Security Basics mailing list archives
re: Highlighting weak password dangers
From: Kenton Smith <listsks () yahoo ca>
Date: Mon, 29 Jan 2007 15:29:13 -0800 (PST)
----- Original Message ----
From: Henry Troup <htroup () acm org>
To: "Barrett, Will" <wbarrett () pronetsol com>; Kenton Smith <listsks () yahoo ca>; WALI <hkhasgiwale () gmail com>
Sent: Monday, January 29, 2007 8:56:54 AM
Subject: RE: Highlighting weak password dangers
>> "There is no reason for using brute-force for policy compliance."
Why not? An intruder might. Why on earth would you think you are safe
if you are not willing or able to do the same?
Are you sure that you're all using the same definition of "brute force"? The "dictionary or hybrid" might qualify as "brute force" to some people. I tend to reserve that term to those attacks that will in time try every possible password - given unreasonable resources. Since a brute force attack on length 8 is actually feasible today, you need to set an appropriate minimum length. But otherwise "brute force" has no role in compliance because it always works.
That's why we call it "brute force" - it's an analogy to locked doors. If I have a standard steel outer door or solid core interior door, there is a level of force that will break that door or break the door and jamb out of the building structure. I don't apply that force when checking to see if the door is locked.
regards,
Henry Troup
htroup () acm org
It all depends on the reasons for doing the "audit". In my world, auditing is done to find policy breaches and weaknesses in defense methods. As stated, brute-force always works. It doesn't matter how complex your passwords are, brute-force never fails. It may take a few months or longer, but if someone uses brute force on a strong password, they're going to break it every time. So how does this help to enforce policy? It doesn't; because if your policy is attempting to prevent passwords being cracked using brute force, everyone is going to have to write down their 128 character complex passwords and change them on a weekly basis. On the other hand, if you are using password cracking methods to find weak passwords, a carefully crafted dictionary attack will find all the weak passwords within a matter of minutes and you're done.

Kenton
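Added example, not part of the thread and not code from any list member: a short Python script that runs the kind of hybrid dictionary audit Kenton describes over a constructed set of password hashes, and beside it works out how large the length-8 keyspace Henry calls feasible actually is. The usernames, passwords, wordlist, mangling rules, hashing scheme (unsalted SHA-256) and the guess rate of 1e9/s are all assumptions made for illustration; a real audit would use the target system's own hash format and salts.

```python
"""Hybrid dictionary audit versus brute-force cost.

Added example for this thread, not code from any list member. The user
records, wordlist, hashing scheme (unsalted SHA-256) and guess rate are all
constructed for illustration; a real audit would use the system's own hash
format and salts.
"""
import hashlib


def _h(pw: str) -> str:
    """Constructed hash scheme: unsalted SHA-256 hex digest."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample accounts (username -> hash).
SAMPLE_USERS = {
    "alice": _h("password1"),
    "bob": _h("Summer2007!"),
    "carol": _h("P@$$w0rd"),
    "dave": _h("x7#Qp9!vLm2$"),  # strong: no dictionary root, so it survives
}

# Constructed base wordlist. A "carefully crafted" list would add the
# organisation's name, products, local teams, seasons and so on.
BASE_WORDS = ["password", "summer", "winter", "welcome", "letmein", "admin"]

LEET = str.maketrans({"a": "@", "o": "0", "s": "$", "e": "3", "i": "1"})
SUFFIXES = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2010)]
SYMBOLS = ["", "!", "@", "#", "$"]


def mangle(word: str):
    """Hybrid rules applied to one base word: case variants, full and
    first-letter leet substitution, then digit/year and symbol suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for b in list(bases):
        for i, ch in enumerate(b):
            if ch in "aoesi":
                bases.add(b[:i] + ch.translate(LEET) + b[i + 1:])
                break
    for b in bases:
        for suffix in SUFFIXES:
            for sym in SYMBOLS:
                yield b + suffix + sym


def dictionary_audit(users: dict, words) -> dict:
    """Return {username: recovered_password} for every hash the hybrid
    dictionary matches. Hashes are indexed once so each candidate costs a
    single lookup however many accounts are being audited."""
    by_hash: dict = {}
    for user, digest in users.items():
        by_hash.setdefault(digest, []).append(user)
    found = {}
    for word in words:
        for cand in mangle(word):
            for user in by_hash.get(_h(cand), []):
                found.setdefault(user, cand)
    return found


def brute_force_keyspace(length: int, charset_size: int = 95) -> int:
    """Candidates an exhaustive search of exactly `length` characters drawn
    from `charset_size` symbols must cover in the worst case."""
    return charset_size ** length


def brute_force_days(length: int, guesses_per_second: float,
                     charset_size: int = 95) -> float:
    """Worst-case days to exhaust that keyspace at an assumed guess rate."""
    return brute_force_keyspace(length, charset_size) / guesses_per_second / 86400


if __name__ == "__main__":
    weak = dictionary_audit(SAMPLE_USERS, BASE_WORDS)
    for user, pw in sorted(weak.items()):
        print(f"weak password: {user} -> {pw!r}")
    print(f"not recovered: {sorted(set(SAMPLE_USERS) - set(weak))}")
    # Assumed rate of 1e9 guesses/s for a fast unsalted hash; the point is
    # the ratio between lengths, not the exact figure.
    for length in (6, 8, 10):
        print(f"length {length}, 95 chars: {brute_force_keyspace(length):.2e} "
              f"candidates, {brute_force_days(length, 1e9):.1f} days at 1e9/s")
```

Run as-is, the audit recovers alice, bob and carol from a few thousand candidates in well under a second and leaves dave alone, which is exactly the split a policy audit wants: the report names the accounts that broke policy, not the ones that merely could be broken given enough time. The keyspace figures make Henry's point about length: at the assumed rate, every printable 6-character password falls in minutes, the full 8-character space takes on the order of weeks, and 10 characters pushes the worst case out by another factor of roughly 9000.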
Current thread:
- Re: Highlighting weak password dangers Kenton Smith (Jan 25)
- RE: Highlighting weak password dangers Barrett, Will (Jan 29)
- <Possible follow-ups>
- re: Highlighting weak password dangers Kenton Smith (Jan 30)
- Re: RE: Highlighting weak password dangers somebodyishere (Jan 30)