Security Basics mailing list archives
Re: Passwords: length vs. complexity
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 22 Jul 2008 04:00:38 +0200
On 2008-07-21 Kurt Buff wrote:
> The number of tokens available, when using old-style passwords, is on the order of, as you pointed out earlier, 26-36, correct?
Rather 90-95 (62 alphanumeric characters plus a number of special characters). If we're talking about strong (randomly chosen) passwords, that is.
> The number of tokens, when using larger passphrases, and counting entire words as tokens, delimited by spaces (and not counting punctuation or special characters or capitalisation, and choosing English as the base language, all of which are fairly large caveats, I believe) becomes on the order of 10,000 to 20,000 commonly used words out of about 1,000,000 or so in the English language, or more if including specialized vocabularies, such as names, sports terms, and less-common technical vocabularies specific to industry or job function, etc.
The Technet article [1] Philippe referred to mentioned numbers from 300 to 50000-70000.
> Even if one accepts that the keyspace will be (severely) limited by people choosing sentences with standard syntax and grammar, and by choosing smaller and easier-to-type words, this still seems to be a huge win over using randomized-but-smaller passwords that are hard to remember and hard to type.
Perhaps. As I already said in my second-to-last mail, even passphrases with 5-7 words taken from a 300-word dictionary may be secure enough. They're just not as secure as the proponents of passphrases make it sound.
> If one sets a minimum passphrase size of, say 20 characters, and enforces complexity requirements that are standard in Windows (three of the following four: UC characters, LC characters, numbers, and punctuation and other special characters), then the passphrases will be essentially invulnerable to rainbow tables, and far superior to standard passwords from an end-user standpoint because of ease of recall and input.
Will they really? I have my doubts about it. In another article Philippe referred to [2], Roger Grimes outlined some problems with conventional passwords:

| And because most users also use dictionary words as the root to their
| "complex" password, and follow other common conventions (capitalized
| letters are at the beginning, numbers are at the end)

IMHO the same users will not magically stop making the same mistakes when being forced to use passphrases instead of passwords. They'll use simple words in simple sentences, applying the grammar and punctuation they learned in school. I don't have actual numbers on this, but AFAICS that should reduce the number of possible passwords significantly.

As for rainbow tables, there are better ways to deal with them than password requirements (salted hashes in particular).

Don't get me wrong, I'm by no means opposed to using passphrases, and I agree that they probably are easier to memorize for Joe Average. I'm just not convinced that they are a silver bullet like some people say.

[1] http://technet.microsoft.com/en-us/library/cc512609.aspx
[2] http://www.infoworld.com/article/06/07/21/30OPsecadvise_1.html

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available." --Jason Coombs on Bugtraq
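The key-space arithmetic behind the comparison in this message (random characters from a 90-95 symbol alphabet versus 5-7 words from a 300-word dictionary), together with the remark that salted hashes rather than password rules are the answer to rainbow tables, as an added worked example that is not part of the original post or the thread. The 95-symbol alphabet and the 300-word dictionary are the numbers from the thread; the 7,000-word dictionary (a round figure inside the 300 to 50,000-70,000 range mentioned above), the attacker rate of 1e9 guesses per second, the wordlist and the toy SHA-1 lookup table are constructed for illustration only. Salting uses PBKDF2-HMAC from the Python standard library.

```python
import hashlib
import math
import os

# --- Key-space arithmetic --------------------------------------------------

def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols, each drawn uniformly at random
    from an alphabet of `alphabet_size` symbols (e.g. 95 printable ASCII)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy in bits of `words` words, each drawn uniformly at random from a
    dictionary of `dictionary_size` words. This is an upper bound: a grammatical
    sentence picked by a user, not a random draw, carries fewer bits."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average brute-force time for a secret of `bits` entropy: the attacker
    expects to search half the space before hitting it."""
    return 2.0 ** (bits - 1) / guesses_per_second


def compare_policies() -> dict:
    """Entropy of the schemes discussed in the thread. The 7,000-word
    dictionary is an assumed round figure, not a number from the thread."""
    return {
        "random 8 chars, 95 symbols":  password_bits(95, 8),
        "random 12 chars, 95 symbols": password_bits(95, 12),
        "5 words from 300":            passphrase_bits(300, 5),
        "7 words from 300":            passphrase_bits(300, 7),
        "4 words from 7000 (assumed)": passphrase_bits(7000, 4),
    }


# --- Why salting, not complexity rules, defeats precomputed tables --------

# Constructed wordlist standing in for the plaintexts an attacker precomputes.
CONSTRUCTED_WORDLIST = [b"password", b"letmein", b"summer2008", b"Welcome1"]


def build_unsalted_table(words) -> dict:
    """Toy stand-in for a rainbow table: unsalted SHA-1 hash -> plaintext.
    Built once, reused against every leaked hash of the same scheme."""
    return {hashlib.sha1(w).hexdigest(): w for w in words}


def unsalted_lookup(table: dict, stored_hash_hex: str):
    """An unsalted stored hash is looked up directly; plaintext or None."""
    return table.get(stored_hash_hex)


def salted_hash(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user salt mixed in via PBKDF2-HMAC-SHA256 (hashlib, stdlib). The same
    password yields an unrelated hash for every salt, so a table precomputed
    without the salt matches nothing."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def unsalted_lookup_succeeds(password: bytes = b"Welcome1") -> bool:
    """A common password stored unsalted falls to the precomputed table."""
    table = build_unsalted_table(CONSTRUCTED_WORDLIST)
    return unsalted_lookup(table, hashlib.sha1(password).hexdigest()) == password


def salted_lookup_fails(password: bytes = b"Welcome1", salt: bytes = b"\x00" * 16) -> bool:
    """Even a fixed all-zero salt (chosen here only to keep the result
    deterministic; a real system draws one per user from os.urandom) prepended
    to the same password misses a table built without that salt."""
    table = build_unsalted_table(CONSTRUCTED_WORDLIST)
    return unsalted_lookup(table, hashlib.sha1(salt + password).hexdigest()) is None


def salts_make_hashes_differ(password: bytes = b"Welcome1") -> bool:
    """Two users with the same password get unrelated stored hashes."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return salted_hash(password, salt_a) != salted_hash(password, salt_b)


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        # Assumed attacker rate of 1e9 guesses/s, only to put the bits on a scale.
        secs = expected_crack_seconds(bits, 1e9)
        print(f"{label:30s} {bits:6.1f} bits  ~{secs:.3g} s at 1e9 guesses/s")
    print("unsalted table finds password:     ", unsalted_lookup_succeeds())
    print("same table against salted hash:    ", not salted_lookup_fails())
    print("same password, two salts, differ:  ", salts_make_hashes_differ())
```

Reading the numbers: 5 random words from a 300-word list (about 41 bits) come in below an 8-character random password over 95 symbols (about 52.6 bits), while 7 such words (about 57.6 bits) edge past it; all of these assume uniform random choice, which is exactly the assumption the message says users will not honour when they write sentences. The table section shows the separate point about rainbow tables: the precomputed lookup recovers the unsalted hash at once and misses the salted one, regardless of how long or complex the password is.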