Security Basics mailing list archives
Re: Length vs Complexity
From: John Morrison <john.morrison101 () gmail com>
Date: Sun, 19 Sep 2010 20:04:52 +0100
In my opinion the use of tokens, from a security perspective, is a better solution unless users are sharing the password/token. It certainly means the password changes frequently to reduce the time for cracking the password before it becomes invalid. However, the cost of purchasing a token is higher than that of asking a user to think of a password. In my experience, if using complex passwords there is an increased likelihood that the user will write down the password. (Also a problem for tokens, as users can write the PIN on a label and fasten it to the token.)

Personally I would recommend that users choose passwords that they can remember and can avoid writing down. Couple this with a fairly short lifetime for the password so that it must be changed frequently. The security of the passwords can then be enhanced by persistently reminding them of the value of their password (and what it protects) as well as how to construct and remember a password. Again the token can be a useful tool, as it can be likened to a chip-and-PIN debit/credit card. Users understand the value of keeping the PIN secret for their card. It might even help if the token looks like a card. Linking the different bits of security together will help.

Whatever solution is selected, it is also important to monitor usage patterns and flag unusual activity. For example, a 9-5 office worker logging in late at night; a login when the user is on leave; or attempts to access files or servers never used before. Also, if you have physical security that relies on users identifying themselves, you could flag if a user tries to log in in a building but has not been through the security system to get into that location.

On 16 September 2010 20:49, Joachim Thuau <Joachim.Thuau () heavy-iron com> wrote:
What should be communicated is that the password needs to be set in such a way as to make attempts at brute-forcing the password take more time. So you end up with longer passwords that STATISTICALLY take longer to crack. Passwords with complex structures (non-dictionary words) will also take longer to crack (STATISTICALLY). Those are hard to quantify, as you have neither the algorithms nor the configurations being used for the attack. All you can do is "guess".

Attackers often go for the low-hanging fruit, because they expect users to go for convenience (password with the name of the dog, birthdates). Attackers are also eager to get in. They will look at passwords and their probability of occurrence. Dictionary words and guessable passwords are very likely (beside most security officers' efforts) and will be tried first. It all depends on how the attacker perceives the complexity. How is the dictionary attack set up? Is it just a bunch of words tried and combinations of words, are they going to try "leet permutations" (replacing certain letters with numbers/symbols)? It is likely that they will try those before some totally random characters... how likely? That's the real question... It's all probability, statistics, and neither of those are really easy to handle...

And start using token authentication systems, and you make it harder for the attacker yet... (that makes the password time sensitive, and a moving target...)

Jok
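Joachim's point that length and complexity only matter "statistically", relative to the attacker's search strategy, can be put in numbers. The following is an added example, not code from the thread; the character-class sizes, the 1e9 guesses/second rate and the dictionary-attack model (word list size, number of leet spellings, digit suffixes) are all assumptions chosen for illustration.

```python
# Character-class sizes for printable US-keyboard ASCII.
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")
SECONDS_PER_YEAR = 365 * 24 * 3600


def brute_force_space(length, classes):
    """Candidates an exhaustive search must cover for this length and alphabet."""
    alphabet = sum(CLASS_SIZE[c] for c in classes)
    return alphabet ** length


def dictionary_space(words, leet_variants, suffixes):
    """Candidates for the 'dictionary word, leet substitutions, short suffix' pattern."""
    return words * leet_variants * suffixes


def expected_crack_years(candidates, guesses_per_sec):
    """Average time to reach a uniformly chosen candidate: half the space."""
    return candidates / 2 / guesses_per_sec / SECONDS_PER_YEAR


def compare_policies(guesses_per_sec):
    """Expected years to crack, per policy, at the given guessing rate."""
    policies = {
        "8 chars, all four classes": brute_force_space(8, ALL_CLASSES),
        "12 chars, lowercase only": brute_force_space(12, ("lower",)),
        "16 chars, lowercase only": brute_force_space(16, ("lower",)),
        # Assumed attacker model: 100k-word list, 32 leet spellings per word,
        # two trailing digits. Satisfies a 'three classes' rule yet is tiny.
        "word + leet + 2 digits": dictionary_space(100_000, 32, 100),
    }
    return {name: expected_crack_years(n, guesses_per_sec) for name, n in policies.items()}


if __name__ == "__main__":
    # Assumed offline guessing rate; as the thread notes, the real figure is unknown.
    for name, years in compare_policies(1e9).items():
        print(f"{name:28s} {years:12.3g} years")
```

The table it prints shows a longer lowercase-only password outlasting a shorter all-class one, while a dictionary-derived password that formally meets a complexity rule is covered in well under a second.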
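John's suggestion above, flagging after-hours logins, logins while on leave, first-time resource access, and logins from a building the user never badged into, can be checked mechanically against a login log joined with HR and door-access feeds. This is an added example, not code from the thread; the log format, the leave calendar, the badge records and the per-user resource baseline are all constructed for illustration.

```python
from datetime import date, datetime, time

# Constructed sample login records in a made-up format (not from the thread).
LOG_LINES = [
    "2010-09-17T10:12:04 user=bob building=HQ resource=fs01/shared",
    "2010-09-17T23:41:19 user=bob building=HQ resource=fs01/shared",
    "2010-09-17T11:05:33 user=alice building=HQ resource=fs01/payroll",
    "2010-09-18T14:20:00 user=carol building=ANNEX resource=db02/hr",
]

# Constructed context feeds: HR leave calendar, door-badge entries per day,
# and each user's baseline of resources seen in past activity.
ON_LEAVE = {"alice": (date(2010, 9, 16), date(2010, 9, 20))}
BADGED_IN = {("bob", date(2010, 9, 17), "HQ"), ("carol", date(2010, 9, 18), "HQ")}
KNOWN_RESOURCES = {"bob": {"fs01/shared"}, "alice": {"fs01/payroll"}, "carol": set()}
OFFICE_HOURS = (time(9, 0), time(17, 0))


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def flags_for(rec):
    """Return the list of anomaly flags raised for one login record."""
    flags = []
    user, ts = rec["user"], rec["ts"]
    if not OFFICE_HOURS[0] <= ts.time() <= OFFICE_HOURS[1]:
        flags.append("after_hours")          # 9-5 worker logging in at night
    leave = ON_LEAVE.get(user)
    if leave and leave[0] <= ts.date() <= leave[1]:
        flags.append("on_leave")             # login while HR says the user is away
    if (user, ts.date(), rec["building"]) not in BADGED_IN:
        flags.append("no_badge_entry")       # no door-badge record for that building
    if rec["resource"] not in KNOWN_RESOURCES.get(user, set()):
        flags.append("new_resource")         # file/server never used before
    return flags


def scan(lines):
    """Flags for each line, in order; an empty list means nothing unusual."""
    return [flags_for(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for line, flags in zip(LOG_LINES, scan(LOG_LINES)):
        print(flags or "ok", "<-", line)
```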