Security Basics mailing list archives
RE: Minimum password requirements
From: <sceee1991 () yahoo com>
Date: 24 Jul 2004 02:23:42 -0000
All your comments may be true, but I still think that mandatory password changing is necessary, and in some environments I think 30 or 45 days maximum is reasonable. Although this example is extreme, it is realistic. Let's assume a dictionary attack rather than a brute force attack, and let's say that you only use the top 100 passwords that meet complex password requirements. If you also know the username requirements of the company you are hacking (i.e. first letter of first name followed by the last name), you could launch an attack against this company with user names you found through social engineering and use one password a day against each of these known accounts. Before this list of passwords is exhausted, the chances are you will have broken into an account. Extreme? Yes. Unlikely? I am not sure.

A second example is a situation where you are able to obtain the password file. At this point you aren't limited in how strong your attack is. You could put every machine you have access to on the project, each conducting a different segment of the attack against the file, some brute forcing, some dictionary, and each using different criteria. It is very likely that you will crack that password within 90 days. In either of these instances you might never know that the password has been cracked, and the 90-day max will at least change the compromised password and may prevent its cracking (although it may not).

True enough, requiring mandatory password changes will cause weak or easy-to-find passwords, but unfortunately these already exist. I think the best answer is to educate the user on how to develop a very strong password strategy that is easy to remember, as well as on the need for strong passwords. Will this remedy the whole situation? Probably not, but it will help.
Now let's think about this from a more accurate perspective. Assuming an attacker randomly tries passwords (the chances of him brute-forcing *every single possible password* in linear order are minimal; assuming 8-character passwords guessed at 1 per second, we're talking years here), changing the password does not significantly help your chances. The benefit here depends on whether he can guess with replacement or without (as in, should he guess another random password, or a random password that he hasn't already guessed; can he narrow his guessing set?). So 8-character alphanumeric, caps and lower, gives us 218340105584896 possible passwords. At one per second, over a 30-day period, going non-stop (and if your logs don't catch *this*, you should think twice), he guesses 2592000 passwords. So if he's allowed to assume no guessing the same password twice, i.e. that you don't cycle your passwords regularly, he can better his odds from 1/218340105584896 to 1/218340102992896. Not a significant change. In fact, so insignificant that if *I* were the attacker, I wouldn't bother keeping track of passwords I'd guessed. So does this make you safer against brute forcing? Perhaps a very small amount.
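The two attack models argued over above (the quoted post's one-guess-per-day spray from a top-100 list, and the reply's 62^8 brute force at one guess per second) put into numbers, as an added worked example that is not part of either post. The function names, the 500-account company, the 1-in-20 "fraction of users whose password is on the list", and the assumption that a rotated password is a fresh uniform draw from the same space are all illustrative assumptions, not figures from the thread. It reproduces the reply's 2592000 guesses and 1/218340102992896 odds exactly, and then shows the general point the numbers suggest: rotation only matters when the attacker can cover a meaningful fraction of the space inside one rotation window.

```python
# Added example, not code from the original posts: the thread's two attack
# models turned into numbers so the effect of rotation can be compared.
# Every rate, list size and user-population figure below is an assumption
# chosen for illustration, not a figure from the thread.
import math
from fractions import Fraction

# 8 characters, upper + lower + digits: the keyspace used in the reply above.
KEYSPACE_8_ALNUM = 62 ** 8  # 218340105584896
SECONDS_PER_DAY = 86400


def guesses_in_window(days, rate_per_second=1):
    """Online guesses an attacker gets in `days` at a steady rate."""
    return days * SECONDS_PER_DAY * rate_per_second


def p_fixed_password(n_guesses, keyspace):
    """Success probability when the password is uniform over `keyspace`, never
    changes, and the attacker never repeats a guess: n / N, kept exact."""
    return Fraction(min(n_guesses, keyspace), keyspace)


def p_with_replacement(n_guesses, keyspace):
    """Success probability when each guess is an independent uniform draw, i.e.
    the attacker keeps no record of what was tried: 1 - (1 - 1/N)^n.
    Uses log1p/expm1 so the result stays accurate when 1/N is tiny."""
    return -math.expm1(n_guesses * math.log1p(-1.0 / keyspace))


def p_next_guess_after_eliminating(n_wrong, keyspace):
    """The odds quoted in the reply: chance that the *next* guess is right once
    `n_wrong` distinct passwords have been ruled out."""
    return Fraction(1, keyspace - n_wrong)


def p_with_rotation(n_per_period, periods, keyspace, n_last_period=None):
    """Password is redrawn uniformly at the start of each period (rotation), so
    eliminations from earlier periods are worthless; periods are independent.
    `n_last_period` allows a final, shorter period."""
    miss = (1 - p_fixed_password(n_per_period, keyspace)) ** periods
    if n_last_period:
        miss *= 1 - p_fixed_password(n_last_period, keyspace)
    return 1 - miss


def rotation_benefit_bruteforce(total_days, rotation_days, rate_per_second=1,
                                keyspace=KEYSPACE_8_ALNUM):
    """One fixed password for `total_days` versus rotation every
    `rotation_days`, same guessing budget. Returns (p_fixed, p_rotated,
    relative_reduction). Illustration assumes whole rotation periods."""
    periods, rem = divmod(total_days, rotation_days)
    assert rem == 0, "illustration assumes total_days is a multiple of rotation_days"
    p_fixed = p_fixed_password(guesses_in_window(total_days, rate_per_second), keyspace)
    p_rot = p_with_rotation(guesses_in_window(rotation_days, rate_per_second),
                            periods, keyspace)
    return p_fixed, p_rot, float((p_fixed - p_rot) / p_fixed)


def spray_expected_compromises(accounts, list_size, frac_on_list, days,
                               guesses_per_day=1, rotation_days=None):
    """Spray model from the quoted post: one guess per account per day, walking
    a top-`list_size` list. Assumption (not from the thread): a fraction
    `frac_on_list` of users hold a password uniformly drawn from that list, and
    on rotation they draw a fresh one from the same list."""
    if rotation_days is None:
        p = p_fixed_password(days * guesses_per_day, list_size)
    else:
        full, rem = divmod(days, rotation_days)
        p = p_with_rotation(rotation_days * guesses_per_day, full, list_size,
                            n_last_period=rem * guesses_per_day)
    return accounts * frac_on_list * p


if __name__ == "__main__":
    n30 = guesses_in_window(30)
    print("guesses in 30 days at 1/s:", n30)
    print("odds of the next guess after eliminating those:",
          p_next_guess_after_eliminating(n30, KEYSPACE_8_ALNUM))
    fixed, rotated, reduction = rotation_benefit_bruteforce(90, 30)
    print("brute force, 90 days fixed vs 30-day rotation: "
          f"{float(fixed):.3e} vs {float(rotated):.3e} (reduction {reduction:.1e})")
    # Assumed 500-account company, 1 in 20 users on the top-100 list.
    for rot in (None, 30):
        print(f"spray, 90 days, rotation={rot}: expected compromises "
              f"{float(spray_expected_compromises(500, 100, Fraction(1, 20), 90, rotation_days=rot)):.2f}")
```

Against the full 62^8 space the 30-day rotation changes the attacker's 90-day odds by about one part in a hundred million, which is the reply's point. Against a 100-entry list probed once a day, the same rotation cuts expected compromises noticeably, which is the quoted poster's point. The model also shows why with-replacement and without-replacement guessing are indistinguishable in practice here: the gap between 1 - (1 - 1/N)^n and n/N is of order n^2/N^2. A lockout or rate-limit that caps n changes every line above far more than the rotation interval does.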
Current thread:
- Re: Minimum password requirements, (continued)
- Re: Minimum password requirements Hamish Stanaway (Jul 21)
- Re: Minimum password requirements dmargoli (Jul 22)
- Re: Minimum password requirements Steve (Jul 23)
- Re: Minimum password requirements dmargoli (Jul 23)
- RE: Minimum password requirements Dave Dyer (Jul 26)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 26)
- RE: Minimum password requirements Ed Spencer (Jul 26)
- Re: Minimum password requirements dmargoli (Jul 22)
- RE: Minimum password requirements Andrew Aris (Jul 23)
- RE: Minimum password requirements Jeremy Novak (Jul 26)
- Re: Minimum password requirements Hamish Stanaway (Jul 21)
- Re: Minimum password requirements Jonathan Loh (Jul 26)
- Re: Minimum password requirements Gethin Jones (Jul 26)