Security Basics mailing list archives
RE: Suggested "safe" password length
From: "Ben Cain" <burntcircuit () phreaker net>
Date: Mon, 17 Nov 2003 12:51:02 -0500
as i recall ashish stated that he was running linux with MD5 hashing. if this is indeed the case then the seven char block thing is incorrect... were he ruunning on a windowsserver of some form this would be true and is part of the inharent flaw of windows security... but as he is running linux it is not an issue my personal preferance on secure passwording is 6char for the standard user, 8char for wheel users (or the equivilant of) and 12 for the root user this is just a guideline for standard production servers, high risk users or systems should use something more extream -----Original Message----- From: JohnNicholson () aol com [mailto:JohnNicholson () aol com] Sent: Friday, November 14, 2003 16:27 To: mike () genxweb net; "'Ashish Sharma'"; security-basics () securityfocus com Subject: RE: Suggested "safe" password length I think this is correct. As I understand it, the password encryption function breaks passwords into 7-character blocks before encrypting them. The impact of this is that for an 8-character password you end up with two blocks - one 7 characters and one 1 character, each encrypted with the same function. Breaking the encryption on the single character is trivial, and then you know how to break the encryption on the 7 character remainder. By inference, no attack should ever need to break more than a 7-character string (because having broken one means you have the key to break the others), and having multiple 7-character strings just gives an attacker 2 (or more) chances to hit a combination using a brute force attack. So, I think the best length is 7-characters, using non-dictionary combinations that include special characters. At least, this is the theory I've been using. If I'm wrong, I hope someone will let me know so I can change paradigms. John In a message dated 11/13/2003 11:37:03 PM Eastern Standard Time, "Michael LaSalvia" <mike () genxweb net> writes:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Many people say 8 or more but I have read some where that multiples of 7 are the best to use. It may have been in a class or something I heard that. - -----Original Message----- From: Ashish Sharma [mailto:ashishs () iitg ernet in] Sent: Thursday, November 13, 2003 3:06 AM To: security-basics () securityfocus com Subject: Suggested "safe" password length Hi, I wanted to have an idea about what should be the suggested range of password lengths and if there is any upper bound. I was told that there is a range upto which your password is encrypted and beyond which the characters are futile. I work on a linux environment with md5 encryption of passwords enabled. TIA Ashish
--------------------------------------------------------------------------- Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ---------------------------------------------------------------------------- --------------------------------------------------------------------------- Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ----------------------------------------------------------------------------
Current thread:
- Re[2]: Suggested "safe" password length, (continued)
- Re[2]: Suggested "safe" password length Vishal (Nov 20)
- Re: Suggested "safe" password length Anders Reed-Mohn (Nov 20)
- Re[2]: Suggested "safe" password length Vishal (Nov 21)
- Re: Suggested "safe" password length Hollis Johnson (Nov 17)
- Re: Suggested "safe" password length Alessandro (Nov 16)
- Re: Suggested "safe" password length Tomas Wolf (Nov 17)
- Re: Suggested "safe" password length Steve (Nov 17)
- Re: Suggested "safe" password length Patrick M Darienzo Jr (Nov 16)
- RE: Suggested "safe" password length dave kleiman (Nov 17)
- RE: Suggested "safe" password length JohnNicholson (Nov 16)
- RE: Suggested "safe" password length Ben Cain (Nov 17)
- RE: Suggested "safe" password length dave kleiman (Nov 17)
- RE: Suggested "safe" password length Smith, KC (Nov 16)
- Re: Suggested "safe" password length Simon Gray (Nov 17)
- RE: Suggested "safe" password length Chris Berry (Nov 17)
- Re: Suggested "safe" password length Rodrigo Otaviano (Nov 17)
- RE: Suggested "safe" password length Inlow, Richard N (Nov 17)
- RE: Suggested "safe" password length CHRIS GRABENSTEIN (Nov 17)
- RE: Suggested "safe" password length CHRIS GRABENSTEIN (Nov 17)
- Re[2]: Suggested "safe" password length Vishal (Nov 17)
- RE: Suggested "safe" password length Kenneth Buchanan (Nov 18)