Re: Secure Password Policy?

["Thor (Hammer of God)" <thor () hammerofgod com>]

Just to chime in (not necessarily in response to your post Mike, just using 
this as my response entry)

There really isn't a "best practice" to password length in generic terms. 
Without a corresponding protocol and authentication model, there isn't much 
value in assigning some arbitrary length to a password.  Generally, the 
longer the better, but it all depends on how the password is being stored 
and/or transmitted.

Passwords sent via SMTP, POP3, HTTP (basic), etc can be any length and it 
won't matter as they are transmitted in the clear (HTTP basic being Base64). 
Passwords stored or sent in LM can be up to 14 characters, but the password 
is stored as two independent 7 character hashes. (Someone posted about 8 and 
13-- you were close ;)   LM hashes are cracked in seconds.  But the same 
password authenticated on the wire via NTLM is far more secure.

If one gets access to the SAM on Windows box, then the password hash is 
stored in both LM and NTLM for compatibility reasons.  This can be turned 
off via registry (or by having a password > 14 characters in Win2k+) but if 
you don't do that and someone has access to an unencrypted SAM, they can 
attack with LM cracks.

Then again, even with a 14 character NTLM password, rainbow table attacks 
(or brute force attacks with the right equipment) can be successful in very 
short periods of time. By contrast, a 6 character password authenticated 
over NTLMv2 cannot be cracked via rainbow tables as domain/user information 
is used during the negotiation as opposed to the password hash in 
singularity.

I used to go for "complex" passwords and such, but for the last several 
years (ever since Win2k allowed you to have 128 char pwd) I've gone for 
simple, but long passphrases.  As stated earlier, in general, the longer the 
better.  Some people think that "1*&ZdhfA" is secure, and it can be in the 
right model, but user's won't remember that.  Something like "I hate my boss 
and want him to burst into flames" is much better, and about impossible to 
crack with current methods (unless sent unsecured over the network.)

So, in short, "it all depends."  ;)
t


-----
"I'll see your Llama and up you a Badger."
John T



----- Original Message ----- 
From: "Mike Harlan" <mike () spacedata biz>
To: <pen-test () securityfocus com>
Sent: Thursday, January 19, 2006 10:06 AM
Subject: FW: Secure Password Policy?


> I believe that the 6-8 rule is in place because it would take an extremely
> long time (or lucky guess) to crack the password at this length. 
> Especially
> when used with the other recommended practices (uppercase, lowercase,
> special characters, numbers).  Also, remember that we have to put forth as
> much effort to protect our info as we think that it is worth to us or our
> customers.
>
> -----Original Message-----
> From: Sulaiman, Wilmar [mailto:wsulaiman () siddharta co id]
> Sent: Thursday, January 19, 2006 5:12 AM
> To: pen-test () securityfocus com
> Subject: Secure Password Policy?
>
> Dear all,
>
> I noticed that "best practice" for Minimum password length policy is 
> either
> 6 or 8 characters. I guess SANS institute considered a weak password if it
> is less than 8 characters.
>
> I would like to know where they derived the number (6 and 8 characters).
> Is there any documentation to backup it up why the best practice for 
> minimum
> password length is set to 6?
>
> Wilmar Sulaiman
> Risk Advisory Services
> KPMG Siddharta Siddharta & Widjaja
> 32nd Floor, GKBI Building
> 28, Jl. Jend. Sudirman
> Jakarta 10210, Indonesia
> J : +62 (0) 21 574 2333
> Fax : +62 (0) 21 574 1777
>
> **********************************************************************
> The information in this e-mail is confidential and may be legally
> privileged. It is intended solely for the addressee. Access to this e-mail
> by anyone else is unauthorized. If you have received this communication in
> error, please address with the subject heading "Received in error," send 
> to
> postmaster () siddharta co id, then delete the e-mail and destroy any copies 
> of
> it. If you are not the intended recipient, any disclosure, copying,
> distribution or any action taken in reliance on it, is prohibited and may 
> be
> unlawful. Any opinions or advice contained in this e-mail are subject to 
> the
> terms and conditions expressed in the governing Siddharta Siddharta &
> Widjaja/PT Siddharta Consulting client engagement letter. Opinions,
> conclusions and other information in this e-mail and any attachments that 
> do
> not relate to the official business of the firm are neither given nor
> endorsed by it.
>
> Siddharta Siddharta & Widjaja/PT Siddharta Consulting cannot guarantee 
> that
> e-mail communications are secure or error-free, as information could be
> intercepted, corrupted, amended, lost, destroyed, arrive late or 
> incomplete,
> or contain viruses.
>
> Siddharta Siddharta & Widjaja - Registered Public Accountants, registered 
> in
> Indonesia, is a member firm of KPMG International. PT Siddharta 
> Consulting,
> a limited liability company registered in Indonesia, is a member firm of
> KPMG International. KPMG International is a Swiss cooperative of which all
> KPMG firms are members. KPMG International provides no professional 
> services
> to clients. Each member firm is a separate and independent legal entity 
> and
> each describes itself as such.
>
> This footnote also confirms that this e-mail message has been swept by
> MIMEsweeper for the presence of computer viruses. See www.mimesweeper.com
> for more information.
> **********************************************************************
>
>
> ----------------------------------------------------------------------------
> --
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers 
> are
> futile against web application hacking. Check your website for
> vulnerabilities to SQL injection, Cross site scripting and other web 
> attacks
> before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------------
> ---
>
>
>
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers 
> are
> futile against web application hacking. Check your website for 
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before 
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------