Security Basics mailing list archives
Re: Suggested "safe" password length
From: "Steve" <securityfocus () delahunty com>
Date: Mon, 17 Nov 2003 13:22:13 -0500
According to NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems", the recommended minimum number of characters in a password is six to eight characters in a combination of alpha, numeric, or special characters.

According to Federal Information Processing Standards Publication 112, "Password Usage", Password System for Medium Protection Requirements:

1. Length Range: 4-8
2. Composition: U.C. Letters (A-Z), L.C. Letters (a-z), and digits (0-9)
3. Lifetime: 6 months
4. Source: System generated and user selected
5. Ownership: Individual
6. Distribution: Terminal and special mailer
7. Storage: Encrypted passwords
8. Entry: Non-printing keyboard and masked-printing keyboard
9. Transmission: Cleartext
10. Authentication Period: Login and after 10 minutes of terminal inactivity.

Talking about the Windows (NT/2k) world, we have implemented hardened passwords with periodic expiration and we have encrypted the password database (SAM). This is all done fairly easily in the NT domain or Active Directory world. We set passwords to automatically expire every 60 days and the system reminds users that they need to change their password.

- Passwords must be at least 8 characters long.
- Passwords may not contain a user name or any part of their full name.
- Passwords must include a combination of letters, numbers, and punctuation characters.
- Passwords must contain characters from at least three of the following four classes:
  - Upper Case Letters A, B, C, ... Z
  - Lower Case Letters a, b, c, ... z
  - Numerals 0, 1, 2, ... 9
  - Non-alphanumeric special characters such as punctuation and symbols above the numbers on the keyboard.
- When changing the password, the new password must be unique, not one used previously on the system; using a variation of a previous password is an allowable technique.

We also tell employees the following:

- Do not write down your password.
- Do not share your password with other users.
- Do not let other people know your password, even the IT staff.

In looking at what Tomas wrote below and giving an example of our moving from non-hardened to hardened password requirements: before we enforced hardened passwords I could use an auditing tool like L0phtCrack (http://www.atstake.com/products/lc/) and tell you almost everyone's password in the firm (I had to have access to the SAM, the password database). After applying the needed steps to ensure password hardening I could run L0phtCrack for hours with no real results.

----- Original Message -----
From: "Tomas Wolf" <tomas () skip cz>
To: "Ashish Sharma" <ashishs () iitg ernet in>
Cc: <security-basics () securityfocus com>
Sent: Sunday, November 16, 2003 2:53 AM
Subject: Re: Suggested "safe" password length

Hello,

I would like to point out that sometimes it is not about the length only... It is about character selection and cipher used. Let us see some theory about it.

If I would have a password of one character I would have a choice from around ~100 ASCII characters (I don't remember the right count of legal password characters). To break this one I would have ~100 options of what character it could be. If I would restrict myself to numerics only, I would have only ten (10) legal, different choices (0-9); if we go with only alphabetical we have 26 different possibilities per character. By increasing the number of letters, one increases (theoretically) the possible combinations that "bruteforce" must go through. Let me note that any dictionary words actually decrease the strength of a password.

But let's get back to the theory - so if we have only numerical values as a password we have 10^1 = 10; if we have a two letter password with only numerical values we get 10^2 = 100 possible combinations; this must be divided by 2 to get AVERAGE possibilities before the password cracker finds the right combination. Let's compare it to alphabetic only: one character is 26^1 = 26 possible values; two characters is 26^2 = 676 / 2 = 338 AVERAGE tries to get a two letter, alphabetic-only password.

So if we look at it from this point, a password like "12345678" has 10^8 = 100,000,000 possibilities, while "oH_nO" has a base of lower and upper case alphabetical letters (26+26) & also special characters (~30 characters). The sum of these will give us ~82 possible variants for one character... Therefore "oH_nO" is: 82^5 = 3,707,398,432 possible combinations... So as one can see, length is not always the key :-)...

Another element that is brought to the game is the processing power of today's average computer... My 1.7 GHz can try ~1,500,000 combinations per second. That doesn't take much to get to 100,000,000 combinations of a numeric-only password.

Cracking algorithms play some role in cracking. Using the most probable in combination with the less probable, one can get the result early... If one uses some uncommon character as a starter, it might be discovered later (or earlier if the algorithm gives :-) ). Distributed cracking also helps... If we would have a machine for each letter in the alphabet, then one would be able to distribute the task and break it down into manageable chunks... Each machine would have assigned what starting letter to start with; this way one can eliminate one power of the whole equation. But that is a little off the topic... Isn't it :-)

Anyway, I might have forgotten something... But I hope even this will be of some help...

Tomas

Ashish Sharma wrote:
Hi,

I wanted to have an idea about what should be the suggested range of password lengths and if there is any upper bound. I was told that there is a range up to which your password is encrypted and beyond which the characters are futile. I work on a Linux environment with MD5 encryption of passwords enabled.

TIA
Ashish
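As an added example (not code from Steve's or Tomas's posts), the following Python reproduces Tomas's keyspace arithmetic (class sizes summed, raised to the length, halved for the average number of guesses, divided by his quoted 1,500,000 guesses per second) and checks a candidate against the rules Steve lists. The class sizes 26/26/10/~30 are the post's own figures; using string.punctuation to decide what counts as a "special" character, and the user-name check matching whole name tokens, are assumptions made here.

```python
import string

# Class sizes as Tomas's post counts them: 26 lower, 26 upper, 10 digits and
# "~30" specials, so that mixing all four gives the post's ~82-character base.
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": 30}
# Membership is decided with Python's own character tables (assumption: the
# keyboard specials mentioned in the post are approximated by string.punctuation).
CLASS_CHARS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
GUESSES_PER_SECOND = 1_500_000  # the rate Tomas quotes for his 1.7 GHz machine


def classes_used(password):
    """Names of the character classes that actually occur in the password."""
    return {name for name, chars in CLASS_CHARS.items() if any(c in chars for c in password)}


def keyspace(password):
    """Brute-force search space implied by the classes used: (sum of class sizes) ** length.
    "12345678" -> 10**8 and "oH_nO" -> 82**5, exactly as in the post."""
    base = sum(CLASS_SIZE[name] for name in classes_used(password))
    return base ** len(password)


def average_tries(password):
    """Expected guesses before an exhaustive search hits the password: half the keyspace."""
    return keyspace(password) // 2


def seconds_to_crack(password, rate=GUESSES_PER_SECOND):
    """Average exhaustive-search time at `rate` guesses per second."""
    return average_tries(password) / rate


def meets_policy(password, username, full_name):
    """Steve's stated rules: at least 8 characters, characters from at least three
    of the four classes, and no user name or part of the full name inside it."""
    if len(password) < 8 or len(classes_used(password)) < 3:
        return False
    lowered = password.lower()
    banned = [username.lower()] + [part.lower() for part in full_name.split()]
    return not any(part and part in lowered for part in banned)


if __name__ == "__main__":
    for pw in ("12345678", "oH_nO", "Tr0ub4dor&3"):  # constructed sample passwords
        print(pw, keyspace(pw), f"{seconds_to_crack(pw):.1f}s", meets_policy(pw, "jsmith", "John Smith"))
```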