Security Basics mailing list archives

Re: Length vs Complexity


From: John Morrison <john.morrison101 () gmail com>
Date: Sun, 19 Sep 2010 20:04:52 +0100

In my opinion the use of tokens, from a security perspective is a
better solution unless users are sharing the password/token. It
certainly means the password changes frequently to reduce the time for
cracking the password before it becomes invalid. However, the cost of
purchasing a token is higher than that of asking a user to think of a
password.

In my experience if using complex passwords there is an increased
likelihood that the user will write down the password. (Also a problem
for tokens as users can write the PIN on a label and fasten it to the
token.)

Personally I would recommend that users choose passwords that they can
remember and can avoid writing down. Couple this with a fairly short
lifetime for the password so that it must be changed frequently. The
security of the passwords can then be enhanced by persistently
reminding them of the value of their password (and what it protects)
as well as how to construct and remember a password.

Again the token can be a useful tool as it can be likened to a
chip-and-pin debit/credit card. Users understand the value of keeping
the PIN secret for their card. It might even help if the token looks
like a card.

Linking the different bits of security together will help. Whatever
solution is selected it is also important to monitor usage patterns
and flag unusual activity. For example, a 9-5 office worker logging
in late at night; a log in when the user is on leave; or attempts to
access files or servers never used before. Also if you have physical
security that relies on users identifying themselves you could flag if
a user tries to log in in a building, but has not been through the
security system to get into that location.

On 16 September 2010 20:49, Joachim Thuau <Joachim.Thuau () heavy-iron com> wrote:

What should be communicated is that the password needs to be set in such a way as to make attempts at brute-forcing 
the password take more time. So you end up with longer passwords that STATISTICALLY take longer to crack. Passwords 
with complex structures (non-dictionary words) will also take longer to crack (STATISTICALLY). Those are hard to 
quantify, as you have neither the algorithms nor the configurations being used for the attack. All you can do is 
"guess".

Attackers often go for the low hanging fruits, because they expect users to go for convenience (password with the 
name of the dog, birthdates). Attackers are also eager to get in. They will look at passwords and their probability 
of occurrence. Dictionary words and guessable passwords are very likely (beside most security officers' efforts) and 
will be tried first. It all depends on how the attacker perceives the complexity. How is the dictionary attack setup? 
Is it just a bunch of words tried and combinations of words, are they going to try "leet permutations" (replacing 
certain letters with numbers/symbols)? It is likely that they will try those before some total random characters... 
how likely? That's the real question...

It's all probability, statistics, and neither of those are really easy to handle...

And start using token authentication systems, and you make it harder for the attacker yet...
(that makes the password time sensitive, and a moving target...)

Jok
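The monitoring idea in John's post (flag a 9-5 worker logging in at night, a login while on leave, a first-ever access to a server, or a login from a building with no badge entry) is easy to turn into a simple rule set. The following Python is an added example, not code from this thread or from either poster; the user profile, badge records, log format and all log lines are constructed for illustration.

```python
"""Flag unusual login activity from constructed sample events.

Added example for the monitoring suggestions in John Morrison's post
(after-hours logins, logins while on leave, first-time server access,
logins from a building without a badge entry). Not code from the list;
all users, hosts, buildings and log lines below are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, time


@dataclass
class UserProfile:
    """What we know about a user from HR and past behaviour (constructed)."""
    work_start: time
    work_end: time
    leave: set            # dates the user is on leave
    usual_servers: set    # servers seen in the user's login history


@dataclass
class LoginEvent:
    user: str
    when: datetime
    server: str
    building: str


# Constructed sample profile: a 9-to-5 office worker with known habits.
PROFILES = {
    "alice": UserProfile(
        work_start=time(9, 0),
        work_end=time(17, 0),
        leave={date(2010, 9, 20)},
        usual_servers={"fileserver1", "mail1"},
    ),
}

# Constructed badge reader log: (date, user, building) entries.
BADGE_ENTRIES = {
    (date(2010, 9, 17), "alice", "HQ"),
}

# Constructed login log lines: "user|ISO-timestamp|server|building"
SAMPLE_LOG = """\
alice|2010-09-17T10:15:00|fileserver1|HQ
alice|2010-09-17T23:40:00|fileserver1|HQ
alice|2010-09-20T11:00:00|mail1|HQ
alice|2010-09-17T14:05:00|payroll-db|HQ
alice|2010-09-17T15:00:00|mail1|Annex
"""


def parse_log(text):
    """Parse the pipe-separated constructed log format into LoginEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, server, building = line.split("|")
        events.append(LoginEvent(user, datetime.fromisoformat(ts), server, building))
    return events


def flag_event(ev, profile):
    """Return the list of reasons an event looks unusual (empty if none)."""
    reasons = []
    t = ev.when.time()
    if not (profile.work_start <= t <= profile.work_end):
        reasons.append("outside working hours")
    if ev.when.date() in profile.leave:
        reasons.append("user on leave")
    if ev.server not in profile.usual_servers:
        reasons.append("first access to %s" % ev.server)
    if (ev.when.date(), ev.user, ev.building) not in BADGE_ENTRIES:
        reasons.append("no badge entry for %s" % ev.building)
    return reasons


def flag_unusual_logins(log_text, profiles=PROFILES):
    """Map each flagged event's timestamp to its reasons; normal events are omitted."""
    alerts = {}
    for ev in parse_log(log_text):
        profile = profiles.get(ev.user)
        if profile is None:
            alerts[ev.when.isoformat()] = ["unknown user %s" % ev.user]
            continue
        reasons = flag_event(ev, profile)
        if reasons:
            alerts[ev.when.isoformat()] = reasons
    return alerts


if __name__ == "__main__":
    for when, reasons in flag_unusual_logins(SAMPLE_LOG).items():
        print(when, "->", "; ".join(reasons))
```

Each rule is deliberately a plain comparison against a per-user baseline, so a reviewer can see exactly why an event was flagged; the "first access" and "no badge entry" rules are the ones that usually need a grace period or an HR feed to avoid drowning the helpdesk in false positives.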


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
