Security Basics mailing list archives
RE: Minimum password requirements
From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Fri, 23 Jul 2004 10:25:41 +0100
I've seen a couple of these posts, and I already replied before saying I thought this was unnecessary, so I'm not trying to pick on you specifically. But can someone please give me a real-world example where changing passwords routinely has had any measurable benefit (yes, I know it may be impossible to show examples of stopped intrusion attempts--but even coming up with a realistic hypothetical that does not involve an attacker who bruteforces at a rate of one password a month is difficult)? In this example you give above, the attacker could just as well happen upon your password first--assuming it takes 4 months to try every password, his average time to success will be half that (two months); even if you make your timeout two months, 25% of the time he'll get it in 1. Now let's think about this from a more accurate perspective. Assuming an attacker randomly tries passwords (the chances of him brute-forcing *every single possible password* in linear order are minimal; assuming 8 character passwords guessed at 1 per second, we're talking years here), changing the password does not significantly help your chances. The benefit here is by whether he can guess with replacement or without (as in, should he guess another random password, or a random password that he hasn't already guessed--can he narrow his guessing set?). So 8 character alphanumeric, caps and lower, gives us 218340105584896 possible passwords. At one per second, over a 30 day period, going non-stop (and if your logs don't catch *this*, you should think twice), he guesses 2592000 passwords. So if he's allowed to assume no guessing the same password twice--i.e. that you don't cycle your passwords regularly--he can better his odds from 1/218340105584896 to 1/218340102992896. Not a significant change. In fact, so insignificant that if *I* were the attacker, I wouldn't bother keeping track of passwords I'd guessed. So does this make you safer against brute forcing? Perhaps a very small amount. Now, the majority of intrusions: brute forces? Dictionary attacks? Exploit of known vulnerabilities? Or insider jobs? The last three are serious concerns; the first, in my opinion, is not nearly as much so. Brute forcing is deterrable with authorized log-in domains (allow customers to log in only from their domains), failed-timouts, effective logging (not to hard to notice thousands of failed attempts; letting a single or two failures slip by is perfectly excusable), but perhaps never will be stopped. Big deal. Yet if we force users to change their passwords all the time, they'll likely write them down on post-its, or some other place, making them easily found by a coworker or anyone else in the area. They'll also be frustrated and forget it a lot, increasing our workload in making us reset their passwords often. And they won't be as productive using our systems, which, really, defeats the whole purpose of those systems. Weak passwords are a serious problem, I agree. But when choosing your battles, timeout policies just aren't worth the effort to you, to your users, or to anyone else.
This is a tricky one... I'm not a big fan of enforced password expiration as the majority of non-tehnical users have great difficulty coping with it and either use a predictable sequence (numeric iteration etc) or just resort to the post-it on the monitor approach. The only real thing I can see in favour of it is that in many cases it can be very hard to know for certain wether a password has been comprimised or not. Even on systems where the credential usage is logged if the intruder is clever it would take a fairly detailed audit to differentiate the unwanted logins from the normal ones. regards, Andrew --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- RE: Minimum password requirements, (continued)
- RE: Minimum password requirements Wesley Troy Scott (Jul 19)
- RE: Minimum password requirements Ruiz Cifuentes, Rolando (Jul 20)
- RE: Minimum password requirements Ferino Mardo (Jul 21)
- Re: Minimum password requirements Hamish Stanaway (Jul 21)
- Re: Minimum password requirements dmargoli (Jul 22)
- Re: Minimum password requirements Steve (Jul 23)
- Re: Minimum password requirements dmargoli (Jul 23)
- RE: Minimum password requirements Dave Dyer (Jul 26)
- Re: Minimum password requirements Ansgar -59cobalt- Wiechers (Jul 26)
- RE: Minimum password requirements Ed Spencer (Jul 26)
- Re: Minimum password requirements dmargoli (Jul 22)
- RE: Minimum password requirements Andrew Aris (Jul 23)
- RE: Minimum password requirements Jeremy Novak (Jul 26)
- Re: Minimum password requirements Jonathan Loh (Jul 26)
- Re: Minimum password requirements Gethin Jones (Jul 26)