Security Basics mailing list archives

RE: Minimum password requirements


From: <sceee1991 () yahoo com>
Date: 24 Jul 2004 02:23:42 -0000



All your comments may be true, but I still think that mandatory 
password changing is necessary and in some environments I think 30 or 45 days 
maximum is reasonable.  Although this example is extreme, it is 
realistic.  Let's assume a dictionary attack rather than a brute force attack, 
and let's say that you only use the top 100 passwords that meet complex 
password requirements.  If you also know the username requirements of 
the company you are hacking (i.e.  first letter of first name followed 
by the last name) you could launch an attack against this company with 
user names you found through social engineering and use one password a 
day against each of these known accounts.  Before this list of passwords 
is exhausted the chances are you will have broken into an account.  
Extreme?  Yes.  Unlikely?  I am not sure.  
 
A second example is a situation where you are able to obtain the 
password file.  At this point you aren't limited with how strong your attack 
is.  You could put every machine you have access to on the project, 
each conducting a different segment of the attack against the file, some 
brute forcing, some dictionary, and each using different criteria.  It 
is very likely that you will crack that password within 90 days.
 
In either of these instances you might never know that the password has 
been cracked and the 90-day max will at least change the compromised 
password and may prevent its cracking (although it may not).
 
True enough, requiring mandatory password changes will cause weak or 
easy to find passwords, but unfortunately these already exist.  I think 
the best answer is to educate the user how to develop a very strong 
password strategy that is easy to remember as well as the need for strong 
passwords.  Will this remedy the whole situation?  Probably not, but it 
will help it.  
 
Now let's think about this from a more accurate perspective. 
Assuming an attacker randomly tries passwords (the chances of 
him brute-forcing *every single possible password* in linear 
order are minimal; assuming 8 character passwords guessed at 
1 per second, we're talking years here), changing the 
password does not significantly help your chances. The 
benefit here is by whether he can guess with replacement or 
without (as in, should he guess another random password, or a 
random password that he hasn't already guessed--can he narrow 
his guessing set?). So 8 character alphanumeric, caps and 
lower, gives us 218340105584896 possible passwords. At one 
per second, over a 30 day period, going non-stop (and if your 
logs don't catch *this*, you should think twice), he guesses 
2592000 passwords. So if he's allowed to assume no guessing 
the same password twice--i.e. that you don't cycle your 
passwords regularly--he can better his odds from 
1/218340105584896 to 1/218340102992896. Not a significant 
change. In fact, so insignificant that if *I* were the 
attacker, I wouldn't bother keeping track of passwords I'd 
guessed. So does this make you safer against brute forcing? 
Perhaps a very small amount.
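The arithmetic in the second half of this message, worked through as an added example (not code from the list post): it reproduces the 62^8 keyspace, the 30-day guess count and the odds with and without replacement, and adds a function that compares a rotation interval against the attacker's whole window. The alphabet, length, one-guess-per-second rate and the function names are assumptions taken from or chosen for this post.

```python
import math
from fractions import Fraction

# Assumptions taken from the post: mixed-case alphanumerics, 8 characters,
# one guess per second, attacker runs non-stop.
ALPHABET = 26 + 26 + 10
LENGTH = 8
RATE_PER_SEC = 1
SECONDS_PER_DAY = 86_400

def keyspace(length=LENGTH, alphabet=ALPHABET):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length

def guesses(days, rate=RATE_PER_SEC):
    """Guesses an attacker submits over `days` at a constant rate."""
    return rate * SECONDS_PER_DAY * days

def per_guess_odds(already_tried, space=None):
    """Odds that the *next* guess hits, once `already_tried` distinct wrong
    guesses have been eliminated (the 'without replacement' attacker)."""
    space = keyspace() if space is None else space
    return Fraction(1, space - already_tried)

def p_success(n, space=None, without_replacement=True):
    """Probability that n guesses find a uniformly random, fixed password.
    Exact Fraction without replacement; with replacement uses log1p/expm1
    so the tiny probability is not lost to floating-point rounding."""
    space = keyspace() if space is None else space
    if without_replacement:
        return Fraction(n, space)
    return -math.expm1(n * math.log1p(-1.0 / space))

def p_success_with_rotation(total_days, rotate_every, rate=RATE_PER_SEC, space=None):
    """Cumulative success probability when the password changes every
    `rotate_every` days: each window is a fresh target, so the attacker's
    list of already-tried candidates is worthless after a change."""
    space = keyspace() if space is None else space
    windows, leftover = divmod(total_days, rotate_every)
    p_fail = (1 - p_success(guesses(rotate_every, rate), space)) ** windows
    p_fail *= 1 - p_success(guesses(leftover, rate), space)
    return 1 - p_fail

if __name__ == "__main__":
    n30 = guesses(30)
    print("keyspace", keyspace(), "guesses/30d", n30, "odds after 30d", per_guess_odds(n30))
    print("90-day risk cut by 30-day rotation:", float(p_success(guesses(90)) - p_success_with_rotation(90, 30)))
```

The rotation benefit it reports is on the order of 1e-16, which is the post's "not a significant change" in numbers.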

