Re: Password policy

[Kevin Shalla <kshalla () UIC EDU>]

Doesn't this assume that you've stolen the 
password file, so you can try breaking it on 
another machine?  Or are we trying to protect 
users from their own system managers?  How easy 
is it to steal the password file?

At 03:48 PM 11/1/2006, you wrote:
> Hi:
> I guess I will chime in on why passwords should 
> have an expiration time/date.
>
> Brute force attacks take time à given enough 
> time any password can be broken and discovered à 
> by forcing a change periodically you make any 
> targeted brute force attacker start over.   How 
> long does it take?  The chart below gives an idea:
>
>
> If you only use words from a dictionary or a 
> purely numeric password, a hacker only has to 
> try a limited list of possibilities. A hacking 
> program can try the full set in under one 
> minute. If you use the full set of characters 
> and the techniques above, you force a hacker to 
> continue trying every possible combination to find yours.
> If we assume that the password is 8 characters 
> long, this table shows how many times a hacker 
> may have to before guessing your password.  Most 
> password crackers have rules that can try 
> millions of word variants per second, so the 
> more algorithmically complex your password, the better.
>
> Character sets used in password
> Calculation
> Possible Combinations
> Dictionary words (in english):
> (It is debatable but lets generously say ~600,000 words)
> --
> 600,000
> Numbers only
> 10^8
> 100,000,000
> Lowercase Alpha set only
> 26^8
> 208,827,064,576
> Full Alpha set
> 52^8
> 53,459,728,531,456
> Full Alpha + Number set
> 62^8
> 218,340,105,584,896
> Full set of allowed printable characters set:
> (10+26+26+19)^8
> 645,753,531,245,761
>
>
> -Kevin
>
>
> Kevin L. McLaughlin
>
> CISSP, PMP, ITIL Master Certified
>
> Director, Information Security
>
> University of Cincinnati
>
> 513-556-9177 (w)
>
> 513-703-3211 (m)
>
> mclaugkl () ucmail uc edu
>
>
>
>
> []
>
>
> CONFIDENTIALITY NOTICE: This e-mail message and 
> its content is confidential, intended solely for 
> the addressee, and may be legally privileged. 
> Access to this message and its content by any 
> individual or entity other than those identified 
> in this message is unauthorized. If you are not 
> the intended recipient, any disclosure, copying 
> or distribution of this e-mail may be unlawful. 
> Any action taken or omitted due to the content 
> of this message is prohibited and may be unlawful.
>
>
>
> ----------
> From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU]
> Sent: Wednesday, November 01, 2006 3:10 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Password policy
>
> Kellogg, Brian D. wrote:
> A couple questions:
>
>    * Do most enforce password expirations?  I 
> came from a large corporation and they enforced 
> a 90 day password expiration policy.  It seemed 
> to have the effect of making passwords less 
> secure as most would write them down in obvious places.
> Something that nobody so far has touched is 
> exactly what function an expiration policy 
> fulfills.  Remembering nine passwords is not 
> merely 'inconvenient', it's cognitively 
> challenging for normal people (those who have 
> difficulty memorizing arbitrary 
> information).  So, if a password is sufficiently 
> complex to discourage brute force attacks 
> (unless you're the NSA, of course..), what is 
> accomplished by making people change it?  If it 
> is compromised, it doesn't matter that it'll be 
> changed in, say, four days or four months.  I 
> know lots of places have frequent change rules, 
> but then lots of places require 1 qt. zip lock 
> bags (and will confiscate your liquids if you 
> use a gallon bag).  We have some choice here 
> (unless the state requires it), so maybe we can 
> be a little rational in our security policies.
>
>    *
>    * Do most enforce a strong password policy?
> As soon as we get the technology under control to do so we will.
>
>    *
>    * Any other recommendations/insights along this line would be helpful.
>
>
>
> Thanks,
>
> Brian
>
>
>
>
> --
> Geoffrey S. Nathan <mailto:geoffnathan () wayne edu><geoffnathan () wayne edu>
>
> Faculty Liaison, Computing and Information Technology,<p>
> and Associate Professor of English, Linguistics Program<p>
> Phone Numbers (313) 577-1259 or (313) 577-8621<p>
> Wayne State University<p>
> Detroit, MI, 48202