Educause Security Discussion mailing list archives

Re: Password policy


From: Bob Kehr <rskehr () UCDAVIS EDU>
Date: Wed, 1 Nov 2006 15:50:14 -0800

Given this...would it be better to require stronger passwords that might be
more difficult to memorize (and then might get written down), or temporarily
lock accounts after a number of successive incorrect passwords while
allowing weaker passwords that are easier to memorize? Under certain
circumstances, the latter might take longer to crack, but carries with it the
risk of user DOS.

-Bob

  _____

From: Mclaughlin, Kevin L (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU]
Sent: Wednesday, November 01, 2006 1:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy



Hi:

I guess I will chime in on why passwords should have an expiration
time/date.



Brute force attacks take time --> given enough time any password can be
broken and discovered --> by forcing a change periodically you make any
targeted brute force attacker start over.   How long does it take?  The
chart below gives an idea:





If you only use words from a dictionary or a purely numeric password, a
hacker only has to try a limited list of possibilities. A hacking program
can try the full set in under one minute. If you use the full set of
characters and the techniques above, you force a hacker to continue trying
every possible combination to find yours.

If we assume that the password is 8 characters long, this table shows how
many times a hacker may have to try before guessing your password.  Most
password crackers have rules that can try millions of word variants per
second, so the more algorithmically complex your password, the better.




Character sets used in password                         Calculation       Possible Combinations
------------------------------------------------------  ----------------  ---------------------
Dictionary words (in English)
  (it is debatable, but let's generously say ~600,000)  --                600,000
Numbers only                                            10^8              100,000,000
Lowercase Alpha set only                                26^8              208,827,064,576
Full Alpha set                                          52^8              53,459,728,531,456
Full Alpha + Number set                                 62^8              218,340,105,584,896
Full set of allowed printable characters                (10+26+26+19)^8   645,753,531,245,761





-Kevin



Kevin L. McLaughlin

CISSP, PMP, ITIL Master Certified

Director, Information Security

University of Cincinnati

513-556-9177 (w)

513-703-3211 (m)

mclaugkl () ucmail uc edu









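The keyspace arithmetic behind Kevin's table and Bob's lockout-versus-complexity question, as an added example that is not part of the thread: it evaluates each row's printed formula (so the last row comes out as (10+26+26+19)^8 = 81^8, which is not the figure printed beside it), converts a keyspace into exhaust time at an offline guess rate, bounds the online rate under an account-lockout policy, and shows what share of a keyspace an attacker covers inside an expiry window. The guess rate, lockout parameters and 90-day window are assumed values, not numbers from the thread.

```python
"""Keyspace and guess-time model for the password-policy thread (added example)."""
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
DICTIONARY_WORDS = 600_000  # the table's generous dictionary estimate

# Sizes from the table's Calculation column; None marks the fixed dictionary list.
CHARSETS = {
    "dictionary": None,
    "numbers": 10,
    "lowercase": 26,
    "full alpha": 52,
    "alpha + numbers": 62,
    "printable": 10 + 26 + 26 + 19,
}

def keyspace(charset: str, length: int = 8) -> int:
    """Candidates an exhaustive search must cover for this charset and length."""
    size = CHARSETS[charset]
    return DICTIONARY_WORDS if size is None else size ** length

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate (the expected time is half of it)."""
    return space / guesses_per_second

def lockout_rate(attempts: int, lockout_seconds: float) -> float:
    """Ceiling on online guesses/second when `attempts` failures lock the account
    for lockout_seconds; it throttles one login path and cannot slow offline cracking."""
    return attempts / lockout_seconds

def fraction_searched(space: int, guesses_per_second: float, window_days: float) -> float:
    """Share of the keyspace covered before the password expires: near 1.0 the
    expiry is what caps the attacker, far below 1.0 it buys little."""
    return min(1.0, guesses_per_second * window_days * SECONDS_PER_DAY / space)

def policy_report(offline_rate=1e6, window_days=90, attempts=5, lockout_seconds=1800):
    """Per charset: keyspace, days to exhaust offline, years to exhaust online
    under the lockout, and the keyspace fraction covered inside the expiry
    window. Rate, window and lockout defaults are assumed, not from the thread."""
    online = lockout_rate(attempts, lockout_seconds)
    report = {}
    for name in CHARSETS:
        space = keyspace(name)
        report[name] = {
            "keyspace": space,
            "offline_days": seconds_to_exhaust(space, offline_rate) / SECONDS_PER_DAY,
            "online_years": seconds_to_exhaust(space, online) / SECONDS_PER_YEAR,
            "expiry_fraction": fraction_searched(space, offline_rate, window_days),
        }
    return report
```

With the assumed defaults, an 8-character numeric password is exhausted offline in 100 seconds while the same keyspace behind a 5-attempts-per-30-minutes lockout takes centuries online, which is the trade-off Bob describes; the lockout figure says nothing about an attacker who has obtained the hashes.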



  _____

From: Geoff Nathan [mailto:geoffnathan () WAYNE EDU]
Sent: Wednesday, November 01, 2006 3:10 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password policy



Kellogg, Brian D. wrote:

A couple questions:



1.      Do most enforce password expirations?  I came from a large
corporation and they enforced a 90 day password expiration policy.  It
seemed to have the effect of making passwords less secure as most would
write them down in obvious places.

Something that nobody so far has touched is exactly what function an
expiration policy fulfills.  Remembering nine passwords is not merely
'inconvenient', it's cognitively challenging for normal people (those who
have difficulty memorizing arbitrary information).  So, if a password is
sufficiently complex to discourage brute force attacks (unless you're the
NSA, of course..), what is accomplished by making people change it?  If it
is compromised, it doesn't matter that it'll be changed in, say, four days
or four months.  I know lots of places have frequent change rules, but then
lots of places require 1 qt. zip lock bags (and will confiscate your liquids
if you use a gallon bag).  We have some choice here (unless the state
requires it), so maybe we can be a little rational in our security policies.



2.      Do most enforce a strong password policy?

As soon as we get the technology under control to do so we will.



3.      Any other recommendations/insights along this line would be helpful.








Thanks,



Brian






--
Geoffrey S. Nathan  <geoffnathan () wayne edu>

Faculty Liaison, Computing and Information Technology,
and Associate Professor of English, Linguistics Program
Phone Numbers (313) 577-1259 or (313) 577-8621
Wayne State University
Detroit, MI, 48202

