Educause Security Discussion mailing list archives

Password Guessing Re: Passwords & Passphrases


From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 19 Nov 2007 16:06:00 -0500

Martin Manjak wrote:
> This is a very timely topic from my perspective. We are moving to SSO
> via a portal and I'm trying to convince my colleagues that if we're
> going to continue to rely on single factor authentication, we need to
> move beyond 8 characters with mixed case and special characters. I would
> like to see us require a 15 character pass phrase which, in my view, is
> more secure (even without complexity), and both easier to type and
> remember.
>
> This is a tangential topic, but I was wondering if anyone on the list
> was familiar with brute force tools that would work against web forms.
> My concern is that without some kind of lock out policy, an account with
> an 8 character password would be vulnerable to a brute force attack.

Password guessing lockouts only address risk associated with online
attacks, not off-line attacks like Randy spoke of. Additionally, it
would appear that the probability of a successful online, brute force
guessing attack is pretty slim with a decent password and decent
monitoring. Accordingly, the risk associated with such an attack is
dwarfed by the risk of a denial of service attack, whether it be
malicious or accidental. This doesn't even take into account the
customer service issues.

I worked some figures up the other night to argue this point. Please
correct my assumptions and math if they are wrong:

Assume an 8 character password chosen from 26 lower case characters,
26 upper case characters, 10 numeric characters, and 12 punctuation
characters. That creates a set of 74 characters for each position
of the password.

An eight character password using that character set has 74^8 or
899,194,740,203,776 possible combinations. Let's call it 899 trillion.
(note 1)

To guess that many passwords over the network would require sending
899 trillion passwords x (8 bytes/password + 20 bytes/packet IP header)
x 8 bits/byte = 201,376 trillion bits. That doesn't include two way
acknowledgment packets or the packets containing the user name and
other overhead.

To send just that password data in 90 days would require a sustained
transmission rate of:

201,376 trillion / 90 days / 24hr / 60 min / 60 sec =
25,897 Megabits/sec.

If an organization allowed an attack to fully consume an OC3 155
Megabit Internet connection, it would take
201,376,000 billion/.155 billion = 1,299,200,000 seconds
or 41 years.

Those figures assume that the targeted systems are capable of
instantaneous response, won't be adversely affected by such a
high rate of activity, and nobody will notice. (note 2)

The math and simplicity associated with denial of service attacks
due to abuse of password lockouts is not nearly as comforting.


*********************************************************************
note 1
The actual number of combinations possible with 8 character long
passwords from a set of 74 characters is less than 899 trillion if
policies are present that reject combinations that form dictionary
words, account names, or otherwise insufficiently strong combinations.

Note that increasing the password length even one character to
nine increases the possible combinations from 899 trillion to
66,540 trillion. Increasing to a ten character password raises the
possible combinations to 4,923,990 trillion. A 14 character password
made up only of lower case letters contains 64,509,974 trillion
combinations. That is much stronger and possibly easier to remember,
explain, and support than a complex eight character password.


note 2
A much better anti-online password guessing mechanism without the
risk of denial of service attack and customer support issues is for
a system to delay between unsuccessful entries. But strong passwords
and decent monitoring should be sufficient.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
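The arithmetic in the message above, generalised to any alphabet size, password length, link speed and per-failure delay. This is an added worked example, not code from the original post or from the mailing list; the character-set sizes, the 20-byte IP header, the 90-day window and the 155 Mbit/s link are taken from the post, and the 2-second per-failure delay used to illustrate note 2 is an assumed value. The same traffic simplifications the post makes (no TCP/HTTP framing, no username, no server replies) are kept, so the bit counts are lower bounds.

```python
"""Online password-guessing budget, parameterised.

Added example (not from the original mailing-list post). Generalises the
post's figures: keyspace for a given alphabet and length, bits on the wire
to send every guess once, sustained rate needed to finish in a deadline,
wall-clock time on a fixed link, and the effect of a per-failure delay.
All inputs are assumptions chosen to match the post; none are measurements.
"""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY   # no leap years, as in the post
IP_HEADER_BYTES = 20                       # IPv4 header without options
MEGABIT = 1_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` chars from `alphabet_size` symbols.

    Upper bound: composition rules that reject dictionary words, account
    names, etc. (the post's note 1) only make the real space smaller.
    """
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def wire_bits(guesses: int, password_bytes: int,
              header_bytes: int = IP_HEADER_BYTES) -> int:
    """Bits needed to transmit every guess once (password + one IP header each).

    Omits TCP/HTTP framing, the username and all replies, so it is a floor.
    """
    return guesses * (password_bytes + header_bytes) * 8


def required_bps(bits: int, deadline_seconds: float) -> float:
    """Sustained bit rate needed to push `bits` within `deadline_seconds`."""
    return bits / deadline_seconds


def years_at_link_rate(bits: int, link_bps: float) -> float:
    """Wall-clock years to push `bits` through a link of `link_bps`,
    assuming the target answers instantly and never falls over."""
    return bits / link_bps / SECONDS_PER_YEAR


def years_with_delay(guesses: int, delay_seconds: float) -> float:
    """Years to try every guess against ONE account when the server sleeps
    `delay_seconds` after each failure (note 2's 'delay, do not lock').

    Attempts against an account are serialised by the delay, so the
    attacker's bandwidth drops out of the calculation entirely.
    """
    return guesses * delay_seconds / SECONDS_PER_YEAR


def summarise(alphabet_size: int, length: int, link_mbps: float = 155,
              deadline_days: int = 90, delay_seconds: float = 2.0) -> dict:
    """One row of the comparison table: the post's figures for any policy."""
    space = keyspace(alphabet_size, length)
    bits = wire_bits(space, length)
    return {
        "policy": f"{length} chars from {alphabet_size}",
        "keyspace": space,
        "mbps_for_deadline": required_bps(bits, deadline_days * SECONDS_PER_DAY) / MEGABIT,
        "years_on_link": years_at_link_rate(bits, link_mbps * MEGABIT),
        "years_with_delay": years_with_delay(space, delay_seconds),
    }


if __name__ == "__main__":
    # The post's four policies: complex 8/9/10 chars, and 14 lower-case letters.
    for alphabet, length in [(74, 8), (74, 9), (74, 10), (26, 14)]:
        row = summarise(alphabet, length)
        print(f"{row['policy']:>18}: keyspace {row['keyspace']:.3e}, "
              f"{row['mbps_for_deadline']:,.0f} Mbit/s to finish in 90 days, "
              f"{row['years_on_link']:,.1f} years on OC3, "
              f"{row['years_with_delay']:,.0f} years with a 2 s delay")
```

The 8-character row reproduces the post's ~25,900 Mbit/s and ~41 years (the post rounds the keyspace to 899 trillion before multiplying, which is why its 201,376 trillion bits differs slightly from the exact product). The last column shows why note 2 prefers a delay to a lockout: even a 2-second pause per failure turns the same keyspace into tens of millions of years for a single account, without giving an attacker a way to lock users out.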

