Security Basics mailing list archives

RE: Length vs Complexity


From: Joachim Thuau <Joachim.Thuau () heavy-iron com>
Date: Thu, 16 Sep 2010 12:49:59 -0700


What should be communicated is that the password needs to be set in such a way as to make attempts at brute-forcing the 
password take more time. So you end up with longer passwords that STATISTICALLY take longer to crack. Passwords with 
complex structures (non-dictionary words) will also take longer to crack (STATISTICALLY). Those are hard to quantify, 
as you have neither the algorithms nor the configurations being used for the attack. All you can do is "guess".

Attackers often go for the low-hanging fruit, because they expect users to go for convenience (passwords with the name 
of the dog, birthdates). Attackers are also eager to get in. They will look at passwords and their probability of 
occurrence. Dictionary words and guessable passwords are very likely (beside most security officers' efforts) and will 
be tried first. It all depends on how the attacker perceives the complexity. How is the dictionary attack set up? Is it 
just a bunch of words tried and combinations of words, are they going to try "leet permutations" (replacing certain 
letters with numbers/symbols)? It is likely that they will try those before some total random characters... how likely? 
That's the real question...

It's all probability, statistics, and neither of those are really easy to handle...

And start using token authentication systems, and you make it harder for the attacker yet...
(that makes the password time sensitive, and a moving target...)

Jok
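The post's argument (longer or more complex passwords only raise the expected guessing time statistically, and a dictionary word with "leet" substitutions is far cheaper to guess than it looks) can be put into numbers. The following is an added example, not code from the original post or from any cracking tool; the guess rate, dictionary size, suffix count and the leet substitution table are constructed assumptions chosen to illustrate the comparison, so the absolute times mean nothing outside this model. What it shows is the relative size of each search space and how the answer moves when the unknown guess rate changes, which is the quantity a defender actually controls through hashing cost, lockout and token-based authentication.

```python
"""Compare the search space of a random password with a mangled dictionary word.

Added example, not part of the original post. All inputs below are
assumptions for illustration: the leet table, the dictionary size, the
number of suffixes and the attacker's guess rate are made up, not measured.
"""
import math

# Assumed substitution table: number of alternative spellings per letter
# (e.g. a -> @ or 4 gives 2 alternatives, e -> 3 gives 1). Hypothetical.
LEET_SUBS = {"a": 2, "e": 1, "i": 2, "o": 1, "s": 2, "t": 1}


def random_search_space(alphabet_size: int, length: int) -> int:
    """Candidates for a password of `length` chars drawn uniformly from an alphabet."""
    return alphabet_size ** length


def leet_variants(word: str) -> int:
    """How many spellings one word has when each letter may be left alone or
    replaced by any of its assumed leet alternatives."""
    count = 1
    for ch in word.lower():
        count *= 1 + LEET_SUBS.get(ch, 0)
    return count


def mangled_dictionary_space(dictionary_size: int, variants_per_word: int,
                             suffix_choices: int) -> int:
    """Candidates for 'dictionary word + leet spelling + short suffix'."""
    return dictionary_size * variants_per_word * suffix_choices


def entropy_bits(space: int) -> float:
    """Search space expressed as equivalent bits of entropy."""
    return math.log2(space)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen candidate: half the space on average.
    The guess rate is the attacker's unknown; it is a parameter here on purpose."""
    return space / 2 / guesses_per_second


def compare_policies(guesses_per_second: float) -> dict:
    """Return {policy: {"space", "bits", "expected_years"}} for a few
    constructed password styles, all evaluated at the same assumed guess rate."""
    seconds_per_year = 365.25 * 24 * 3600
    policies = {
        # 100k-word list, average leet spread of 'password' (54), 100 numeric suffixes
        "mangled dictionary word": mangled_dictionary_space(100_000, leet_variants("password"), 100),
        "8 random printable ASCII": random_search_space(95, 8),
        "16 random lowercase letters": random_search_space(26, 16),
        "12 random printable ASCII": random_search_space(95, 12),
    }
    report = {}
    for name, space in policies.items():
        report[name] = {
            "space": space,
            "bits": round(entropy_bits(space), 1),
            "expected_years": expected_crack_seconds(space, guesses_per_second) / seconds_per_year,
        }
    return report


if __name__ == "__main__":
    # 1e10 guesses/s is an assumed offline rate, not a measurement.
    for name, row in compare_policies(1e10).items():
        print(f"{name:28s} {row['bits']:5.1f} bits  ~{row['expected_years']:.3g} years")
```

Run with different rates (1e3 guesses/s for an online login endpoint with throttling, 1e10 for an assumed offline attack on a weak hash) and the ordering of the policies never changes, only the scale; that is the "statistically longer" point in the post. The mangled-word model also shows why leet spellings add only a few bits on top of the word list, while each extra random character adds log2(alphabet) bits regardless of what the attacker tries first.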

