Security Basics mailing list archives

RE: ADS Password Storage Protection


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Mon, 24 Jul 2006 19:17:22 -0400

Theoretical password strength is X^L, where X is number of possible
characters that can be used (i.e. complexity) and L is (max.) length of
the password. Since L is the exponent, any change made to it is
exponentially greater than a similar change in X. It's basic math. 

Lots of people are misinterpreting my statement. Character for character
is a crucial part. 

My critics might say that in real life, X and L are normally implemented
in different increments. When an administrator increases complexity,
they add an entire set of new characters (say going from just lower case
to upper and lower case letters)...so that X would go from 26 to 52 with
a single requirement change. 

But if your users only use a limited set of characters (some studies say
X=32+-n) regardless of the true max. size of X, then increases in L can
quickly help offset the weakness of lower practical uses of X.

So to correct my first sentence, to correctly calculate the password
strength, X should be the number of possible characters in a password
that would be used by most users -- to get your users' effective password
strength.

You can't ignore the fact that users are more likely to type in P@55w0rd
than `~%^&*() as their password.  Well, you can, but then it takes you
longer to crack real passwords if you pen test for a living.

One of the key statements I am promoting is that if you can't guarantee
the entropy of X, and you can't in most cases, L becomes a bigger player
than most people recognize in protecting real passwords.

Now, yes, complexity added to any password or passphrase makes it
stronger. I'm not doubting that. I can't doubt that. The math again. But
systems should stop promoting complexity, which is falsely represented
as stronger than it really is, while not considering the strength
benefits of increased length.

-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] 
Sent: Saturday, July 22, 2006 12:43 AM
To: security-basics () securityfocus com
Subject: Re: ADS Password Storage Protection

On 2006-07-20 Roger A. Grimes wrote:
Here is my statement: That password length is a better defender of 
passwords than complexity, character for character, and that length 
should at least be given equal treatment when creating strong 
passwords.

I agree with the latter of your statement, but the former is plain
wrong. Length and complexity are equivalent, i.e. you can increase
either length or complexity (or both of course) to make a stronger
password. That's pretty obvious if you think about e.g. base64-encoding
a password: the encoding increases the length and decreases the
complexity, but doesn't affect the strength at all. It's due to the
physical limitations of keyboards that it's usually easier to increase
the length than the complexity.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
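To make the arithmetic in both messages concrete, here is an added example that is not from either poster: it computes the search space X^L in bits, works out how much extra length L is needed when users' effective alphabet is smaller than the policy's X, and checks Ansgar's base64 point (more length, smaller alphabet, same strength). The 94-character policy alphabet and the effective sizes 32 and 26 are assumed illustrative values.

```python
import math
from base64 import b64encode


def keyspace_bits(x: int, length: int) -> float:
    """Bits of search space for L characters from an alphabet of size X:
    log2(X^L) = L * log2(X).  Assumes characters are chosen uniformly."""
    return length * math.log2(x)


def length_to_match(effective_x: int, target_bits: float) -> int:
    """Smallest L such that effective_x^L >= 2^target_bits."""
    return math.ceil(target_bits / math.log2(effective_x))


def extra_length_for_effective_alphabet(effective_x: int,
                                        policy_x: int = 94,
                                        policy_len: int = 8) -> int:
    """How many characters must be added to the policy length so that a
    password drawn from the smaller, effective alphabet (the X=32+-n that
    users really use) reaches the strength the policy nominally promises.
    Defaults assume an 8-character policy over 94 printable ASCII chars."""
    target = keyspace_bits(policy_x, policy_len)
    return length_to_match(effective_x, target) - policy_len


def base64_bits(raw: bytes):
    """Compare the search space of a raw secret with that of its base64 form.
    Base64 multiplies length by 4/3 and shrinks the alphabet from 256 to 64,
    so log2 strength is unchanged when len(raw) is a multiple of 3 (no
    padding); other lengths differ slightly only because of padding."""
    encoded = b64encode(raw).rstrip(b"=")
    return keyspace_bits(256, len(raw)), keyspace_bits(64, len(encoded))


if __name__ == "__main__":
    print(f"policy 94^8      : {keyspace_bits(94, 8):.1f} bits")
    for x in (32, 26):
        extra = extra_length_for_effective_alphabet(x)
        print(f"effective X={x:<3}: need L={8 + extra} (+{extra}) to match")
    raw_bits, enc_bits = base64_bits(b"abcdef")  # constructed sample secret
    print(f"raw 6 bytes: {raw_bits:.0f} bits, base64: {enc_bits:.0f} bits")
```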

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

