RE: ADS Password Storage Protection

[Harold Winshel <winshel () camden rutgers edu>]

Roger,

Thanks for the great detailed answer.

Regarding the shorter complex passwords, my understanding is that the 
reason many organizations recommend a complex password but only up to 
8 characters long is because many unix systems don't support a 
password longer than that.  And the organizations don't want to tell 
the users to use an 8-character password for their unix systems but 
to use 15 characters for their Windows systems.  So they keep it 
simple and just one have short (8 character) password policy.

And if the password is only going to be 8 characters, it needs to be 
complex for dictionary attack and other similar reasons.

For purposes of a password policy for windows users - if I understand 
your comments - we would suggest a 15-character minimum password, and 
it can be a passphrase, but we should try to make it something that 
wouldn't appear in some body of work that would be a candidate for 
digitizing for purposes of a password attack.

I'm not suggesting that it needs to be a phrase that never appeared 
in any book or newspaper or magazine or any periodical in the history 
of the world.  But if I wanted to pick out two or three books that I 
would not want the passphrase to appear in, I would exclude a popular 
book of quotes (such as Bartlet's Book of Quotations).

Given that, would you think that changing just one or two characters 
of a passphrase would make it a strong passphrase.  For instance:

Frankly, my dear, I don't give a damn.

Frankly, my d*ar, I don't give a damn.

For protection against a passphrase attack, I would hope that the 
second passphrase would make it a much stronger passphrase.

A passphrase that is a real phrase would make it easier for users to 
remember their password, but if it could be made much stronger by 
changing only one character it would be less of a burden on the users 
to remember.

I appreciate your thoughts.

