Best password: Complexity or length?

* Patches from Debian, Gentoo, Mandriva, others
* Beware latest Rbot and Sdbot variants

There was an interesting post to the BugTraq mailing list this week by InfoWorld columnist Roger Grimes. He's challenging people to break his NT password hash that is 10 characters long. The winner gets $100.

His premise is that a long password is better than a shorter one made up of random characters. The post can be found here.

Grimes' InfoWorld column on the subject is here.

So what's better? Complexity or length or both? Drop me a line to and I'll publish the unofficial survey results in an upcoming newsletter.

Today's bug patches and security alerts:

Trustix releases new multi update

The latest update pack from Trustix repairs flaws in GnuPG, the kernel and Samba. The flaws could be exploited in denial-of-service attacks against an affected machine.


New updates from Mandriva:

* kernel (race condition)
* webmin (read files)
* libtunepimp (multiple flaws)
* gimp (buffer overflow)
* wireshark (multiple flaws)
* freetype2 (buffer overflow)
* kdelibs (denial of service)


New updates from Gentoo:

* libpng (buffer overflow)
* xine-lib (buffer overflow)


New patches for Debian:

* hashcash (buffer overflow)
* GnuPG2 (denial of service)
* Mozilla (multiple flaws)
* hiki (denial of service)


Today's roundup of virus alerts:

W32/Rbot-ETT -- A new Rbot variant that spreads through network shares by exploiting known Windows flaws and weak passwords. It drops "msconfigs.exe" in the System folder and allows backdoor access through IRC. (Sophos)

Troj/Hyder-A -- This Trojan creates a hidden local admin account on the infected host and can communicate with remote sites via HTTP. It drops a randomly-named EXE file in the <Common Files>\System\ folder. (Sophos)

Troj/QQRob-RP -- An information stealing Trojan that can communicate with remote sites to share its bounty. It drops "NTdHcP.exe" in the Windows System folder. (Sophos)

Troj/QQRob-QX -- A second similar QQRob variant that also drops "Deleteme.bat" in the Windows folder. (Sophos)

W32/VB-CAI -- A virus that spreads through peer-to-peer file sharing networks. It initially drops "" in the Windows folder. No word on any permanent damage caused. (Sophos)

Troj/SrchSpy-C -- A virus that seems to monitor Internet browsing habits and can change search queries. It installs "IEFilter.dll" and "Service.exe" in the System folder. (Sophos)

W32/Sdbot-CCR -- A new Sdbot variant that drops "Mscfg.exe" in the Windows folder and allows backdoor access through IRC. It spreads through network shares by exploiting known Windows flaws. (Sophos)

Copyright © 2006 IDG Communications, Inc.