Penetration Testing mailing list archives
Re: Secure Password Policy?
From: "Stephen J. Smoogen" <smooge () gmail com>
Date: Thu, 19 Jan 2006 11:21:42 -0700
On 1/19/06, Sulaiman, Wilmar <wsulaiman () siddharta co id> wrote:
Dear all, I noticed that "best practice" for a minimum password length policy is either 6 or 8 characters. I guess the SANS Institute considers a password weak if it is less than 8 characters. I would like to know where they derived the numbers (6 and 8 characters). Is there any documentation to back up why the best practice for minimum password length is set to 6?
It was explained to me a long time ago that the numbers came from how long it takes to do a brute-force attack against either a remote Unix server using a DES hash (or doing the brute force against the hash without precompiled tables). Each extra character increases the time for cracking exponentially. You would then have a forced password change time less than that, which would limit your risk. If the attacker has the password (and the password has to have a special character and some amount of uppercase and lowercase) you can use the charts here: http://www.mcgill.ca/ncs/products/security/understandpass/#time

68 character space

letters   (8E+06 hashes/sec)   (1E+00 hashes/sec)
          seconds              seconds
01        8.5E-06              6.8E+01  [    1.0 m.]
02        5.8E-04              4.6E+03  [   77.0 m.]
03        3.9E-01              3.1E+05  [    3.6 d.]
04        2.7E+00              2.1E+07  [  247.5 d.]
05        1.8E+02              1.4E+09  [   46.1 y.]
06        1.2E+04              9.9E+10  [3.1E+03 y.]
07        8.4E+05              6.7E+12  [2.1E+05 y.]
08        5.7E+07              4.5E+14  [1.4E+07 y.]
09        3.9E+09              3.1E+16  [9.9E+08 y.]
10        2.6E+11              2.1E+18  [6.7E+10 y.]
11        1.8E+13              1.4E+20  [4.6E+12 y.]
12        1.2E+15              9.8E+21  [3.1E+14 y.]

for a nondistributed attack. A distributed attack would be a power of 2 less time per appropriate number of machines in the distribution.

While it would seem that the time factor for a remote attack is significantly large at a 5 letter password, one needs to take into account two items:

- Number of hosts that can do the attack [power of 2 attack]
- Number of hosts that the password can be tested against [power of 2 attack]

In a network with a large number of hosts running some sort of service that the password can be tested against, your time for finding a match is smaller and you can evade very stupid IDS because you can go slowly.

The brute force attack can be made much more efficient by building a dictionary of common words, phrases, and adding various common additions (number 1 at the end, or for l, etc). I do not have numbers for how much more effective it is,
but I do know it can cut down a search time tremendously.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
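As an added worked example (not code from the post or from the McGill page), the arithmetic behind the chart above: 68^n candidates tried at a fixed guess rate, the distributed-attack divisor the post mentions, and the defender's inverse question of how long a password must be for exhaustive search to outlast a forced change interval. The 90-day interval and the 64-host attacker used in the demo are assumed inputs, not figures from the thread.

```python
"""Brute-force timing arithmetic behind the quoted chart.

Constructed example, not code from the original post or the McGill page.
Assumes exhaustive search of every string of exactly n characters drawn
from a 68-symbol alphabet (68**n guesses) at a constant guess rate.
"""

CHARSET = 68                 # character space used by the quoted chart
FAST_RATE = 8e6              # offline attack against a captured hash, guesses/sec
SLOW_RATE = 1.0              # remote guessing against a live service, guesses/sec
YEAR = 365.25 * 24 * 3600    # seconds per year


def keyspace(length, charset=CHARSET):
    """Number of candidate passwords of exactly `length` characters."""
    return charset ** length


def seconds_to_exhaust(length, rate, hosts=1, charset=CHARSET):
    """Worst-case time to try the whole keyspace.

    `hosts` models the post's distributed attack: the same work spread
    across N machines divides the wall-clock time by N.
    """
    return keyspace(length, charset) / (rate * hosts)


def human(seconds):
    """Render a duration the way the chart does: minutes, days or years."""
    if seconds < 86400:
        return f"{seconds / 60:.1f} m."
    if seconds < YEAR:
        return f"{seconds / 86400:.1f} d."
    return f"{seconds / YEAR:.3g} y."


def min_length_for_rotation(rotation_days, rate, hosts=1, charset=CHARSET):
    """Defender's reading of the chart: smallest length whose exhaustive
    search takes longer than the forced password-change interval."""
    budget = rotation_days * 86400 * rate * hosts   # guesses the attacker gets
    length = 1
    while keyspace(length, charset) <= budget:
        length += 1
    return length


if __name__ == "__main__":
    print("len   8E+06/s    1E+00/s")
    for n in range(1, 13):
        fast, slow = seconds_to_exhaust(n, FAST_RATE), seconds_to_exhaust(n, SLOW_RATE)
        print(f"{n:02d}  {fast:9.1E}  {slow:9.1E}  [{human(slow)}]")
    print("min length, 90-day rotation, offline:", min_length_for_rotation(90, FAST_RATE))
    print("same attacker with 64 hosts:", min_length_for_rotation(90, FAST_RATE, hosts=64))
```

Running it reproduces the chart's orders of magnitude and shows why 8 characters falls out of a 90-day rotation against a single 8E+06/s cracker, while 64 cooperating hosts push the minimum to 9.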