Security Basics mailing list archives

Re: Suggested "safe" password length


From: "Patrick M Darienzo Jr" <pdarienzo () keyspanenergy com>
Date: Fri, 14 Nov 2003 14:59:07 -0500

I recently had a similar question about optimal password length from one
of our relatively non-technical clients, who was told that it was better
to use a 7 character password over one of eight. Here was our "plain
English" response:

    For starters, a strong six character password is definitely better
than a weak one of eight or nine.
    Next, everyone understands that a password with a length of, say, 2
is easier to break than one of 7. If I told you that there was a high
likelihood that it consisted of only special characters, it would take
even less time to crack.
    Since an NT password is padded out to 14 characters and then broken
into two 7-byte separate passwords, a 9-character password essentially
becomes a 7-length password and a 2-length password.
    As password length increases, people tend to add the special
characters at the end of the word (as in "ImaL3X!@2"). The result is
that there is an increased likelihood that the final two characters
("@2" in this example) are special characters. If this was the extent of
the password, it would be completely ineffectual. The extra two
characters, in this case, are essentially irrelevant to the strength of
the password. For all intents and purposes, it is as effective as a
7-character password.
    The misconception is that decrypting the final two characters will
aid a cracker in determining the first seven. Because of the hashing
algorithm used to store NT passwords, there is no technical advantage to
be gained from knowing the final two characters. The only way this might
happen is if the cracker has set up a dictionary attack that looks for a
recognized pattern. For example, if the 8-9 positions are "HI", the
cracker might leap to try "ABCDEFG" as the first 7, or if mine was "ZO",
he might try "PDARIEN" as a guess.
    Also, most password cracking tools are familiar with the common
tricks of reversing words, letter substitution (using a "5" for an "S"
or a "0" for an "O"), and keyboard sequencing ("qwertyuio"), so they do
not make it any more difficult for a determined cracker.
    No one denies that the eighth character may be easily decrypted.
However, a password with a length of 8 will be at least as hard to crack
as one of 7 (again, provided the eighth character doesn't covertly
convey any indication of a pattern).
    And likewise, a strong 8 character password is still better than a
strong one of 7.
    And finally, the hashing algorithm, the password storage procedure
and the manner in which Windows handles upper and lower case have all
been improved in Windows 2000.
    For generally secure passwords, our recommendations were that the
clients use the full eight characters, embedding non-alphabetics, using
both upper and lower case (which I believe, was ignored in the old NT
hashing), and avoid having any part of the password be a word found in
a dictionary.
    Bottom line: Any password, no matter the length, is only as strong
as the logic used in constructing it.

Pat Darienzo, CISSP
Keyspan
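An added illustration (not part of Pat's post) of the LM pre-processing he describes: upper-casing, NUL-padding to 14 bytes and splitting into two independently hashed 7-byte halves. SHA-256 stands in for the real DES step so the example runs with the standard library only; the structural point, that each half is attacked on its own, is unchanged.

```python
import hashlib

# Character classes left once LM has upper-cased the password:
# 26 uppercase letters, 10 digits and 33 printable specials
# (95 printable ASCII minus the 26 lowercase letters that LM folds away).
LM_CHARSET_SIZE = 26 + 10 + 33

def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Upper-case, pad with NULs to 14 bytes, split into two 7-byte halves."""
    if len(password) > 14:
        raise ValueError("LM hash only covers 14 characters")
    padded = password.upper().encode("ascii").ljust(14, b"\x00")
    return padded[:7], padded[7:]

def half_digest(half: bytes) -> str:
    # STAND-IN for DES: real LM uses each 7-byte half as a DES key to encrypt
    # the constant "KGS!@#$%" (the all-NUL half always gives AAD3B435B51404EE).
    # SHA-256 keeps this dependency-free; what matters is that each half is
    # hashed with no input from the other.
    return hashlib.sha256(half).hexdigest()[:16]

def lm_like_hash(password: str) -> str:
    first, second = lm_halves(password)
    return half_digest(first) + half_digest(second)

def brute_force_work(password: str) -> tuple[int, int]:
    """Worst-case guesses per half if only the charset is known: the second
    half of a 9-character password is a 2-character search, not a 9."""
    return tuple(LM_CHARSET_SIZE ** len(h.rstrip(b"\x00"))
                 for h in lm_halves(password))

if __name__ == "__main__":
    pw = "ImaL3X!@2"                    # the example password from the post
    print(lm_halves(pw))                # (b'IMAL3X!', b'@2\x00\x00\x00\x00\x00')
    print(lm_like_hash(pw)[16:] == lm_like_hash("@2")[:16])  # True
    print(brute_force_work(pw))         # (69**7, 69**2)
```

The second comparison is the crux of the post: the trailing "@2" hashes exactly as a standalone two-character password would, and case folding means "password" and "PaSsWoRd" collide.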


