Firewall Wizards mailing list archives

RE: strong passwords (was Radius/MS ISA stuff)


From: Paul Robertson <proberts () patriot net>
Date: Mon, 8 Jul 2002 19:55:55 -0400 (EDT)

On Tue, 9 Jul 2002, Daniel Djundjek wrote:

> Gentlemen,
> 
> I like your thinking on the crypto attack side of things relating to
> passwords, but I have a slightly different issue. How do you recommend to
> an IT manager that they need to have a min. of 8 characters. I found the

It really depends on the authentication scheme and where the 
authentication happens, and what you're trying to protect against:

> below article, but are you aware of any other articles or docs where
> companies are 'forced' by legislation or self regulated bodies to
> enforce such password control. When discussing entropy, MD5#, or
> different types of password attacks to a non-technical person it's
> difficult to convince them to go much further past 6 characters.

If the password is, for instance a screen saver password, then it's 
probably sufficient that it not be written down- screen saver passwords 
generally protect against other people using the computer, and the "too 
difficult to remember" password will be written down (under keyboard, on 
monitor, under mousepad, in desk drawer...) and not protect from that kind 
of attack.  Non-obvious passwords for local access don't really need to be 
"stronger" than being not obvious.  

Network/remote passwords really need the extra bits and non-wordiness if 
they, or their hashes are on the network or in a file that's not very well 
protected.

> Think of it this way. Most PIN numbers for banks to take money out of an
> electronic teller are 4 digits, and I can't remember the last time I was
> forced to change this PIN code... 

PINs are set this way because banks don't want to pay support costs for 
lost/forgotten PINs, *NOT* because 4 digits are secure.  Generally, PINs 
also require a physical card and physical access (though weak, the cards 
are stronger than a typical username.)

IT departments should also think about support costs before going to 
difficult passwords- pass phrases might be a better choice if the input 
mechanism allows longer series of characters- though an educated attacker 
may be able to narrow the search space if the system truncates at a 
certain length.

Personally, I prefer two factor hardware tokens for critical access, and 
encrypted tunnels for anything else, though that's not always possible.

If you want to convince them, show them the time difference in brute 
forcing 6 characters vs (pick your ideal number) on a typical PC.
  
Make sure they understand that dictionary attacks take the strength out of 
longer passwords.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
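The "show them the time difference" argument above, as an added example that is not part of the original list post: a small calculator that compares the brute-force search space for 6 versus 8 (or any) characters at an assumed guess rate, shows how a system that silently truncates passwords caps the search space regardless of what the user typed, and shows why a dictionary word plus a few mangling rules is far weaker than its character count suggests. The alphabet sizes, guess rate, dictionary size and rule count are all assumptions chosen for illustration, not measurements.

```python
"""Password search-space calculator (added example; all rates and sizes are assumed)."""

from math import log2

# Assumed alphabet sizes: what the attacker must cover if the policy only
# guarantees characters from this set.
ALPHABETS = {
    "lower": 26,          # a-z
    "mixed": 52,          # a-z, A-Z
    "mixed+digits": 62,   # a-z, A-Z, 0-9
    "printable": 95,      # printable ASCII
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def brute_force_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole keyspace at the assumed guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def effective_length(requested_length: int, truncate_at: int = 0) -> int:
    """A system that truncates at `truncate_at` characters (0 = no truncation)
    only ever compares that many; extra characters cost the attacker nothing."""
    if truncate_at <= 0:
        return requested_length
    return min(requested_length, truncate_at)


def dictionary_guesses(words: int, mangling_rules: int) -> int:
    """Guesses needed when the password is a dictionary word transformed by one
    of `mangling_rules` simple rules (capitalise, append a digit, leet-speak...)."""
    return words * mangling_rules


def entropy_bits(guesses: int) -> float:
    """Equivalent strength in bits: log2 of the number of guesses required."""
    return log2(guesses)


def compare_lengths(alphabet: str, short_len: int, long_len: int, rate: float) -> dict:
    """Brute-force cost of two lengths over the same alphabet, plus the ratio.
    Returns plain numbers so the result can be checked or tabulated."""
    size = ALPHABETS[alphabet]
    short_space, long_space = keyspace(size, short_len), keyspace(size, long_len)
    return {
        "short_guesses": short_space,
        "long_guesses": long_space,
        "short_seconds": brute_force_seconds(size, short_len, rate),
        "long_seconds": brute_force_seconds(size, long_len, rate),
        "ratio": long_space // short_space,
    }


def truncated_keyspace(alphabet: str, requested_length: int, truncate_at: int) -> int:
    """Search space actually protecting the account once truncation is applied."""
    return keyspace(ALPHABETS[alphabet], effective_length(requested_length, truncate_at))


if __name__ == "__main__":
    RATE = 1e6  # assumed guesses per second for a "typical PC" of the era
    r = compare_lengths("mixed+digits", 6, 8, RATE)
    print(f"6 chars: {r['short_guesses']:,} guesses, {r['short_seconds']:,.0f} s")
    print(f"8 chars: {r['long_guesses']:,} guesses, {r['long_seconds']:,.0f} s "
          f"({r['ratio']:,}x more work)")
    # A 20-character pass phrase is worth only 8 characters if the system truncates at 8.
    print(f"20-char phrase truncated at 8: {truncated_keyspace('mixed+digits', 20, 8):,} guesses")
    # A dictionary word with 50 assumed mangling rules over a 100,000-word list.
    d = dictionary_guesses(100_000, 50)
    print(f"dictionary word + rule: {d:,} guesses (~{entropy_bits(d):.1f} bits), "
          f"far below the {entropy_bits(keyspace(62, 8)):.1f} bits an 8-char random password gives")
```

The ratio is the number to put in front of a manager: every extra character over a 62-symbol alphabet multiplies the brute-force work by 62, while truncation or a dictionary-derived choice silently throws most of that multiplier away.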