advice and it tells you to disable File & Printer Sharing as it's inherently secure and yet doesn't mention secure passwords, then I would strongly recommend that you treat the rest of that advice with extreme scepticism and preferably get some better advice from someone else. In my experience F&PS related mythologising and hysteria has a near 100% correlation with poor advice from people who half understand the problems.

Matthew
Posted on: 23 September 2004 by Joe Petrik
quote:
Exactemundo


Who would have guessed that "Cliff Patterson" is the nom de plume of Henry Winkler, aka "The Fonz"?

I wonder how many other celebrities walk among us...

Joe
Posted on: 23 September 2004 by matthewr
Joe,

It was suggested to me recently, by our mutual friend in fact, that Steven Toy is actually Gareth from The Office.



Although I don't suppose that means much to you.

Matthew
Posted on: 24 September 2004 by matthewr
Cliff,

You'll find *lots* of general articles about the security hysteria we have been discussing here.

For specific details of the facts with regard to File and Printer Sharing, try this.

"Even if you use good passwords on a system which doesn't disable profiles when multiple wrong attempts are made, it isn't secure"

That's just not true. Strong passwords provide more than adequate protection against dictionary and brute force attacks and provide good protection in all but the most secure applications. Even with today's processing power and bandwidth it would take a typical attack weeks to succeed.

Although password policies like lockout (which are a good idea btw) would remove the relatively small theoretical risk of a successful brute force attack against strong passwords, they are mainly designed to protect *weak* passwords not strong passwords. A strong password will defeat the sort of dictionary attack that the overwhelming majority of NETBIOS based attacks use even without a lockout policy.

Additionally, NETBIOS does allow you to set a strong ScopeID which makes all the shares invisible to non-authorised machines. When combined with strong passwords this makes F&PS more than adequately secure IMHO. I accept that if you have the CIA after you you might want to reconsider.

And, finally, if you are to allow that brute force attacks can always be broken given enough time, then your notion of "secure and confidential storage" is also flawed as I can just sit around until I successfully guess the two large prime numbers your cryptography software picked.

Like I said before, I am far from an expert, but you clearly don't know what you are talking about on this subject at all.

"Or do you keep your valuable program code on your C: drive with a share to allow you to read it from your other laptop - come on, you have to be joking"

All my PCs at work and home have valuable (at least to me) information on file shares. I am confident the security arrangements are more than strong enough.

Matthew
Posted on: 24 September 2004 by Rasher
My latest PC is 3 weeks old with XP Pro. I put SP2 on it a couple of days ago and, man, does it slow everything down or what!
I guess that every document is being scanned before opening, but it seems to take forever!! Yes, I do have Norton Internet Security 2004 on there.
Posted on: 24 September 2004 by matthewr
Lots of people have reported performance problems with Norton's AV software. It's a much more likely culprit than SP2 which should not affect performance appreciably.

Matthew
Posted on: 24 September 2004 by matthewr
"to descend into personal attacks"

I said that, on the basis of your comments, you don't know what you are talking about. That's not a personal attack; it was my impression gained from your statements.

To wit, you said "It doesn't matter what password methodology you put on F&PS because a programmer can easily hack a password only protected share with a simple looping program going through all possible combinations"

Which is flat wrong and shows a basic misunderstanding of fundamental security issues. Saying actually it's insecure because your network might have been physically breached and is vulnerable to packet sniffing does not change this.

"I've noticed a tendency for you, specifically Matthew to rubbish everything I post"

Oh for God's sake grow up.

Matthew

PS "having implemented secure banking systems involving the processing of billions of pounds worth of payments over the past 22 years"

FWIW, since 1989, so have I.
Posted on: 25 September 2004 by matthewr
Cliff,

I have provided plenty of information and links about F&PS. It's all there for you to read.

Essentially my point was:

-- When used correctly and in appropriate applications it's a perfectly safe feature and very useful. I use it all the time at work and at home and don't believe it poses any sort of realistic risk.

-- It's my experience that simplistic, blanket instructions to disable it are at best incomplete and often hysterical and a strong indicator that the advice you are being given is of poor quality.

"Furthermore your attack on Norton is completely incomprehensible"

I had numerous problems with my legitimate, paid for copy of Norton AV Professional 2004 and so stopped using it. Lots of other people have as well.

"Interestingly you never addressed my point at all about not using freeware AV software because of the spyware and adware problems you are likely to get"

I have never used any of the freeware AV products. I have not heard any complaints about spyware in AVG (the one most people use).

BTW If you wish to start listing points that were "never addressed", how about the following false or misleading statements you have made:

"XP Firewall with SP2 gives you the option to unblock applications that are trying to go out through the firewall"

"The best way to let people into your computers is to publish your password methodologies on an internet forum"

"It doesn't matter what password methodology you put on F&PS because a programmer can easily hack a password only protected share with a simple looping program going through all possible combinations"


(Incidentally, the first of these is particularly galling as you entered a thread to, AFAICT, incorrectly point out that I was wrong and then went on to complain that all I ever did was point out how you were wrong).

These statements, which I believe to be false and/or misleading, led me to question your competence to be giving advice on security. This you interpreted as a personal attack. I believe it to be a reasonable statement based on your comments.

At the same time you have said:

"Mind you with 4000 more posts than me to this forum he must be a wizz with MS Internet Explorer"

"The Matthew Robinson view of the world is this

I do this to stop that, and what ever the conversation is about, I'll ignore it and preach what I know about this and how it is cured by that.

In the "real world" users are total idiots, so giving them an operating system with a lot of choices gives them n million ways to f-up and they'll use all of them

Give them a binary choice and we hope that 50% of them won't f-up."

"PS expecting matthew to add another 4000 posts to finish this one off"

"receive the same sort of twaddle from your good self"

"Matthew you should really try to use some intellectual rigour when you make posts"

"Heres to another 4000 posts from Matthew"


All of which I would argue are personal attacks or slurs on me (not that I am terribly bothered you understand, but you did bring it up).

Finally, you complained about "pissing matches" and then promptly started one:

"I would like to question your assertion about implementing secure payment systems in banks - name one example system that you have implemented in the past two years for example"

I worked on retail and corporate online banking systems from 1989 to 1997 including systems for Barclays, Rabobank, ABN Amro, ANZ, TSB, Midland (as was), Arab National Bank, Bank of Scotland, Royal Bank of Scotland, Nationwide, and others. The software I worked on allowed secure payments from multiple end-user devices (Telephones, Videotex Terminals, DOS PCs, Windows PCs, ATMs, etc) directly into the banks' mainframes. I dealt with many aspects of security including smart cards, secure messaging, public key cryptography, etc.

Since 97 I have worked on BPM/FI products mostly in the area of financial consolidation, statutory reporting for FTSE 100 and Fortune 500 companies, and Capital Adequacy Compliance for investment banks and other securities dealers. All of these have high security requirements, and security is a subject I deal with in my professional life on a regular basis; I have steered several of our products through 3rd party security audits.

Matthew
Posted on: 25 September 2004 by bjorne
I had Norton shut down by a virus on my new pc with some major problems afterwards. This was about a week after buying the new pc and Norton... I now use avg free edition since 3 months and haven't had any problems.
Posted on: 25 September 2004 by matthewr
Cliff,

*sigh*.

"Your google/norton link generates 67000 references. "AVG problems" generates 555000 references"

You said my "attack on Norton is completely incomprehensible" so I explained what I meant: that I have had problems and stopped using it, and that other people have also had problems. Surely this is quite straightforward? Or does it remain incomprehensible?

You also asked that I address your suggestion that free AV software is full of malware. I said I had no experience of such software and no knowledge of the most commonly used piece of AV freeware containing spyware.

"the cheapest price is $33.30 so I would hardly call that "free"

AVG Free Edition

"here is an example of a website where a specific note on unblocking programs trying to access the internet is mentioned"

Add to my previous quotes from ZDNet and Zone Alarm's FAQ, three more:

"And, as we noted earlier, the firewall, though now enabled by default, is inadequate due to its lack of egress filtering, which is crucial on Windows"

From The Register

"It doesn't appear that Windows Firewall supports egress filtering, which prevents software from making an outbound connection. This is useful for catching badware trying to "phone home". The commercial personal firewalls (such as Zone Alarm) will still have an edge here if this is the case"

From http://www.unixwiz.net/techtips/xp-sp2.html

XP SP2 WF BUGS:
[...]
* outbound/outgoing (egress) packet filtering is NOT available!

From http://www.mdgx.com/xp2.htm

So, like I said, if it is blocking outbound traffic, it's being very coy about it and deceiving a lot of people who know far more about security than you or I.

(Incidentally, rather ironically, it has been suggested that XP2's firewall lacks egress filtering as the inclusion of a free full featured 2-way stateful firewall in XP SP2 would have opened it to more anti-trust suits from the likes of ZA).

"So since 97 (ie the last 7 years) you have been writing report programs to allow compliance departments to report to the FSA?"

No. Since 1989 I have worked on a number of systems with serious and complex security issues.
I have not worked in banking software since 1997.

"the first (2nd on your list) was obviously a joke (I mean why on earth would anyone tell the world how they create their passwords"

Because in telling the world how you create your passwords, you are opening the process to scrutiny and validation, and it is a fundamental principle of good computer security that you should publish and audit such aspects of your security arrangements.

If your security relies on keeping such things secret your security is almost certainly wrong. Any basic undergraduate computer security course will drum this point into you over and over again.

Consequently, your statement "The best way to let people into your computers is to publish your password methodologies on an internet forum" is wrong and demonstrates misunderstanding of fundamental security concepts.

"And the third one I guess depends on the programmer"

the "third one" being:

"It doesn't matter what password methodology you put on F&PS because a programmer can easily hack a password only protected share with a simple looping program going through all possible combinations"

This demonstrates your fundamental misunderstanding of strong passwords and F&PS vulnerabilities and dictionary and brute force attacks. Indeed, the WHOLE POINT about strong passwords is that the above is not true. I have no idea how this might "depend on the programmer".

Finally, I note that despite having raised the issue of ad hominem attacks, you have not apologised or explained the numerous such comments you have made about me.

Matthew

[This message was edited by Matthew Robinson on Sat 25 September 2004 at 18:57.]
Posted on: 25 September 2004 by John Sheridan
quote:
"It doesn't matter what password methodology you put on F&PS because a programmer can easily hack a password only protected share with a simple looping program going through all possible combinations"


seriously Cliff, do you really believe this? It would take something like 100 years to hack a strong password of only 8 characters with a 'simple looping program'. Increase that to just 9 characters and you're well into the thousands of years.
Posted on: 25 September 2004 by matthewr
Cliff,

"Opening up your password methodology to scrutiny is not what you have done. You have put it on the internet. All the worlds hackers now have a better chance of breaking into your PC than they did before"

You are still completely misunderstanding the point. Which is, that any good password selection methodology is only any good if you can show it directly to a potential attacker and it still be secure against all likely attacks.

Or to put it another way, if you have a password methodology that cannot be put on the internet as doing so would compromise its security, then you do not have a good way of generating strong passwords.

Like I say this argument is *absolutely fundamental* to lots of ideas about security. Your original comment and subsequent follow ups make it seem very likely that you do not understand this properly.

You are also ignoring the fact that the advice I gave about deriving passwords from known passphrases to create an easy to remember but difficult to guess password is essentially standard advice that is published all over the place. The fact that hackers know that people use this method does not help them guess passwords.

"Perhaps you can explain in detail how you stop a good hacker accessing data on a windows 98 pc file share?"

1. Do not bind F&PS to a TCP/IP adapter used to directly connect to the internet.

2. Set a strong NETBIOS ScopeID.

3. Define strong passwords for all user accounts.

Also what is this cobblers: "This demonstrates your fundamental misunderstanding of strong passwords "

Ok, let's break your original statement down:

"It doesn't matter what password methodology you put on F&PS"

This implies that regardless of password methodologies F&PS will be insecure to simple attacks. This is not true if you choose a strong password.

"a programmer can easily hack a password only protected share with a simple looping program going through all possible combinations"

This strongly suggests that you do not understand that a "strong password" is only strong if it is specifically not vulnerable to such an attack.

And, as John has pointed out, that you don't understand the timescales involved in "going through all possible combinations".

"Yes w3sth8m is going to take longer to hack than "abc123"

w3sth8m is not a strong password (it's a sports team with some common numerical substitutions) and would be highly vulnerable to basic dictionary attacks. It's not appreciably more secure than "abc123".

All in all your statements show strong evidence of someone who does not understand the fundamental concepts surrounding password security.

"... so even they don't like netbios"

They recommend stopping WINS because it's good practice to stop services you don't actually need, not because it's necessarily not secure.

"Also in Matthew's case he has given us some clues as to what kind of password he uses"

I described one commonly used methodology for deriving passwords that provides you with zero information about my actual passwords. (I note I did this to help someone improve their security -- and then you claimed it had exactly the opposite effect).

"easy to write the program to find the sort of data in the datastream"

The nature of strong passwords is that you cannot find them in datastreams.

"You will also note that Matthew kindly posts his entire record collection on the internet, which makes the job even easier"

So you are suggesting that a hacker would note down the contents of my record collection, somehow acquire all the lyrics, break the lyrics up into discrete phrases, take the first letter of each phrase, for each phrase generate a few thousand variants based on standard substitutions, compile this into a list and loop through it?

I can only wish them luck and assure them that the contents of my hard drive really aren't that exciting.

"This means that most programs will not be allowed to accept unsolicited communications from the Internet unless you choose to list those programs as exceptions"

In other words, that SP2's firewall does not provide egress filtering and the exceptions tab refers to exceptions for "incoming network connections".

Which strongly supports my argument and flatly contradicts yours?

"Let me apologize if I have caused offence. May I suggest that we call a truce on name calling"

Apology accepted. And I am all for an end to name calling even though I might point out, for the record, that I didn't actually call you any names.

Matthew
Posted on: 25 September 2004 by John Sheridan
quote:

Happy to hear the justification for the estimate. 36^8 (2.8 * 10^12) doesn't sound like a hundred years to me (100 years is 3 * 10^11 seconds, so his estimate is that you can only do 10 a second?) I think a hacker would be quicker and brighter than this.


For starters, 100 years = 60 seconds * 60 minutes * 24 hours * 365 days (and a bit) * 100 = 3153600000 = 3*10^9, so you're out by a factor of 100.
As for the combinations being 36 ^ 8, all I can say is "oh dear" (to put it mildly). Not heard of case sensitive passwords? That's 52 letters. Add numbers that's 62, add stuff like: £$%^&*()_+{}][~@ and that's at least 80 on an English keyboard. So 80 ^ 8 = 1677721600000000 = ~1.67 * 10 ^ 15 which is allowing for way more combinations per second than is probably possible at the moment on any computer. In fact my initial estimate of 100 years is probably out by a factor of 10 at least.
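A small calculator, added here as an example and not written by any poster in the thread, that reproduces the keyspace and "100 years" arithmetic argued over in the quote and reply above and generalises it to the other character-set sizes John lists; the 1e6 guesses per second used in the printout is an assumed rate for illustration only.

```python
"""Keyspace and brute-force time estimates for the password figures in the thread.

Assumptions: the attacker must try every combination (pure brute force), and
the guess rate is fixed. Character-set sizes follow the post: 36 (lowercase +
digits), 52 (mixed-case letters), 62 (+ digits), 80 (+ keyboard symbols).
"""
import math

# 60 s * 60 min * 24 h * 365 days * 100 years = 3153600000 (leap days ignored)
SECONDS_PER_100_YEARS = 60 * 60 * 24 * 365 * 100

CHARSETS = {
    "lower+digits": 36,
    "mixed-case": 52,
    "mixed-case+digits": 62,
    "mixed-case+digits+symbols": 80,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at a fixed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def rate_implied_by(alphabet_size: int, length: int, seconds: float) -> float:
    """Guess rate needed to exhaust the keyspace in `seconds`; used to check
    what '36^8 takes 100 years' silently assumes about the attacker."""
    return keyspace(alphabet_size, length) / seconds


if __name__ == "__main__":
    assumed_rate = 1e6  # assumed guesses per second, for illustration
    for name, size in CHARSETS.items():
        years = seconds_to_exhaust(size, 8, assumed_rate) / SECONDS_PER_100_YEARS * 100
        print(f"{name:26s} 8 chars: {keyspace(size, 8):.2e} combos, "
              f"{entropy_bits(size, 8):.1f} bits, {years:,.1f} years at {assumed_rate:.0e}/s")
    # The disputed figure: exhausting 36^8 in 100 years implies only ~895 guesses/s.
    print(f"36^8 in 100 years implies {rate_implied_by(36, 8, SECONDS_PER_100_YEARS):.0f} guesses/s")
```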
Posted on: 25 September 2004 by matthewr
"Strong or weak passwords are not an exclusive feature of F&PS..."

This is true but essentially a non sequitur...

"F&PS is not advised by auditors primarily for the reasons I have already given. Namely the lack of confidentiality"

... which you use to change the subject and avoid the point.

"You're labouring a point about passwords"

I am saying that you have made a number of basic errors and misunderstandings about *fundamental* aspects of security and that on this basis I reckon you are not competent to be giving out security advice to people on internet forums.

Clearly you know _something_ about security and computers but my overwhelming impression is that it's all half-understood and/or half-remembered and your advice, at least on this thread, has been confused, confusing, incomplete, misleading and inaccurate. Repeatedly.

"Your own method of using the first letters of a string of text is no more difficult to interpret"

I note that:

a) It is not my method at all but, by common well publicised consensus, essentially the best way to do it.

b) It's untrue to say that strong passwords are not more difficult to interpret as they inherently have no meaning.

"You would have West Ham United Football Club Are Great (whufcag with the a changed to a 1 or something) rather than Westham I suppose"

You are implying some Mystic Meg like powers on the part of potential hackers that allows them to divine an essentially arbitrary pass phrase. You don't seem to understand the exponential difference in combinatorial terms between dictionary words and proper names and pass phrases.

"Yes, and also don't bind to the wireless adapter neither"

I have F&PS sharing bound to my wireless network and it's perfectly safe. Possibly you mean "Don't bind it to non-secured wireless network" but even then, if you have a non-secured wireless network then frankly F&PS is the least of your worries.

"Not sure what you really gain by this - perhaps you can expand this a bit."

To see NETBIOS shares at all you need to be in the same scope, which is defined by ScopeID. If you set this as you would a strong password you have another level of security before we even get to password guessing.

"Perhaps I was being a bit glib"

No you were 'being a lot wrong'.

"it would require a reasonable hacker to get in"

You are again confused. Faced with a strong password, a "reasonable hacker" does not go "I is l33t h@kk3r", wave a magic wand and, using special, but unspecified, elite hacker skills, decode said password.

"password only security is not as strong as user and password security"

Again that's not really correct and betrays your lack of understanding. In practice usernames are not secret and are both widely known (e.g. "Administrator", "root") and often predictable (e.g. "mrobinson"). Hence the username provides a trivial amount of extra security and even in user/password logins 99.9% of the security resides in the password itself.

"I think a hacker would be quicker and brighter than this"

Again this is ill-informed mythologising about hacker skills and shows a lack of understanding about how it all actually works. When the situation arises, hackers typically attempt to break passwords using standard dictionary attacks and variants thereof. Brute force attacks are virtually never tried because if you can't break it with some heuristic method you will almost certainly be faced with an average time to crack the system of months if not years.

"You haven't addressed all of them, just three."

In a three page thread on a subject where you claim to have high levels of expertise based on 22 years of hard won experience you have made what I consider to be at least three glaring errors.

Don't you think that's enough for us to be at least a little questioning of your expertise generally?

"I only pointed out that if you post your methodology on the internet, it in effect gives the hackers a smaller scope for how to program their attack"

And again you explicitly repeat your fundamental misunderstanding of the points we have been arguing about.

How does, in any remotely practical sense, the fact that I once used a song lyric as a passphrase allow a heuristically directed guess at a password like "k3fat30tbw5"?

"The protocol contains a header, of sorts, which says, the following is my password. Other protocols (SNA for example) encrypt the data."

If your network is compromised to the extent that people can packet sniff on your side of the network you are basically stuffed, so issues of password strength and the like are largely irrelevant. They are probably not going to bother hacking your file shares...

"You stated that XP had no protection against programs calling the internet"

Which is true, AFAICT. And what I actually stated was that, based on a number of reliable, authoritative sources and my own experience, SP2's firewall "only does inbound filtering not outbound filtering".

"In fact it does, explicitly block certain traffic, with an exception list to allow certain programs out and data/calls back in"

Not according to all the quotes I gave *AND THE QUOTE YOU* gave, which explicitly states that the firewall exceptions tab (the bit you were claiming as evidence of egress packet filtering) offers exceptions to restrictions on ingress filtering. As YOUR QUOTE puts it, "the exceptions list [can allow programs to] accept unsolicited communications from the Internet".

Matthew
Posted on: 25 September 2004 by long-time-dead
................ I'm off to buy shares in Apple.....