Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Passwords & Passphrases

From: Paul Keser <pkeser () STANFORD EDU>
Date: Mon, 26 Nov 2007 14:52:43 -0800
Harold-

I think Alex is saying the cracking program is more likely to guess
aaaaaaa...., I believe John the Ripper includes all a's, all b's, etc in
its dictionary attack.  Dictionary attacks usually take a very few
minutes on a typical workstation while if it has to fall back to brute
force it will take days or weeks, this is assuming the already have a
coup of  your san file or your shadow file and they are cracking it
locally vs password guessing across the network.

The SANS hacking class has an excellent password cracking and password
guessing lab.

-PaulK

Paul Keser
Assoc. Information Security Officer
Stanford University
650.724.9051
GPG Fingerprint:  DBA3 E20F CE91 28AA DA1C  4A77 3BD9 C82D 2699 24FB



Harold Winshel wrote:

Are you saying a password cracking program is more likely to guess the
letter "a" repeated 15 times or that an individual user trying to
break in to a machine will more likely try that?

Harold

At 05:37 PM 11/19/2007, Alex wrote:

Harold:

I think there is confusion betweeen pure mathematical probability and
probability based on historical attacks/human created passwords.
An attacker is more likely to try repetitive or dictionary-based/hybrid
attacks over a network (or against a hash) than random passwords.
Additionally, people are more likely to use certain characters than
others
when creating passwords (e.g. wheel of fortune).

Therefore, user created passwords are not random.

So, given that we know attackers typically use 'easy' passwords, the
character 'a' repeated 15 times is more likely to be cracked than a 15
character passphrase.
Likely, so is a 15 character passphrase when compared to a truly
randomly
generated password of 15 characters from the same character set.
Hence, we have password complexity rules as those in Microsoft Server
2003
and linux.

-Alex

-----Original Message-----
From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
Sent: Monday, November 19, 2007 5:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Passwords & Passphrases

I may have missed some of the earlier emails but I thought that a 15
character passphrase is as secure as a 15 character random password.

For that matter, I thought the  user could use the letter "a" fifteen
times
and it could be as secure as a random 15-character password or a
15-character password such as '"I don't like the Red Sox" (I think
that's
more than 15, though).

Harold


At 04:44 PM 11/19/2007, Roger Safian wrote:

At 02:01 PM 11/19/2007, Martin Manjak put fingers to keyboard and

wrote:

move beyond 8 characters with mixed case and special characters. I
would like to see us require a 15 character pass phrase which, in my
view, is more secure (even without complexity), and both easier to
type and remember.


Personally I'd love to see a password minimum length of 15 characters.

My fear is that a password database get's compromised, and the weak
passwords are cracked and bad things take place.  I think that 15
characters is a long enough string to make brute force cracking time
consuming enough to allow us to change the passwords in a reasonable
time-frame.

I think the reality is that 15 characters will be too much for the
community.  We'll see.


--
Roger A. Safian
r-safian () northwestern edu (email) public key available on many key

servers.

(847) 491-4058   (voice)
(847) 467-6500   (Fax) "You're never too old to have a great

childhood!"

Harold Winshel
Computing and Instructional Technologies Faculty of Arts & Sciences
Rutgers
University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall Camden NJ 08102
(856) 225-6669 (O)



Harold Winshel
Computing and Instructional Technologies
Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B10 Armitage Hall
Camden NJ 08102
(856) 225-6669 (O)
Previous By Date Next
Previous By Thread Next

Current thread: