Firewall Wizards mailing list archives
Re: Re[2]: password aging
From: Aleph One <aleph1 () dfw net>
Date: Wed, 2 Sep 1998 10:38:10 -0500 (CDT)
On Wed, 2 Sep 1998 Steve.Bleazard () wdr com wrote:
One alternative to password aging is to force everyone to use a password generator. FIPS181 from the US government describes (and implements) such a generator. I have found the FIPS181 algorithm generates good pronounceable passwords. They are also far less susceptible to social engineering. Using password generators has many problems in itself, not least of which is the tendency for people to write the password down. However, if security demands good password aging and system-wide password re-use detection, then the local policies can be enforced to deal with this and a generator is a viable alternative.
This reminds me of this little blurb that comes with the Crack programs.
From doc/fips181.txt:
Federal Information Processing Standard 181 defines a standard for an automated password generator to be used in "all federal departments and agencies where there is a requirement for computer generated pronounceable passwords"... for passwords of between 5 and 8 characters long.

Basically it's a generator which takes a good PRNG and a bunch of fixed syllables (composed from lowercase ascii letters) and uses the former to drive concatenation of the latter, producing at the business end a "pronounceable password".

Reading FIPS181 (http://csrc.ncsl.nist.gov/fips/fips181.txt) one gets a good feel for the reduction in search space that this algorithm provides to the password cracker. Section 2.4 cites that the algorithm is capable of producing "approximately 18 million 6-character" passwords; compare this with the set of 309 million lowercase 6-character passwords, and we see that the lack of entropy in the output has reduced the search space to about 5% of its original size.

Interesting; from this basis we may pose the following student project:

or values of N constrained by your resources.
3) sort/uniq, dawg and gzip this dictionary and put it up on an Internet FTP site, posting an announcement of a new Crack dictionary containing all possible N-character plaintext federal passwords.
4) Write an essay describing your experiences of consequent federal investigation, backbiting and paranoia.

-- To verify the feasibility of (3), the author can confirm that the highly redundant 2Gb dictionary of all possible 6-character lowercase passwords (newline separated) compresses to about 7Mb under dawg/gzip. YMMV.

As you can see, using FIPS181 is a very bad idea.
Steve
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
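The Crack note above measures a generator by the number of distinct strings it can ever emit, not by the alphabet it draws from. The following is an added example (not from this thread, and not the FIPS 181 algorithm) that applies the same audit to a toy syllable-concatenation generator: it enumerates the generator's reachable outputs, converts that count to bits, and compares it with the uniform lowercase space, alongside the 18 million / 26^6 figures the note quotes. The SYLLABLES table is a constructed stand-in and the function names are this example's own.

```python
import math
import secrets

# Constructed toy syllable inventory (an assumption of this example). It is NOT the
# FIPS 181 unit and digram tables, only something of the same shape: a fixed set of
# lowercase units concatenated until the requested length is reached.
SYLLABLES = ["a", "e", "i", "o", "u",
             "ba", "be", "bi", "bo", "bu", "ka", "ke", "ki", "ko", "ku",
             "la", "le", "li", "lo", "lu", "ma", "me", "mi", "mo", "mu",
             "na", "ne", "ni", "no", "nu", "ra", "re", "ri", "ro", "ru",
             "tra", "tre", "tri", "tro", "tru", "sta", "ste", "sti", "sto", "stu"]

def generate(length: int = 6) -> str:
    """Draw syllables with a CSPRNG until exactly `length` characters are formed."""
    pw = ""
    while len(pw) < length:
        fits = [s for s in SYLLABLES if len(pw) + len(s) <= length]
        pw += secrets.choice(fits)  # a one-letter unit always fits, so this terminates
    return pw

def distinct_outputs(length: int) -> set:
    """Every string generate(length) can return: walk all unit sequences of that length.
    The *set* is what counts, since different sequences may spell the same string."""
    found = set()
    def walk(prefix: str) -> None:
        if len(prefix) == length:
            found.add(prefix)
            return
        for s in SYLLABLES:
            if len(prefix) + len(s) <= length:
                walk(prefix + s)
    walk("")
    return found

def entropy_bits(n_outputs: int) -> float:
    """Bits of entropy if every output were equally likely; an upper bound, because
    a generator like generate() does not pick its reachable outputs uniformly."""
    return math.log2(n_outputs)

def fraction_of_uniform(n_outputs: int, alphabet_size: int, length: int) -> float:
    """Share of the uniform alphabet**length space that the generator can reach at all."""
    return n_outputs / alphabet_size ** length

if __name__ == "__main__":
    reach = len(distinct_outputs(6))
    print("sample:", generate(6), "reachable 6-char outputs:", reach)
    print("toy generator: %.1f bits, %.3f%% of 26^6" % (entropy_bits(reach), 100 * fraction_of_uniform(reach, 26, 6)))
    print("FIPS 181 per the Crack doc (~18 million): %.1f bits, %.1f%% of 26^6" % (entropy_bits(18_000_000), 100 * fraction_of_uniform(18_000_000, 26, 6)))
```

The toy table has only one way to parse each string, so its reachable count equals the number of unit sequences; a table whose units overlap would make the set strictly smaller than that count, which is exactly why the audit enumerates strings rather than sequences.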