Educause Security Discussion mailing list archives
Re: Password policy
From: "Crawford, Tim M." <tcrawford () GSB STANFORD EDU>
Date: Wed, 1 Nov 2006 15:22:08 -0800
So, just to chime in here, we had to do some research on the subject last Fall.

Administrative Passwords

At the time, we were using a highly complex password that was 12 characters long. As it turned out, we found that those passwords could be cracked in a matter of minutes. We even had Microsoft's core security group stumped. Within a day, we found out why. We found that for $500, you could purchase a new rainbow table off the Internet that was able to crack 14 character passwords. Sure enough, we opted to move to a much larger password that includes not just keyboard characters, but ASCII characters too. Is this onerous? Yes, unfortunately it is.

User Passwords

We're currently looking at ways to address this within our user community. While we are quite a ways from coming to a solution, I would venture that biometrics and onerous passwords will not be options for different reasons. It will most likely include some combination of alpha-numeric characters, time requirements for changing and cycle prevention mechanisms (to prevent re-use of passwords). Again, that is just a guess on my part for now.

Tim

______________________________________
Tim M. Crawford
Associate Director, IT Operations
Stanford Graduate School of Business
650.724.2447
tcrawford () gsb stanford edu

________________________________
From: Jim Dillon [mailto:Jim.Dillon () CUSYS EDU]
Sent: Wednesday, November 01, 2006 3:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

And if you use only the 26 lower case characters, but require a 20 character passphrase, you get 26^20, a significantly larger number (see table below); the Windows calculator tells me it is 19,928,148,895,209,409,152,340,197,376. At a certain password length point (around 16 or 17 characters) length becomes much more deterministic than even the variety of characters in the complete ASCII set.

This was proven to me at a recent SANS training course on Windows Security and is an interesting consideration as you author your own policies and options. I always suggest a passphrase for WinZip for this reason, as there are no restrictions to attempts at breaking a WinZip password. Adding a few seconds delay on an online system between attempts neutralizes the ability of a guessing/cracking program to try unlimited guesses and accomplishes this much more efficiently, I think. You have to look at the whole picture. Of course the protectiveness of passwords is moot when faced with keyboard loggers and other forms of input trapping. Just part of the puzzle.

Best regards,
Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

________________________________
From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Wednesday, November 01, 2006 2:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy

Hi:

I guess I will chime in on why passwords should have an expiration time/date. Brute force attacks take time --> given enough time any password can be broken and discovered --> by forcing a change periodically you make any targeted brute force attacker start over.

How long does it take? The chart below gives an idea:

If you only use words from a dictionary or a purely numeric password, a hacker only has to try a limited list of possibilities. A hacking program can try the full set in under one minute. If you use the full set of characters and the techniques above, you force a hacker to continue trying every possible combination to find yours. If we assume that the password is 8 characters long, this table shows how many times a hacker may have to try before guessing your password.

Most password crackers have rules that can try millions of word variants per second, so the more algorithmically complex your password, the better.

Character sets used in password                    Calculation        Possible Combinations
Dictionary words (in English; it is debatable,
  but let's generously say ~600,000 words)         --                 600,000
Numbers only                                       10^8               100,000,000
Lowercase Alpha set only                           26^8               208,827,064,576
Full Alpha set                                     52^8               53,459,728,531,456
Full Alpha + Number set                            62^8               218,340,105,584,896
Full set of allowed printable characters           (10+26+26+19)^8    645,753,531,245,761

-Kevin

Kevin L. McLaughlin
CISSP, PMP, ITIL Master Certified
Director, Information Security
University of Cincinnati
513-556-9177 (w)
513-703-3211 (m)
mclaugkl () ucmail uc edu

CONFIDENTIALITY NOTICE: This e-mail message and its content is confidential, intended solely for the addressee, and may be legally privileged. Access to this message and its content by any individual or entity other than those identified in this message is unauthorized. If you are not the intended recipient, any disclosure, copying or distribution of this e-mail may be unlawful. Any action taken or omitted due to the content of this message is prohibited and may be unlawful.

________________________________
clip history...
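The keyspace arithmetic the three messages above lean on (Kevin's 8-character table, Jim's 26^20 passphrase figure and the question of whether an expiry interval or a per-attempt delay actually cuts a search short), carried through in code. This is an added example, not code from any poster in the thread or from the list. The 94-symbol printable-ASCII set, the 10^9 guesses per second offline rate and the one guess every two seconds online rate are assumed values for illustration, not figures from the thread.

```python
import math

# Added example (not from the thread): keyspace, entropy and search-time
# arithmetic for the character sets and lengths the posters discuss.


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from
    `charset_size` symbols: charset_size ** length, as in Kevin's table."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password, log2 of its keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second


def fraction_searched(space: int, guesses_per_second: float, seconds: float) -> float:
    """Share of the keyspace an attacker covers in `seconds`, capped at 1.0.
    Tells you whether an expiry interval (Kevin) or a per-attempt delay
    (Jim) makes the search infeasible, or merely slows it a little."""
    return min(1.0, guesses_per_second * seconds / space)


def lowercase_length_to_match(charset_size: int, length: int, small: int = 26) -> int:
    """Smallest all-lowercase length whose keyspace is at least
    charset_size ** length (Jim's 'length beats character variety' point).
    Integer comparison after the float estimate guards against rounding."""
    target = keyspace(charset_size, length)
    n = max(1, math.ceil(length * math.log(charset_size) / math.log(small)))
    while small ** n < target:
        n += 1
    while n > 1 and small ** (n - 1) >= target:
        n -= 1
    return n


# Character-set sizes from Kevin's table plus two assumed rows: a 94-symbol
# printable-ASCII set and Jim's 20-character lowercase passphrase.
CASES = [
    ("numbers only", 10, 8),
    ("lowercase alpha", 26, 8),
    ("full alpha", 52, 8),
    ("alpha + number", 62, 8),
    ("printable ASCII", 94, 8),
    ("lowercase alpha", 26, 20),
]

YEAR_SECONDS = 365 * 86400
OFFLINE_RATE = 1e9   # assumed: hashes/s against a fast, unsalted hash
ONLINE_RATE = 0.5    # assumed: one guess per two seconds behind a delay


def compare(cases=CASES):
    """Return one row per case: (name, charset, length, keyspace, bits,
    days to exhaust offline, fraction of keyspace an online guesser covers
    in a year)."""
    rows = []
    for name, size, length in cases:
        space = keyspace(size, length)
        rows.append((
            name, size, length, space, entropy_bits(size, length),
            seconds_to_exhaust(space, OFFLINE_RATE) / 86400,
            fraction_searched(space, ONLINE_RATE, YEAR_SECONDS),
        ))
    return rows


if __name__ == "__main__":
    hdr = f"{'charset':16} {'n':>3} {'len':>3} {'keyspace':>32} {'bits':>6} {'offline d':>10} {'online/yr':>10}"
    print(hdr)
    for name, size, length, space, bits, days, frac in compare():
        print(f"{name:16} {size:3d} {length:3d} {space:32,d} {bits:6.1f} {days:10.3g} {frac:10.2e}")
    for size, length in ((62, 8), (94, 8), (94, 10)):
        print(f"lowercase length matching {size}^{length}: {lowercase_length_to_match(size, length)}")
```

The `fraction_searched` column is the number to look at when deciding on an expiry interval: at the assumed offline rate a full 62^8 space is exhausted in about two and a half days, so a 90-day rotation does nothing against an offline attack on a captured hash, whereas the same space behind a two-second online delay is less than a millionth searched in a year.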
Current thread:
- Re: Password policy, (continued)
- Re: Password policy Gary Flynn (Nov 01)
- Re: Password policy Harold Winshel (Nov 01)
- Re: Password policy Mclaughlin, Kevin L (mclaugkl) (Nov 01)
- Re: Password policy Gene Spafford (Nov 01)
- Re: Password policy Geoff Nathan (Nov 01)
- Re: Password policy Mclaughlin, Kevin L (mclaugkl) (Nov 01)
- Re: Password policy Kevin Shalla (Nov 01)
- Re: Password policy Daniel R Jones (Nov 01)
- Re: Password policy Jim Dillon (Nov 01)
- Re: Password policy Jim Dillon (Nov 01)
- Re: Password policy Crawford, Tim M. (Nov 01)
- Re: Password policy Bob Kehr (Nov 01)
- Re: Password policy Harold Winshel (Nov 01)
- Re: Password policy Jim Dillon (Nov 01)
- Re: Password policy Geoff Nathan (Nov 01)
- Re: Password policy Jeff Kell (Nov 01)
- Re: Password policy Harold Winshel (Nov 01)
- Re: Password policy Mike Wiseman (Nov 02)
- Re: Password policy Gary Flynn (Nov 02)
- Re: Password policy Penn, Blake (Nov 02)
- Re: Password policy Mike Wiseman (Nov 02)
(Thread continues...)