Re: Passwords & Passphrases (strength and entropy)

["Basgen, Brian" <bbasgen () PIMA EDU>]

 We had a discussion on this list about a year ago regarding password
strengths (search for entropy). Enclosed is a presentation I have given,
spurred thanks to the previous conversation on this list. Slides 9 - 15
deal with password and passphrase strength.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
 
 
 

> -----Original Message-----
> From: Paul Keser [mailto:pkeser () STANFORD EDU] 
> Sent: Monday, November 26, 2007 3:53 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Passwords & Passphrases
>
> Harold-
>
> I think Alex is saying the cracking program is more likely to 
> guess aaaaaaa...., I believe John the Ripper includes all 
> a's, all b's, etc in its dictionary attack.  Dictionary 
> attacks usually take a very few minutes on a typical 
> workstation while if it has to fall back to brute force it 
> will take days or weeks, this is assuming the already have a 
> coup of  your san file or your shadow file and they are 
> cracking it locally vs password guessing across the network.
>
> The SANS hacking class has an excellent password cracking and 
> password guessing lab.
>
> -PaulK
>
> Paul Keser
> Assoc. Information Security Officer
> Stanford University
> 650.724.9051
> GPG Fingerprint:  DBA3 E20F CE91 28AA DA1C  4A77 3BD9 C82D 2699 24FB
>
>
>
> Harold Winshel wrote:
> > Are you saying a password cracking program is more likely 
> to guess the 
> > letter "a" repeated 15 times or that an individual user trying to 
> > break in to a machine will more likely try that?
> >
> > Harold
> >
> > At 05:37 PM 11/19/2007, Alex wrote:
> > > Harold:
> > >
> > > I think there is confusion betweeen pure mathematical 
> probability and 
> > > probability based on historical attacks/human created passwords.
> > > An attacker is more likely to try repetitive or 
> > > dictionary-based/hybrid attacks over a network (or against 
> a hash) than random passwords.
> > > Additionally, people are more likely to use certain 
> characters than 
> > > others when creating passwords (e.g. wheel of fortune).
> > >
> > > Therefore, user created passwords are not random.
> > >
> > > So, given that we know attackers typically use 'easy' 
> passwords, the 
> > > character 'a' repeated 15 times is more likely to be 
> cracked than a 
> > > 15 character passphrase.
> > > Likely, so is a 15 character passphrase when compared to a truly 
> > > randomly generated password of 15 characters from the same 
> character 
> > > set.
> > > Hence, we have password complexity rules as those in 
> Microsoft Server
> > > 2003
> > > and linux.
> > >
> > > -Alex
> > >
> > > -----Original Message-----
> > > From: Harold Winshel [mailto:winshel () CAMDEN RUTGERS EDU]
> > > Sent: Monday, November 19, 2007 5:16 PM
> > > To: SECURITY () LISTSERV EDUCAUSE EDU
> > > Subject: Re: [SECURITY] Passwords & Passphrases
> > >
> > > I may have missed some of the earlier emails but I thought 
> that a 15 
> > > character passphrase is as secure as a 15 character random 
> password.
> > > For that matter, I thought the  user could use the letter 
> "a" fifteen 
> > > times and it could be as secure as a random 15-character 
> password or 
> > > a 15-character password such as '"I don't like the Red 
> Sox" (I think 
> > > that's more than 15, though).
> > >
> > > Harold
> > >
> > >
> > > At 04:44 PM 11/19/2007, Roger Safian wrote:
> > > > At 02:01 PM 11/19/2007, Martin Manjak put fingers to keyboard and
> > > wrote:
> > > > > move beyond 8 characters with mixed case and special 
> characters. I 
> > > > > would like to see us require a 15 character pass phrase 
> which, in 
> > > > > my view, is more secure (even without complexity), and 
> both easier 
> > > > > to type and remember.
> > > >
> > > > Personally I'd love to see a password minimum length of 
> 15 characters.
> > > > My fear is that a password database get's compromised, 
> and the weak 
> > > > passwords are cracked and bad things take place.  I think that 15 
> > > > characters is a long enough string to make brute force 
> cracking time 
> > > > consuming enough to allow us to change the passwords in a 
> reasonable 
> > > > time-frame.
> > > >
> > > > I think the reality is that 15 characters will be too 
> much for the 
> > > > community.  We'll see.
> > > >
> > > >
> > > > --
> > > > Roger A. Safian
> > > > r-safian () northwestern edu (email) public key available on many key
> > > servers.
> > > > (847) 491-4058   (voice)
> > > > (847) 467-6500   (Fax) "You're never too old to have a great
> > > childhood!"
> > >
> > > Harold Winshel
> > > Computing and Instructional Technologies Faculty of Arts & 
> Sciences 
> > > Rutgers University, Camden Campus
> > > 311 N. 5th Street, Room B10 Armitage Hall Camden NJ 08102
> > > (856) 225-6669 (O)
> >
> > Harold Winshel
> > Computing and Instructional Technologies
> > Faculty of Arts & Sciences
> > Rutgers University, Camden Campus
> > 311 N. 5th Street, Room B10 Armitage Hall
> > Camden NJ 08102
> > (856) 225-6669 (O)

Attachment: Trouble-with-encryption-v2.ppt
Description: Trouble-with-encryption-v2.ppt