Security Basics mailing list archives
RE: ADS Password Storage Protection
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 19 Jul 2006 20:44:55 -0400
But the point is...you can't guarantee complexity...beyond 32 most commonly used characters. Real complexity doesn't exist. You can't enforce true complexity unless you auto-generate random passwords. I crack 8-character complex passwords every day without a problem. Even if you give users 94 different characters to choose between, 80% will choose the same 32 characters. 32^8 isn't nearly as good as 26^10. Just do the math. -----Original Message----- From: Eoin Miller [mailto:eoin.miller () trojanedbinaries com] Sent: Tuesday, July 18, 2006 4:55 PM To: Roger A. Grimes Cc: security-basics () securityfocus com Subject: Re: ADS Password Storage Protection Roger A. Grimes wrote:
Length is always more important than complexity because password keyspace is expressed as Y^X, where Y is the number of possible characters and X is the password length. Thus, any similar increase in
X has significantly more impact than to Y.
Roger, That relies upon the assumption of all attackers performing attacks that attempt all possible characters all the time. In most attempts to break passwords, the attacker will remove the uncommonly used characters from being attempted. Since users try and follow the bare minimum requirements, not adding complexity requirements can have a detrimental effect. Consider the following hypothetical situation: An internal employee has sniffed hashes from a network (we will assume there are no shortcuts/weaknesses in the algorithm). The internal company policy only requires 8 character length passwords and nothing more. Which will be broken first by the attacker who is only trying to crack a hash with lowercase letters [a-z]? A hash generated from a 10 character password that was created with only lowercase [a-z]. or A hash generated from a 8 character password that was created with lowercase [a-z], uppercase [A-Z], numerical [0-9]. The likely combinations to guess are not only derived from the length of the password but also from the minimum requirements instituted by the password policy. Having password complexity requirements forces attackers into using more possible combinations. I will not argue that length or complexity is more important than the other because situations can arise that expose the weakness of either. Both are required (and complement each other) when instituting a sound password policy. --Eoin ------------------------------------------------------------------------ --- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- RE: ADS Password Storage Protection, (continued)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Re: Re: RE: ADS Password Storage Protection Gregory Rubin (Jul 18)
- RE: Re: RE: ADS Password Storage Protection Pranav Lal (Jul 19)
- Re: Re: Re: RE: ADS Password Storage Protection winshel (Jul 18)
- Re: ADS Password Storage Protection ab (Jul 19)
- Re: ADS Password Storage Protection Gregory Rubin (Jul 21)
- RE: Re: Re: RE: ADS Password Storage Protection dave kleiman (Jul 19)
- RE: Re: Re: RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- Re: ADS Password Storage Protection ab (Jul 19)
- Re: ADS Password Storage Protection Eoin Miller (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: ADS Password Storage Protection Robertson, Seth (JSC-IM) (Jul 21)
- Re: RE: ADS Password Storage Protection eric . baechle (Jul 21)
- Re: Re: ADS Password Storage Protection eric . baechle (Jul 27)
- Re: RE: ADS Password Storage Protection e . m . baechle (Jul 28)
- RE: RE: ADS Password Storage Protection Roger A. Grimes (Jul 31)