Educause Security Discussion mailing list archives
Password Guessing Re: Passwords & Passphrases
From: Gary Flynn <flynngn () JMU EDU>
Date: Mon, 19 Nov 2007 16:06:00 -0500
Martin Manjak wrote:
This is a very timely topic from my perspective. We are moving to SSO via a portal and I'm trying to convince my colleagues that if we're going to continue to rely on single factor authentication, we need to move beyond 8 characters with mixed case and special characters. I would like to see us require a 15 character pass phrase which, in my view, is more secure (even without complexity), and both easier to type and remember. This is a tangential topic, but I was wondering if anyone on the list was familiar with brute force tools that would work against web forms. My concern is that without some kind of lock out policy, an account with an 8 character password would be vulnerable to a brute force attack.
Password guessing lockouts only address risk associated with online attacks, not off-line attacks like Randy spoke of. Additionally, it would appear that the probability of a successful online, brute force guessing attack is pretty slim with a decent password and decent monitoring. Accordingly, the risk associated with such an attack is dwarfed by the risk of a denial of service attack, whether it be malicious or accidental. This doesn't even take into account the customer service issues.

I worked some figures up the other night to argue this point. Please correct my assumptions and math if they are wrong:

Assume an 8 character password chosen from 26 lower case characters, 26 upper case characters, 10 numeric characters, and 12 punctuation characters. That creates a set of 74 characters for each position of the password. An eight character password using that character set has 74^8 or 899,194,740,203,776 possible combinations. Let's call it 899 trillion. (note 1)

To guess that many passwords over the network would require sending 899 trillion passwords x ( 8 bytes/password + 20 bytes/packet IP header ) x 8 bits/byte = 201,376 trillion bits. That doesn't include two way acknowledgment packets or the packets containing the user name and other overhead.

To send just that password data in 90 days would require a sustained transmission rate of: 201,376 trillion / 90 days / 24 hr / 60 min / 60 sec = 25,897 Megabits/sec.

If an organization allowed an attack to fully consume an OC3 155 Megabit Internet connection, it would take 201,376,000 billion / .155 billion = 1,299,200,000 seconds or 41 years.

Those figures assume that the targeted systems are capable of instantaneous response, won't be adversely affected by such a high rate of activity, and nobody will notice. (note 2)

The math and simplicity associated with denial of service attacks due to abuse of password lockouts is not nearly as comforting.
*********************************************************************

note 1

The actual number of combinations possible with 8 character long passwords from a set of 74 characters is less than 899 trillion if policies are present that reject combinations that form dictionary words, account names, or otherwise insufficiently strong combinations. Note that increasing the password length even one character to nine increases the possible combinations from 899 trillion to 66,540 trillion. Increasing to a ten character password raises the possible combinations to 4,923,990 trillion. A 14 character password made up only of lower case letters contains 64,509,974 trillion combinations. That is much stronger and possibly easier to remember, explain, and support than a complex eight character password.

note 2

A much better anti-online password guessing mechanism without the risk of denial of service attack and customer support issues is for a system to delay between unsuccessful entries. But strong passwords and decent monitoring should be sufficient.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
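The bandwidth argument in the message above, carried through as an added worked example (not code from the original post or the list). It takes the post's own assumptions as inputs: a 74-symbol alphabet, 8 bytes of password plus a 20-byte IP header per guess, no acknowledgements or user-name overhead, a 90-day window and a 155 Mbit/s OC3 link. The function and parameter names are my own.

```python
# Added example: the online-guessing bandwidth estimate from the post, as functions.
# Assumptions (the post's own): each guess costs password_bytes + header_bytes on
# the wire, nothing else; the target answers instantly; nobody notices.

BITS_PER_BYTE = 8
SECONDS_PER_DAY = 24 * 60 * 60
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def guess_traffic_bits(combinations: int, password_bytes: int = 8,
                       header_bytes: int = 20) -> int:
    """Bits sent to transmit every guess once: (payload + IP header) per guess."""
    return combinations * (password_bytes + header_bytes) * BITS_PER_BYTE


def required_rate_mbps(total_bits: int, days: float) -> float:
    """Sustained Mbit/s needed to push `total_bits` within `days`."""
    return total_bits / (days * SECONDS_PER_DAY) / 1e6


def years_at_rate(total_bits: int, link_mbps: float) -> float:
    """Years to push `total_bits` through a link that carries `link_mbps`."""
    return total_bits / (link_mbps * 1e6) / SECONDS_PER_YEAR


def online_guessing_summary(alphabet_size: int, length: int,
                            days: float = 90, link_mbps: float = 155) -> dict:
    """Full keyspace plus the rate and link-time figures for one password policy."""
    combos = keyspace(alphabet_size, length)
    bits = guess_traffic_bits(combos)
    return {
        "combinations": combos,
        "bits": bits,
        "rate_mbps_for_window": required_rate_mbps(bits, days),
        "years_on_link": years_at_rate(bits, link_mbps),
    }


if __name__ == "__main__":
    # The post's 8-character case beside the note 1 comparisons.
    for label, alpha, n in [("8 chars, 74-symbol set", 74, 8),
                            ("9 chars, 74-symbol set", 74, 9),
                            ("14 lower-case letters", 26, 14)]:
        s = online_guessing_summary(alpha, n)
        print(f"{label}: {s['combinations']:,} guesses, "
              f"{s['rate_mbps_for_window']:,.0f} Mbit/s for 90 days, "
              f"{s['years_on_link']:,.1f} years on an OC3")
```

Using the exact keyspace rather than the rounded 899 trillion gives about 25,900 Mbit/s and 41.2 years, in line with the post's figures.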