Thanks,

Harold


08:49 PM 7/20/2006, Roger A. Grimes wrote:
> There isn't any publicly domain software that specifically attacks
> passphrases that I know of, but creating a tool like that should be
> almost trivial for a regular programmer. It could be scripted with a few
> dozen lines of code. The program would use a password dictionary and
> treat each word as character, and apply varying combinations of those
> words, in different forms, in varying cases, along with spaces and other
> symbols to create one longer password that is then hashed and compared.
>
> But if one was created, mathematically, a passphrase only using words
> would suddenly become much weaker than bruteforcing each character
> alone. Several researchers and thinkers have concluded that a typical
> passphrase containing only whole words would be less secure than a much
> shorter, more complex password. And I support this idea completely.
>
> But there aren't tools like this in the public domain, and there is no
> way to guarantee real complexity on shorter passwords. Since the vast
> majority of people will use a much smaller character set than is
> available for them to use, the effective security of a shorter password
> becomes equivalent to how smart the brute force/dictionary cracker is in
> its hybrid attack.  My my experience, John the Ripper and Cain can both
> be configured to guess on much smaller character sets than the password
> administrators think users are availing themselves of, and hence their
> shorter password aren't that much complex, just shorter.
>
> I hate that if I want to use a 30 character long password/passphrase,
> which would be much more difficult to break than a 6 character "complex"
> password, that nearly every system requires that I input "complexity"
> into my already uncrackable password.
>
> -----Original Message-----
> From: Harold Winshel [mailto:winshel () camden rutgers edu]
> Sent: Thursday, July 20, 2006 8:08 PM
> To: Roger A. Grimes; Depp, Dennis M.; security-basics () securityfocus com
> Subject: RE: ADS Password Storage Protection
>
> Roger,
>
> Just to clarify, when I mention password cracking, I'm strictly
> referring to passwored cracking software.
>
> You make good points but, for purposes of discussion I'm excluding
> protection against shoulder surfing or people trying to manually guess a
> password.
>
> So, if I understand your answer - strictly in terms of a brute force
> attack - any given 15-character password would be just as strong as any
> other 15-character password.
>
> If that's the case, then I go back to one of my original questions,
> which is whether there is such a thing as a passphrase attack.  I am not
> knowledgeable about password cracking software but it strikes me as
> something that should be easy to include in a password cracking program.
>
> Harold
>
>
> At 09:14 AM 7/20/2006, Roger A. Grimes wrote:
> >Yes, as long as I didn't know that was your password.
> >
> >To second my yes, most password crackers don't guess sequentially, they
>
> >guess randomly (birthday attack theory), so it's not even like
> >aaaaaaaaaaaaa would come be guaranteed to up first before
> >5adf,nasa73@#$. A dictionary attack would fail, so only brute force or
> >luck could find it.
> >
> >I think it would be a strange logon, easy to recreate, for someone
> >shoulder surfing though.
> >
> >-----Original Message-----
> >From: Harold Winshel [mailto:winshel () camden rutgers edu]
> >Sent: Thursday, July 20, 2006 6:17 AM
> >To: Roger A. Grimes; Depp, Dennis M.; security-basics () securityfocus com
> >Subject: RE: ADS Password Storage Protection
> >
> >Please correct me if I'm wrong.  If length is the tool for a secure
> >windows passphrase then, in theory, a password of "aaaaaaaaaaaaaaa"
> >should be just as strong as a 15-character password consisting of
> >random characters?
> >
> >Thanks,
> >
> >
> >
> >At 02:55 PM 7/18/2006, Roger A. Grimes wrote:
> > >My conjecture is that franklyidon'tgiveadamn is pretty uncrackable as
>
> > >well. No complexity, but length prevents it from being easily
> > >broken...non-trivial.  Pull out the complexity and the length is
> > >still insurmountable in most cases.
> > >
> > >If you don't believe that then break my 123456789012345 length, no
> > >complexity challenges.
> > >
> > >-----Original Message-----
> > >From: Depp, Dennis M. [mailto:deppdm () ornl gov]
> > >Sent: Tuesday, July 18, 2006 8:36 AM
> > >To: winshel () camden rutgers edu; security-basics () securityfocus com
> > >Subject: RE: ADS Password Storage Protection
> > >
> > >The phrase you gave, "frankly, my dear, I don't give a damn" meets
> > >most
> >
> > >definitions of complexity.  I has upper and lower case letters and
> > >special characters.
> > >
> > >Dennis
> > >
> > >-----Original Message-----
> > >From: winshel () camden rutgers edu [mailto:winshel () camden rutgers edu]
> > >Sent: Saturday, July 15, 2006 12:25 AM
> > >To: security-basics () securityfocus com
> > >Subject: Re: RE: ADS Password Storage Protection
> > >
> > >I've read and heard many sources say this same thing, i.e., that, for
>
> > >windows systems, length is stronger than short and complex.  And that
>
> > >a
> > >15 character or longer password can be a real phrase and it will be a
>
> > >secure password.
> > >
> > >
> > >I can see why a long password that consists of a real phrase - such
> > >as "frankly, my dear, I don't give a damn" - would be just as secure
> > >as an
> >
> > >equally long complex password, in terms of protection against a brute
>
> > >force attack.
> > >
> > >
> > >I don't know much about password cracking programs but am surprised
> > >that, while they would be working  on a brute force attack, they
> > >wouldn't be able to try a lot of commonly-used phrases at the same
> >time.
> > >
> > >
> > >If some password cracking programs can use a dictionary attack,
> > >couldn't there also be something called a passphrase attack?  Would
> > >it be difficult for a password cracker to digitize Bartlett's Book of
>
> > >Quotations and include that in an attack on a password?
> > >
> > >---------------------------------------------------------------------
> > >--
> > >-
> > >---
> > >This list is sponsored by: SensePost
> > >
> > >Hacking, like any art, will take years of dedicated study and
> > >practice to master. We can't teach you to hack. But we can teach you
> > >what we've learned so far. Our courses are honest, real, technical
> and practical.
> > >SensePost willl be at Black Hat Vegas in July. To see what we're
> > >about,
> >
> > >visit us at:
> > >
> > >http://www.sensepost.com/training.html
> > >---------------------------------------------------------------------
> > >--
> > >-
> > >---
> > >
> > >
> > >---------------------------------------------------------------------
> > >--
> > >-
> > >---
> > >This list is sponsored by: SensePost
> > >
> > >Hacking, like any art, will take years of dedicated study and
> > >practice to master. We can't teach you to hack. But we can teach you
> > >what we've learned so far. Our courses are honest, real, technical
> and practical.
> > >SensePost willl be at Black Hat Vegas in July. To see what we're
> > >about,
> >
> > >visit us at:
> > >
> > >http://www.sensepost.com/training.html
> > >---------------------------------------------------------------------
> > >--
> > >-
> > >---
> >
> >Harold Winshel
> >Computing and Instructional Technologies Faculty of Arts & Sciences
> >Rutgers University, Camden Campus
> >311 N. 5th Street, Room B36 Armitage Hall Camden NJ 08102
> >(856) 225-6669 (O)
>
> Harold Winshel
> Computing and Instructional Technologies Faculty of Arts & Sciences
> Rutgers University, Camden Campus
> 311 N. 5th Street, Room B36 Armitage Hall Camden NJ 08102
> (856) 225-6669 (O)

Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------