Security Basics mailing list archives

RE: passwords


From: "Tim V - DZ " <iceburn () dangerzone com>
Date: Wed, 19 Feb 2003 08:58:03 -0600

Yes, no,....yes...no. 

You definitely need 'strong' passwords.  And they definitely need to be
changed on some time basis.  The complexity of the password and the time
length and schedule of changing depends on the environment.  Are you
protecting Top Secret Data or a single computer containing family
recipes? 

Passwords are a hot topic and I'm sure that not only have you gotten
tons a mail, but the moderator has surely filtered much sent to the list
out.  Here are some core reasons followed by some links that can help
you make your own decisions about security.

Complexity:  length and containing characters like 0-9 or #$%&^*@# etc.
Reasoning:   longer strings and an increased search space make 'guessing'
or brute forcing a password harder.  If it's only alphabetic each
character adds a power of 26 tries, if you add numbers each character
adds 36, etc.  Using non-dictionary words reduces the chance of a
dictionary-based attack (it's easier to guess all the words in a
dictionary than all the character combinations).   In most cases length
only matters to a certain point, most systems will take short passwords
and pad them to a certain length, and likewise take long passwords and
chop off the extra characters to make them a certain length.

Changing:  this is a more interesting topic.  The complexity depends on
the system (implementation) and the risk (what you are protecting).  The
changing of the password is more about policy.  If you are preventing a
'brute force' attack, you might fund a study that shows on average a
sufficiently complex password takes 100 days to 'break' or 'guess.'  In
that case you might set a policy that requires users to change the
password every 90 days.  But also, how computer-savvy is your user base?
If you make users change it too often, you'll end up with users that
choose very complex passwords like "afd*&^Dfh33" but then write it on a
POST-IT note and put it on their monitor or under the keyboard -
obviously something we don't want to happen.  Do you even want to have
them change on a regular basis?  Generally the more information that a
"Bad Guy" knows, the better his odds are.  If he knows that you are
going to change your password next Tuesday, because he knew you changed
it 67 days ago, he can start to mount a much more targeted Social
Engineering attack.

Anyway, I guess the answer is yes...no wait no...well "it depends."

-tim

http://www.sans.org/rr/authentic/sec_access.php
http://www.cert.org/tech_tips/unix_configuration_guidelines.html
http://www.sans.org/top20/#W7
http://www.microsoft.com/security/articles/password.asp  ;-)
http://www.cnn.com/2002/TECH/ptech/03/13/dangerous.passwords/


-----Original Message-----
From: ullmic6 () web de [mailto:ullmic6 () web de] 
Sent: Monday, February 17, 2003 1:02 PM
To: security-basics () securityfocus com
Subject: passwords

Hello all,

one of the favorite subjects in my company seems to be the strength of
passwords. We force our users to change their mail password every 90
days.
Does this make sense? Why?

--
ullmic
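The search-space and rotation-interval reasoning in Tim's reply above (26 or 36 choices per character, truncation of long passwords, and a change interval set shorter than the expected time to guess), worked through as an added example that is not part of the original thread. The guess rates, the 32-symbol class size and the "rotate at half the expected crack time" margin are assumptions chosen for illustration.

```python
from typing import Optional, Tuple

# Character-class sizes as the post describes them: 26 for letters alone,
# 36 once digits are added. The symbol count (32 printable ASCII symbols)
# is an assumption for this example.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

SECONDS_PER_DAY = 86400


def keyspace(length: int, classes: Tuple[str, ...],
             max_stored_len: Optional[int] = None) -> int:
    """Number of candidate passwords: alphabet_size ** effective_length.

    If the system truncates passwords to a fixed length (as the post notes
    many do), characters past max_stored_len add nothing to the search space.
    """
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    effective = length if max_stored_len is None else min(length, max_stored_len)
    return alphabet ** effective


def expected_days_to_guess(space: int, guesses_per_second: float) -> float:
    """An exhaustive search succeeds, on average, after half the keyspace."""
    return (space / 2) / guesses_per_second / SECONDS_PER_DAY


def rotation_ok(space: int, guesses_per_second: float,
                rotation_days: float, margin: float = 0.5) -> bool:
    """Policy check mirroring the post's '100 days to break -> change every
    90 days' logic, with an assumed safety margin: the change interval must
    not exceed `margin` times the expected time to guess."""
    return rotation_days <= margin * expected_days_to_guess(space, guesses_per_second)


if __name__ == "__main__":
    # Constructed scenario: 8-character passwords, an assumed rate of
    # 10,000 guesses/second against the mail server, and a 90-day policy.
    rate, policy = 1e4, 90
    for classes in (("lower",), ("lower", "digit")):
        space = keyspace(8, classes)
        days = expected_days_to_guess(space, rate)
        print(f"{'+'.join(classes):12s} space={space:>16d} "
              f"expected={days:9.1f} days  90-day policy ok: "
              f"{rotation_ok(space, rate, policy)}")
    # Truncation: 12 characters stored as 8 buys no extra search space.
    print("12 chars truncated to 8 == 8 chars:",
          keyspace(12, ("lower",), max_stored_len=8) == keyspace(8, ("lower",)))
```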
