Educause Security Discussion mailing list archives
Re: Passwords & Passphrases (strength and entropy)
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 27 Nov 2007 14:34:37 -0700
We had a discussion on this list about a year ago regarding password strengths (search for entropy). Enclosed is a presentation I have given, spurred thanks to the previous conversation on this list. Slides 9 - 15 deal with password and passphrase strength.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
-----Original Message-----
From: Paul Keser [mailto:pkeser () STANFORD EDU]
Sent: Monday, November 26, 2007 3:53 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

Harold-

I think Alex is saying the cracking program is more likely to guess aaaaaaa.... I believe John the Ripper includes all a's, all b's, etc. in its dictionary attack. Dictionary attacks usually take a very few minutes on a typical workstation, while if it has to fall back to brute force it will take days or weeks. This is assuming they already have a copy of your SAM file or your shadow file and they are cracking it locally vs. password guessing across the network. The SANS hacking class has an excellent password cracking and password guessing lab.

-PaulK

Paul Keser
Assoc. Information Security Officer
Stanford University
650.724.9051
GPG Fingerprint: DBA3 E20F CE91 28AA DA1C 4A77 3BD9 C82D 2699 24FB

Harold Winshel wrote:

Are you saying a password cracking program is more likely to guess the letter "a" repeated 15 times, or that an individual user trying to break in to a machine will more likely try that?

Harold

At 05:37 PM 11/19/2007, Alex wrote:

Harold:

I think there is confusion between pure mathematical probability and probability based on historical attacks/human created passwords. An attacker is more likely to try repetitive or dictionary-based/hybrid attacks over a network (or against a hash) than random passwords. Additionally, people are more likely to use certain characters than others when creating passwords (e.g. wheel of fortune). Therefore, user created passwords are not random. So, given that we know attackers typically use 'easy' passwords, the character 'a' repeated 15 times is more likely to be cracked than a 15 character passphrase. Likely, so is a 15 character passphrase when compared to a truly randomly generated password of 15 characters from the same character set. Hence, we have password complexity rules as those in Microsoft Server 2003 and Linux.

-Alex

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Monday, November 19, 2007 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

I may have missed some of the earlier emails, but I thought that a 15 character passphrase is as secure as a 15 character random password. For that matter, I thought the user could use the letter "a" fifteen times and it could be as secure as a random 15-character password or a 15-character password such as "I don't like the Red Sox" (I think that's more than 15, though).

Harold

At 04:44 PM 11/19/2007, Roger Safian wrote:

At 02:01 PM 11/19/2007, Martin Manjak put fingers to keyboard and wrote:

move beyond 8 characters with mixed case and special characters. I would like to see us require a 15 character pass phrase which, in my view, is more secure (even without complexity), and both easier to type and remember.

Personally I'd love to see a password minimum length of 15 characters. My fear is that a password database gets compromised, and the weak passwords are cracked and bad things take place. I think that 15 characters is a long enough string to make brute force cracking time consuming enough to allow us to change the passwords in a reasonable time-frame. I think the reality is that 15 characters will be too much for the community. We'll see.

--
Roger A. Safian
r-safian () northwestern edu (email)
public key available on many keyservers.
(847) 491-4058 (voice)
(847) 467-6500 (Fax)
"You're never too old to have a great childhood!"

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)
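A defender-side strength check that captures the distinction drawn in the thread between charset arithmetic and what a cracker tries first (repeated characters, then dictionary words, then exhaustive search). This is an added example, not code from the list or from any poster; the tiny wordlist, its assumed size, the maximum length enumerated for repeated characters, and the 60-bit threshold are all assumptions.

```python
import math
import string

# Constructed stand-in for a cracker's wordlist (a real one is far larger).
COMMON_WORDS = {"i", "don't", "like", "the", "red", "sox", "password", "letmein"}
WORDLIST_SIZE = 100_000   # assumed wordlist size used for the entropy arithmetic
MAX_LEN = 64              # assumed longest length a cracker enumerates for repeats
PRINTABLE = 95            # printable ASCII characters

def charset_bits(pw: str) -> float:
    """'Pure mathematical' strength: log2(charset_size ** len(pw))."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # punctuation plus space
    return len(pw) * math.log2(size) if size else 0.0

def attacker_bits(pw: str) -> float:
    """Effective work once the cheap patterns a cracker tries first are modelled."""
    # A single repeated character: guess which char (95) and which length (MAX_LEN).
    if len(set(pw)) == 1:
        return math.log2(PRINTABLE * MAX_LEN)
    # Built only from dictionary words: one wordlist choice per word.
    words = [w.lower() for w in pw.split()]
    if words and all(w in COMMON_WORDS for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)
    # Otherwise the attacker is left with exhaustive search over the character set.
    return charset_bits(pw)

def meets_policy(pw: str, min_bits: float = 60.0) -> bool:
    """Accept only if the attacker-aware estimate clears the threshold."""
    return attacker_bits(pw) >= min_bits

if __name__ == "__main__":
    for pw in ("aaaaaaaaaaaaaaa", "I don't like the Red Sox", "k7$Qp2!mZx9#Lw4"):
        print(f"{pw!r}: naive {charset_bits(pw):.1f} bits, "
              f"attacker-aware {attacker_bits(pw):.1f} bits, ok={meets_policy(pw)}")
```

Fifteen a's scores about 70 bits by charset arithmetic but only about 13 bits once repetition is modelled, which is why a length-only rule lets it through and this check does not.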
Attachment:
Trouble-with-encryption-v2.ppt