Security Basics mailing list archives
Re: Minimum password requirements
From: Jonathan Loh <kj6loh () yahoo com>
Date: Sat, 24 Jul 2004 21:06:27 -0700 (PDT)
--- dmargoli () stwing org wrote:
> Now let's think about this from a more accurate perspective. Assuming an attacker randomly tries passwords (the chances of him brute-forcing *every single possible password* in linear order are minimal; assuming 8 character passwords guessed at 1 per second, we're talking years here), changing the password does not significantly help your chances. The benefit here is by whether he can guess with replacement or without (as in, should he guess another random password, or a random password that he hasn't already guessed--can he narrow his guessing set?). So 8 character alphanumeric, caps and lower, gives us 218340105584896 possible passwords. At one per second, over a 30 day period, going non-stop (and if your logs don't catch *this*, you should think twice), he guesses 2592000 passwords. So if he's allowed to assume no guessing the same password twice--i.e. that you don't cycle your passwords regularly--he can better his odds from 1/218340105584896 to 1/218340102992896. Not a significant change. In fact, so insignificant that if *I* were the attacker, I wouldn't bother keeping track of passwords I'd guessed. So does this make you safer against brute forcing? Perhaps a very small amount.
Yes, I agree with your math, and the odds do not sound very good. But having been a system administrator for a number of years, even going back to a time when there were totally unencrypted passwords, I remember seeing passwords like 'succeed' and 'tihsllub' (try reading that backwards), and other English dictionary words. So the number of English words is significantly smaller than your 218340105584896. A quick look on the web and there are roughly 50-60k words (for argument's sake we'll say it's about 100 to 150k). Most end users are not as technically minded to come up with a password of 'iYtsQek9' or some nonsensical word like that. Moreover, if they do come up with a password that complicated they usually write it down and put it near their computer, which would render the system very insecure, as you state later.

Now if we assume your scheme of 1 password/second and 100k words in the English language, that means 86,400 guesses per day. So by the end of the second day most passwords would be cracked, given some substitutions too, i.e. 1 for i or l. That's only given one dedicated computer. With distributed processing that will speed it up even more. This is one reason why people put in timeouts every 3 to 6 invalid login attempts.

I don't agree with locking anyone out. It may warrant a chat if it really looks as if someone is trying to break into his account. I remember someone who regularly for a week tried to log in as root. He never made it. But we talked to him and he was using Linux for the first time and was doing everything as root until he realized it was a bad idea. So he tried to rlogin to our box without the username argument and so it would show up as an attempted root login, which it was, but it was an error on the part of a novice sysadmin. There are gives and takes.

Now many modern password programs do simple checking against a dictionary. But then there will be things like 'c0m3f156' (comefish) and so on and so forth that will escape simple password checks. With the fact that many web servers allow users' homes to house a website where the URL is somehost/~user, it's a lot easier to find usernames now.
> Weak passwords are a serious problem, I agree.
Agreed, but this is such a simple step in helping to solve a monstrous issue that I think it warrants our time and attention.
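As an added example, not code from either poster on this thread: a Python check that does what the reply says simple dictionary lookups fail to do, namely catch reversed words like 'tihsllub' and leetspeak like 'c0m3f156' (comefish) by undoing the substitutions before comparing, together with the search-space arithmetic both posters use (62^8 random passwords versus a 100k-word dictionary at one guess per second). The wordlist is a constructed sample, the '6' to 'h' mapping is an assumption made to match the post's spelling, and the names `readings`, `weakness_reasons`, `keyspace` and `days_to_exhaust` are chosen here.

```python
"""Added example (not code from either poster): a dictionary-aware password
check that catches the weak patterns described in the thread, plus the
search-space arithmetic both posters use."""

import string

# Constructed sample wordlist for this example. A real check would load a
# full dictionary such as /usr/share/dict/words (roughly 100k entries).
SAMPLE_WORDS = frozenset({
    "succeed", "bullshit", "come", "fish", "password", "secret",
    "linux", "summer", "dragon",
})

# Substitutions an attacker's rule set undoes before comparing against the
# dictionary. '1' may stand for 'i' or 'l', so it expands to both letters.
# Mapping '6' to 'h' is an assumption, to cover the 'c0m3f156' spelling
# used in the post; the other mappings are conventional leetspeak.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "6": "h",
        "7": "t", "@": "a", "$": "s", "!": "i", "+": "t"}


def readings(password, limit=1024):
    """Every way of reading password as plain letters: the lowercased
    original plus all LEET expansions, e.g. 'c0m3f15h' -> includes
    'comefish' and 'comeflsh'. Capped at `limit` variants."""
    variants = [""]
    for ch in password.lower():
        choices = ch + LEET.get(ch, "")   # original char first, then letters
        variants = [v + c for v in variants for c in choices][:limit]
    return set(variants)


def weakness_reasons(password, words=SAMPLE_WORDS):
    """Reasons the password is dictionary-weak; empty list if none found.

    Checks each reading, with and without leading/trailing digits, for:
    a dictionary word, a reversed word ('tihsllub'), or two words joined
    ('comefish')."""
    reasons = []

    def note(reason):
        if reason not in reasons:
            reasons.append(reason)

    for v in readings(password):
        for cand in {v, v.strip(string.digits)}:   # 'secret123' -> 'secret'
            if cand in words:
                note("dictionary word")
            if cand[::-1] in words:
                note("reversed dictionary word")
            if any(cand[:i] in words and cand[i:] in words
                   for i in range(2, len(cand) - 1)):
                note("two dictionary words joined")
    return reasons


def keyspace(charset_size, length):
    """Distinct passwords of exactly `length` characters from the charset;
    62 ** 8 is the 218340105584896 figure quoted in the thread."""
    return charset_size ** length


def days_to_exhaust(candidates, guesses_per_second=1.0):
    """Days needed to try every candidate non-stop at the given rate."""
    return candidates / guesses_per_second / 86400


if __name__ == "__main__":
    for pw in ("succeed", "tihsllub", "c0m3f15h", "Summer2004", "iYtsQek9"):
        print(f"{pw:12} {weakness_reasons(pw) or 'no dictionary weakness found'}")
    full = keyspace(62, 8)
    print(f"{full} random 8-char passwords: {days_to_exhaust(full):.0f} days "
          f"at 1 guess/s, versus {days_to_exhaust(100_000):.2f} days for a "
          f"100k-word dictionary")
```

The expansion is bounded by `limit` so a long password full of digits cannot blow up the check; the `strip(string.digits)` step is what catches the 'word plus year' habit. Production checkers such as cracklib (behind pam_cracklib) and zxcvbn apply rules of this kind against far larger wordlists, which is the practical answer to the 'c0m3f156' escape the reply describes.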
Current thread:
- RE: Minimum password requirements, (continued)
- RE: Minimum password requirements Ferino Mardo (Jul 21)
- Re: Minimum password requirements Hamish Stanaway (Jul 21)
- Re: Minimum password requirements dmargoli (Jul 22)
- Re: Minimum password requirements Steve (Jul 23)
- Re: Minimum password requirements dmargoli (Jul 23)
- RE: Minimum password requirements Dave Dyer (Jul 26)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 26)
- RE: Minimum password requirements Ed Spencer (Jul 26)
- Re: Minimum password requirements dmargoli (Jul 22)
- RE: Minimum password requirements Andrew Aris (Jul 23)
- RE: Minimum password requirements Jeremy Novak (Jul 26)
- Re: Minimum password requirements Jonathan Loh (Jul 26)
- Re: Minimum password requirements Gethin Jones (Jul 26)