Firewall Wizards mailing list archives
RE: strong passwords (was Radius/MS ISA stuff)
From: Paul Robertson <proberts () patriot net>
Date: Mon, 8 Jul 2002 19:55:55 -0400 (EDT)
On Tue, 9 Jul 2002, Daniel Djundjek wrote:
> Gentlemen, I like your thinking on the crypto attack side of things relating to passwords, but I have a slightly different issue. How do you recommend to an IT manager that they need to have a min. of 8 characters? I found the below article, but are you aware of any other articles or docs where companies are 'forced' by legislation or self-regulated bodies to enforce such password control? When discussing entropy, MD5#, or different types of password attacks to a non-technical person it's difficult to convince them to go much further past 6 characters.

It really depends on the authentication scheme and where the authentication happens, and what you're trying to protect against:

If the password is, for instance, a screen saver password, then it's probably sufficient that it not be written down - screen saver passwords generally protect against other people using the computer, and the "too difficult to remember" password will be written down (under keyboard, on monitor, under mousepad, in desk drawer...) and not protect from that kind of attack. Non-obvious passwords for local access don't really need to be "stronger" than being not obvious. Network/remote passwords really need the extra bits and non-wordiness if they, or their hashes, are on the network or in a file that's not very well protected.

> Think of it this way. Most PIN numbers for banks to take money out of an electronic teller are 4 digits, and I can't remember the last time I was forced to change this PIN code...

PINs are set this way because banks don't want to pay support costs for lost/forgotten PINs, *NOT* because 4 digits are secure. Generally, PINs also require a physical card and physical access (though weak, the cards are stronger than a typical username.) IT departments should also think about support costs before going to difficult passwords - pass phrases might be a better choice if the input mechanism allows longer series of characters, though an educated attacker may be able to narrow the search space if the system truncates at a certain length. Personally, I prefer two-factor hardware tokens for critical access, and encrypted tunnels for anything else, though that's not always possible. If you want to convince them, show them the time difference in brute forcing 6 characters vs (pick your ideal number) on a typical PC. Make sure they understand that dictionary attacks take the strength out of longer passwords.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment, TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
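The brute-force comparison Paul suggests showing a manager, worked as an added example (not code from the original post or from either correspondent). It computes keyspace, bits and exhaustive-search time for 6 vs 8 (and longer) printable-ASCII passwords, then shows the two caveats from the message: a pass phrase built from dictionary words is only as strong as the dictionary attack against it, and a system that truncates input caps the effective length. The guess rate of 10^9 per second is an assumption chosen for illustration; it is not a measurement of any particular PC or hash. The dictionary size of 8,000 words and the truncation length of 8 are likewise assumed inputs (8 matches the classic DES-based crypt(3) limit).

```python
"""Brute-force cost estimates for password length decisions (added example)."""
import math

# Assumed guess rate for illustration only: one fast PC against a fast,
# unsalted hash. Real rates vary by orders of magnitude with the hash
# function and hardware; measure on the system actually being defended.
GUESSES_PER_SECOND = 1e9

# Alphabet sizes (exact): lowercase letters, letters+digits, printable ASCII.
LOWER, ALNUM, PRINTABLE = 26, 62, 95


def keyspace(length, alphabet_size):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def bits(n):
    """A keyspace expressed as bits of entropy (log2)."""
    return math.log2(n)


def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case wall-clock time to try every candidate (expected time is half)."""
    return keyspace(length, alphabet_size) / rate


def human(seconds):
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def effective_keyspace(length, alphabet_size, truncate_at=None):
    """Keyspace after accounting for a system that silently truncates input.

    Classic DES-based crypt(3) kept only the first 8 characters, so a
    14-character password on such a system costs an attacker no more than
    an 8-character one. truncate_at=None means no truncation.
    """
    if truncate_at is not None:
        length = min(length, truncate_at)
    return keyspace(length, alphabet_size)


def passphrase_keyspace(dictionary_size, words):
    """Search space for a pass phrase when the attacker knows it is built
    from dictionary words, i.e. the cost of a dictionary attack rather than
    of treating the phrase as random characters."""
    return dictionary_size ** words


def comparison_table(lengths=(6, 8, 10, 12), alphabet_size=PRINTABLE):
    """Rows of (length, bits, exhaustive-search time) to put in front of a manager."""
    return [(n, round(bits(keyspace(n, alphabet_size)), 1),
             human(seconds_to_exhaust(n, alphabet_size))) for n in lengths]


if __name__ == "__main__":
    for n, b, t in comparison_table():
        print(f"{n:>2} printable chars: {b:>5} bits, exhaustive search {t}")

    # Dictionary caveat (assumed 8,000-word list, 4 words): the phrase looks
    # like ~25 random characters but a dictionary attack searches 8000**4.
    apparent = keyspace(25, PRINTABLE)
    effective = passphrase_keyspace(8000, 4)
    print(f"4-word pass phrase: apparent {bits(apparent):.0f} bits, "
          f"effective {bits(effective):.1f} bits under a dictionary attack")

    # Truncation caveat (assumed 8-character limit): 14 chars == 8 chars.
    print(f"14 chars truncated at 8: "
          f"{bits(effective_keyspace(14, PRINTABLE, 8)):.1f} bits")
```

At the assumed rate, 6 printable characters fall in about 12 minutes and 8 in about 77 days, which is the kind of gap that lands with a non-technical audience; the same table also shows that a 4-word phrase from a small word list is worth about 52 bits, roughly the same as 8 random printable characters, not the 164 bits its character count suggests.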
Current thread:
- RE: strong passwords (was Radius/MS ISA stuff) Daniel Djundjek (Jul 08)
- RE: strong passwords (was Radius/MS ISA stuff) Paul Robertson (Jul 08)
- Re: strong passwords (was Radius/MS ISA stuff) George W. Capehart (Jul 08)
- RE: strong passwords (was Radius/MS ISA stuff) Bill Royds (Jul 09)
- <Possible follow-ups>
- RE: strong passwords (was Radius/MS ISA stuff) Behm, Jeffrey L. (Jul 09)