Security Basics mailing list archives

re: Highlighting weak password dangers


From: Kenton Smith <listsks () yahoo ca>
Date: Mon, 29 Jan 2007 15:29:13 -0800 (PST)


----- Original Message ----

From: Henry Troup <htroup () acm org>

To: "Barrett, Will" <wbarrett () pronetsol com>; Kenton Smith <listsks () yahoo ca>; WALI <hkhasgiwale () gmail com>

Sent: Monday, January 29, 2007 8:56:54 AM

Subject: RE: Highlighting weak password dangers



>> "There is no reason for using brute-force for policy compliance."

Why not?  An intruder might.  Why on earth would you think you are safe if you are not willing or able to do the same?

Are you sure that you're all using the same definition of "brute force"?  The "dictionary or hybrid" might qualify as "brute force" to some people.  I tend to reserve that term for those attacks that will in time try every possible password - given unreasonable resources.  Since a brute force attack on length 8 is actually feasible today, you need to set an appropriate minimum length.  But otherwise "brute force" has no role in compliance because it always works.

That's why we call it "brute force" - it's an analogy to locked doors.  If I have a standard steel outer door or solid core interior door, there is a level of force that will break that door or break door and jamb out of the building structure.  I don't apply that force when checking to see if the door is locked.

regards,

Henry Troup
htroup () acm org

It all depends on the reasons for doing the "audit". In my world,
auditing is done to find policy breaches and weaknesses in defense
methods. As stated, brute-force always works. It doesn't matter how
complex your passwords are, brute-force never fails. It may take a few
months or longer, but if someone uses brute force on a strong password,
they're going to break it every time. So how does this help to enforce
policy? It doesn't, because if your policy is attempting to prevent
passwords being cracked using brute force, everyone is going to have to
write down their 128 character complex passwords and change them on a
weekly basis.

On the other hand, if you are using password cracking methods to
find weak passwords, a carefully crafted dictionary attack will find
all the weak passwords within a matter of minutes and you're done.



Kenton
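As an added illustration (not code from this thread), the two kinds of check the thread contrasts: a dictionary-plus-hybrid audit that flags weak passwords in seconds, and the keyspace arithmetic behind "brute force always works, so only the minimum length matters". It assumes a constructed account list with unsalted SHA-256 hashes and a constructed five-word list; both are placeholders, not data from any real system.

```python
import hashlib


def sha256_hex(pw: str) -> str:
    """Unsalted SHA-256, used only so the constructed sample is self-contained."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample accounts: user -> password hash (the defender audits its own hashes).
SAMPLE_ACCOUNTS = {
    "alice": sha256_hex("Password1"),      # dictionary word, capitalised, digit appended
    "bob": sha256_hex("winter2007"),       # dictionary word + year
    "carol": sha256_hex("t8#Qz!wLm4vR"),   # not derivable from the word list
    "dave": sha256_hex("dragon"),          # bare dictionary word, below min length
}

# Constructed word list; a real audit would use a far larger one.
WORDLIST = ["password", "winter", "dragon", "letmein", "welcome"]


def hybrid_candidates(word: str):
    """Yield the base word plus the cheap mangling rules a policy audit should cover."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base
        for n in range(100):              # trailing digit(s): word1, word42
            yield f"{base}{n}"
        for year in range(1990, 2011):    # trailing year: word2007
            yield f"{base}{year}"


def audit(accounts: dict, wordlist: list, min_len: int = 8) -> dict:
    """Return {user: reasons} for every account that fails the weak-password audit."""
    lookup = {sha256_hex(c): c for w in wordlist for c in hybrid_candidates(w)}
    findings = {}
    for user, h in accounts.items():
        if h in lookup:
            reasons = ["dictionary/hybrid match"]
            if len(lookup[h]) < min_len:
                reasons.append(f"shorter than {min_len}")
            findings[user] = reasons
    return findings


def brute_force_keyspace(length: int, alphabet_size: int = 95) -> int:
    """Candidates an exhaustive search must try: printable ASCII, fixed length."""
    return alphabet_size ** length
```

The audit above touches fewer than two thousand hashes and finishes instantly; the keyspace for length 8 alone is about 6.6e15, which is why the thread treats minimum length, not brute-force resistance, as the only part of the policy brute force can inform.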






