Security Basics mailing list archives

Re: Suggested "safe" password length


From: "Steve" <securityfocus () delahunty com>
Date: Mon, 17 Nov 2003 13:22:13 -0500

According to NIST Special Publication 800-18 "Guide for Developing Security
Plans for Information Technology Systems", the recommended minimum number of
characters in a password is six to eight characters in a combination of
alpha, numeric, or special characters.

According to Federal Information Processing Standards Publication 112,
Password Usage Password System for Medium Protection Requirements:
1.  Length Range: 4-8
2.  Composition: U.C. Letters (A-Z), L.C. Letters (a-z), and digits (0-9)
3.  Lifetime: 6 months
4.  Source: System generated and user selected
5.  Ownership: Individual
6.  Distribution: Terminal and special mailer
7.  Storage: Encrypted passwords
8.  Entry: Non-printing keyboard and masked-printing keyboard
9.  Transmission: Cleartext
10. Authentication Period: Login and after 10 minutes of terminal inactivity.

Talking about the Windows (NT/2k) world, we have implemented hardened
passwords with periodic expiration and we have encrypted the password
database (SAM).  This is all done fairly easily in the NT domain or Active
Directory world.  We set passwords to automatically expire every 60 days and
the system reminds users that they need to change their password.  Passwords
must be at least 8 characters long.  Passwords may not contain a user name
or any part of their full name.  Passwords must include a combination of
letters, numbers, and punctuation characters.  Passwords must contain
characters from at least three of the following four classes:
    Upper Case Letters A, B, C, ... Z
    Lower Case Letters a, b, c, ... z
    Numerals 0, 1, 2, ... 9
    Non-alphanumeric special characters such as punctuation and symbols above the numbers on the keyboard.
When changing the password, the new password must be unique, not one used
previously on the system; using a variation of a previous password is an
allowable technique.

We also tell employees the following:
    Do not write down your password.
    Do not share your password with other users.
    Do not let other people know your password, even the IT staff.

In looking at what Tomas wrote below, and giving an example of our moving
from non-hardened to hardened password requirements: before we enforced
hardened passwords I could use an auditing tool like L0phtCrack
(http://www.atstake.com/products/lc/) and tell you almost everyone's password
in the firm (I had to have access to the SAM, the password database). After
applying the needed steps to ensure password hardening I could run
L0phtCrack for hours with no real results.


----- Original Message ----- 
From: "Tomas Wolf" <tomas () skip cz>
To: "Ashish Sharma" <ashishs () iitg ernet in>
Cc: <security-basics () securityfocus com>
Sent: Sunday, November 16, 2003 2:53 AM
Subject: Re: Suggested "safe" password length


Hello,

  I would like to point out that sometimes it is not about the length
only... It is about character selection and cipher used.

  Let us see some theory about it. If I would have a password of one
character I would have a choice from around ~100 ASCII characters (I
don't remember the right count of legal password characters). To break
this one I would have ~100 options of what character it could be. If I
would restrict myself to numerics only, I would have only ten (10) legal,
different choices (0-9); if we go with only alphabetical we have 26
different possibilities per character. By increasing the number of
letters, one increases (theoretically) the possible combinations that
"bruteforce" must go through. Let me note that any dictionary words
actually decrease the strength of a password. But let's get back to the
theory - so if we have only numerical values as a password we have 10^1
= 10; if we have a two letter password with only numerical values we get
10^2 = 100 possible combinations; this must be divided by 2 to get
AVERAGE possibilities before the password cracker finds the right
combination. Let's compare it to alphabetic only: one character is 26^1
= 26 possible values; two characters is 26^2 = 676 / 2 = 338 AVERAGE
tries to get a two letter, alphabetic-only password. So if we look at it
from this point, a password like "12345678" has 10^8 = 100,000,000
possibilities, while "oH_nO" has a base of lower and upper case
alphabetical letters (26+26) & also special characters (~30 characters).
The sum of these will give us ~82 possible variants for one character...
Therefore "oH_nO" is: 82^5 = 3,707,398,432 possible combinations...
So as one can see, length is not always the key :-)...

  Another element that is brought to the game is the processing power of
today's average computer... My 1.7 GHz can try ~1,500,000 combinations per
second. That doesn't take much to get to 100,000,000 combinations of a
numeric-only password.

  Cracking algorithms play some role in cracking. Using the most
probable in combination with the less probable, one can get the result
early... If one uses some uncommon character as a starter, it might be
discovered later (or earlier if the logarithm gives :-) ).
  Distributed cracking also helps... If we would have a machine for each
letter in the alphabet, then one would be able to distribute the task
and break it down into manageable chunks... Each machine would have
assigned what starting letter to start with; this way one can eliminate
one power of the whole equation.

  But that is a little off the topic... Isn't it :-)

Anyway, I might have forgotten something... But I hope even this will be
of some help...
Tomas

Ashish Sharma wrote:

Hi,
I wanted to have an idea about what should be the suggested range of
password lengths and if there is any upper bound.
I was told that there is a range up to which your password is encrypted
and beyond which the characters are futile. I work on a Linux environment
with md5 encryption of passwords enabled.
TIA
Ashish
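The keyspace arithmetic in Tomas's message and the three-of-four-classes policy Steve describes, as an added worked example that is not part of any post in this thread. It uses Tomas's class sizes (26 upper, 26 lower, 10 digits, his ~30 specials) and his 1,500,000 tries/second figure; the function names and the username/full-name check are this example's own assumptions about how Steve's rules would be coded.

```python
# Character-class sizes as Tomas counts them; "special" is his ~30 estimate.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 30}
TRIES_PER_SECOND = 1_500_000  # rate Tomas quotes for his 1.7 GHz machine


def classes_used(password):
    """Return the set of character classes that appear in the password."""
    used = set()
    for ch in password:
        if ch.isupper():
            used.add("upper")
        elif ch.islower():
            used.add("lower")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("special")
    return used


def keyspace(password):
    """Brute-force keyspace: (sum of the sizes of the classes used) ** length.
    This is the "12345678" -> 10^8 and "oH_nO" -> 82^5 calculation."""
    base = sum(CLASS_SIZES[c] for c in classes_used(password))
    return base ** len(password)


def average_tries(password):
    """Expected tries before a brute-forcer hits: half the keyspace."""
    return keyspace(password) // 2


def seconds_to_crack(password, rate=TRIES_PER_SECOND):
    """Average time at a fixed guessing rate (single machine, no dictionary)."""
    return average_tries(password) / rate


def meets_policy(password, username, full_name):
    """Steve's rules: at least 8 chars, characters from at least three of the
    four classes, and no user name or part of the full name inside it.
    (The case-insensitive substring check is this example's assumption.)"""
    if len(password) < 8:
        return False
    if len(classes_used(password)) < 3:
        return False
    lowered = password.lower()
    name_parts = [username] + full_name.split()
    return not any(part and part.lower() in lowered for part in name_parts)
```

Note that "oH_nO" has the larger keyspace Tomas computes yet fails Steve's policy on length alone; the two views are complementary, not competing.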

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------