Educause Security Discussion mailing list archives

Re: Password policy


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 1 Nov 2006 16:01:00 -0700

And if you use only the 26 lower case characters but require a 20
character passphrase, you get 26^20, a significantly larger number (see
table below); the Windows calculator tells me it is
19,928,148,895,209,409,152,340,197,376.  At a certain password length
point (around 16 or 17 characters) length becomes much more
deterministic than even the variety of characters in the complete ASCII
set.  This was proven to me at a recent SANS training course on Windows
Security and is an interesting consideration as you author your own
policies and options.

I always suggest a passphrase for WinZip for this reason, as there are no
restrictions on attempts at breaking a WinZip password.  Adding a few
seconds' delay on an online system between attempts neutralizes the
ability of a guessing/cracking program to try unlimited guesses and
accomplishes this much more efficiently, I think.  You have to look at
the whole picture.

Of course the protectiveness of passwords is moot when faced with
keyboard loggers and other forms of input trapping.  Just part of the
puzzle.

Best regards,

Jim

*****************************************

Jim Dillon, CISA, CISSP

IT Audit Manager, CU Internal Audit

jim.dillon () cusys edu

303-492-9734

*****************************************

________________________________

From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU] 
Sent: Wednesday, November 01, 2006 2:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

Hi:

I guess I will chime in on why passwords should have an expiration
time/date.

Brute force attacks take time --> given enough time any password can be
broken and discovered --> by forcing a change periodically you make any
targeted brute force attacker start over.  How long does it take?  The
chart below gives an idea:

If you only use words from a dictionary or a purely numeric password, a
hacker only has to try a limited list of possibilities. A hacking
program can try the full set in under one minute. If you use the full
set of characters and the techniques above, you force a hacker to
continue trying every possible combination to find yours.  

If we assume that the password is 8 characters long, this table shows
how many times a hacker may have to try before guessing your password.
Most password crackers have rules that can try millions of word variants
per second, so the more algorithmically complex your password, the
better.

Character sets used in password                 Calculation       Possible combinations
----------------------------------------------  ----------------  ---------------------
Dictionary words (in English; it is debatable,  --                600,000
  but let's generously say ~600,000 words)
Numbers only                                    10^8              100,000,000
Lowercase alpha set only                        26^8              208,827,064,576
Full alpha set                                  52^8              53,459,728,531,456
Full alpha + number set                         62^8              218,340,105,584,896
Full set of allowed printable characters        (10+26+26+19)^8   645,753,531,245,761

-Kevin

Kevin L. McLaughlin

CISSP, PMP, ITIL Master Certified

Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)

mclaugkl () ucmail uc edu
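
The arithmetic behind both posts above, as an added example that is not part of either message: it computes the charset^length keyspaces in Kevin's table and Jim's 26^20 figure, finds the lowercase-only passphrase length needed to reach an 8-character full-set password, and compares worst-case exhaustive-search time at an assumed offline rate of one million guesses per second against an online system enforcing an assumed three-second delay between attempts. Treating the full printable set as 95 ASCII characters is also an assumption, not a figure from the thread.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords available: charset_size ** length (the 'Calculation' column)."""
    return charset_size ** length


def min_length_to_beat(charset_size: int, other_size: int, other_length: int) -> int:
    """Smallest length at which charset_size^length reaches other_size^other_length,
    e.g. how long a lowercase-only passphrase must be to exceed an 8-char full-set password."""
    target = keyspace(other_size, other_length)
    n = 1
    while keyspace(charset_size, n) < target:
        n += 1
    return n


def seconds_to_exhaust(space: int, guesses: int, per_seconds: int = 1) -> Fraction:
    """Worst-case time to try every candidate at a steady rate of `guesses` per `per_seconds`.
    Exact arithmetic, so an online rate of one guess per 3 seconds is expressed as (1, 3)."""
    return Fraction(space * per_seconds, guesses)


def years(seconds: Fraction) -> float:
    return float(seconds / SECONDS_PER_YEAR)


if __name__ == "__main__":
    # Kevin's 8-character rows; 95 printable ASCII characters is an assumed full set.
    for name, size in [("numbers only", 10), ("lowercase", 26), ("full alpha", 52),
                       ("alpha + number", 62), ("printable ASCII (assumed 95)", 95)]:
        print(f"{name:30s} {size:>3}^8 = {keyspace(size, 8):,}")
    # Jim's 20-character lowercase passphrase, and the lowercase length that reaches 95^8.
    print(f"{'lowercase passphrase':30s}  26^20 = {keyspace(26, 20):,}")
    print("lowercase length needed to reach 95^8:", min_length_to_beat(26, 95, 8))
    # Assumed rates: offline cracker at 1,000,000 guesses/s vs an online system that
    # enforces a 3-second delay between attempts (one guess per 3 seconds).
    for size, length in [(26, 8), (62, 8), (26, 20)]:
        space = keyspace(size, length)
        print(f"{size}^{length}: offline {years(seconds_to_exhaust(space, 10**6)):.3g} years, "
              f"online {years(seconds_to_exhaust(space, 1, 3)):.3g} years")
```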

