nanog mailing list archives

Re: AD and enforced password policies


From: Jimmy Hess <mysidia () gmail com>
Date: Mon, 2 Jan 2012 22:34:45 -0600

On Mon, Jan 2, 2012 at 8:16 PM, Steven Bellovin <smb () cs columbia edu> wrote:

On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote:
OK -- let's let the set of punctuation be .,; and allow seven choices for where it goes.  That increases the work factor by 21 -- still not that large a space for someone with a good botnet.


Should an attacker get to the point of being able to mount a brute force attack, with only character class and length requirements, that means they have basically already won the battle for basic user level access --- user passwords do not have cryptographic strength. The chance that some passwords are guessed is so high that you can legitimately treat the probability that no passwords are discovered by an informed attack as a 0% chance.

Assuming you have a policy of account lockout after multiple attempts, the fact that a brute force attack can be mounted indicates that the implementation of your account lockout policy failed, or the attacker stole the password hashes.

If you have LANMAN hashes enabled or your passwords are hashed with MD5 instead of PBKDF2 with 10000 or more rounds, the attacker has the keys to the kingdom; they are almost certain to guess some passwords very quickly.

Not all passwords are equally likely to be chosen by a human given the task of setting their password.

How some luser is going to respond to password complexity: pick a name or standard dictionary word, make the first letter capital, append a single digit or some well known number (such as the current year, a birthdate, anniversary, address, SSN, or other known quantity), and add a period or ! to the end to meet the punctuation mark requirement.

Eminently guessable by methods other than brute force. It doesn't matter that 10 different punctuation marks are actually available to the user --- human chosen passwords have low entropy; you can anticipate that the average human has a higher chance of picking certain punctuation marks than others, based on where they are located on the keyboard and the user's level of familiarity with the punctuation mark.

~ and _ may be valid choices, but the average English speaker is more familiar with
! . , ' ; & + -


--
-JH
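The "capitalized word + known number + trailing punctuation" shape described in the post is something a password-set filter can reject outright rather than count as three character classes. The following is an added illustration, not code from the thread or from any directory product; the word list is a constructed stand-in for a real dictionary and name list, and the digit heuristics are assumptions about the suffixes the post names.

```python
"""Policy-side check for the predictable 'Word + digits + punctuation'
shape that users fall into under naive length/class complexity rules."""
import re

# Constructed stand-in for a real dictionary / name list (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "winter", "dragon", "monkey"}

# Capitalized word, optional digit run, optional single trailing mark drawn
# from the punctuation the post calls familiar to English speakers.
TEMPLATE = re.compile(r"^([A-Z][a-z]{2,})(\d{0,8})([.!,;'&+\-]?)$")


def predictable_digits(digits: str) -> bool:
    """True for the suffixes the post lists: none, one digit, a year, a date."""
    if digits == "" or len(digits) == 1:
        return True
    if len(digits) == 4 and 1900 <= int(digits) <= 2099:
        return True                      # current year, birth year, ...
    if len(digits) in (6, 8):
        return True                      # MMDDYY / MMDDYYYY style date
    return False


def weak_pattern_reason(password: str):
    """Return why the password matches the predictable template, or None."""
    m = TEMPLATE.match(password)
    if not m:
        return None
    word, digits, punct = m.groups()
    if word.lower() not in COMMON_WORDS or not predictable_digits(digits):
        return None
    parts = ["capitalized dictionary word"]
    if digits:
        parts.append("predictable numeric suffix")
    if punct:
        parts.append("trailing punctuation")
    return " + ".join(parts)


def policy_accepts(password: str, min_len: int = 8) -> bool:
    """Ordinary length + 3-of-4 class rules, plus rejection of the template."""
    classes = sum(re.search(p, password) is not None
                  for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^\w\s]"))
    if len(password) < min_len or classes < 3:
        return False
    return weak_pattern_reason(password) is None
```

"Welcome2012!" satisfies every class rule yet is rejected because it is exactly the shape the post predicts, while a password that merely looks random to the class counter passes.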

