Security Basics mailing list archives

RE: Suggested "safe" password length


From: "Ben Cain" <burntcircuit () phreaker net>
Date: Mon, 17 Nov 2003 12:51:02 -0500

As I recall, Ashish stated that he was running Linux with MD5 hashing. If
this is indeed the case then the seven-char block thing is incorrect... were
he running on a Windows server of some form this would be true and is part
of the inherent flaw of Windows security... but as he is running Linux it is
not an issue.

My personal preference on secure passwording is 6 chars for the standard user,
8 chars for wheel users (or the equivalent of) and 12 for the root user.

This is just a guideline for standard production servers; high-risk users or
systems should use something more extreme.

-----Original Message-----
From: JohnNicholson () aol com [mailto:JohnNicholson () aol com]
Sent: Friday, November 14, 2003 16:27
To: mike () genxweb net; "'Ashish Sharma'";
security-basics () securityfocus com
Subject: RE: Suggested "safe" password length


I think this is correct.

As I understand it, the password encryption function breaks passwords into
7-character blocks before encrypting them. The impact of this is that for an
8-character password you end up with two blocks - one 7 characters and one 1
character, each encrypted with the same function. Breaking the encryption on
the single character is trivial, and then you know how to break the
encryption on the 7 character remainder.

By inference, no attack should ever need to break more than a 7-character
string (because having broken one means you have the key to break the
others), and having multiple 7-character strings just gives an attacker 2
(or more) chances to hit a combination using a brute force attack.

So, I think the best length is 7 characters, using non-dictionary
combinations that include special characters.

At least, this is the theory I've been using. If I'm wrong, I hope someone
will let me know so I can change paradigms.

John
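
A toy model of the block-wise scheme John describes above, added here as an illustration and not code from anyone in the thread. SHA-256 stands in for whatever primitive the real system uses, and the 7-character block size and the 95-symbol printable alphabet are assumptions; `whole_hash` plays the role of a scheme that hashes the entire password at once, like the MD5 setup Ashish mentions.

```python
import hashlib
import string

BLOCK = 7                          # block length described in the thread (assumed)
ALPHABET = string.printable[:95]   # 95 printable ASCII symbols incl. space (assumed)


def blockwise_hash(password: str) -> list[bytes]:
    """Toy model: split into 7-char blocks, NUL-pad the last one, and hash
    every block independently with the same function. SHA-256 is a stand-in,
    not the real primitive."""
    blocks = [password[i:i + BLOCK] for i in range(0, len(password), BLOCK)] or [""]
    return [hashlib.sha256(b.ljust(BLOCK, "\0").encode()).digest() for b in blocks]


def whole_hash(password: str) -> bytes:
    """Baseline: the whole password goes through one hash, so no block leaks."""
    return hashlib.sha256(password.encode()).digest()


def guesses_to_exhaust(password_len: int, blockwise: bool, alphabet: int = len(ALPHABET)) -> int:
    """Worst-case guesses to exhaust the keyspace for a password of this length.
    Block-wise, each block is attacked on its own, so costs add instead of multiply."""
    if not blockwise:
        return alphabet ** password_len
    full, rest = divmod(password_len, BLOCK)
    total = full * alphabet ** BLOCK
    if rest:
        total += alphabet ** rest          # the short tail block is the cheap one
    return total


def shared_leading_blocks(pw_a: str, pw_b: str) -> int:
    """Count leading block hashes two passwords have in common: a block-wise
    hash reveals that two passwords share a 7-char prefix, a whole hash does not."""
    shared = 0
    for a, b in zip(blockwise_hash(pw_a), blockwise_hash(pw_b)):
        if a != b:
            break
        shared += 1
    return shared


if __name__ == "__main__":
    for n in (7, 8, 14):
        print(f"len {n:2}: blockwise {guesses_to_exhaust(n, True):.3e} "
              f"vs whole {guesses_to_exhaust(n, False):.3e} guesses")
    print("shared blocks:", shared_leading_blocks("Tr0ub4dX", "Tr0ub4dY"))
```

The 8-character case shows the point of the thread: under the block-wise model the tail block costs at most 95 guesses, so going from 7 to 8 characters adds almost nothing, while the whole-password hash gains a full factor of 95.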



In a message dated 11/13/2003 11:37:03 PM Eastern Standard Time, "Michael
LaSalvia" <mike () genxweb net> writes:

Many people say 8 or more, but I have read somewhere that multiples
of 7 are the best to use. It may have been in a class or something where I
heard that.

-----Original Message-----
From: Ashish Sharma [mailto:ashishs () iitg ernet in]
Sent: Thursday, November 13, 2003 3:06 AM
To: security-basics () securityfocus com
Subject: Suggested "safe" password length

Hi,
I wanted to have an idea about what should be the suggested range of
password lengths and if there is any upper bound.
I was told that there is a range up to which your password is encrypted
and beyond which the characters are futile. I work on a Linux environment
with MD5 encryption of passwords enabled.
TIA
Ashish



---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------




