Educause Security Discussion mailing list archives

Re: Password policy publication


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 27 Oct 2008 12:13:29 -0400

On Sat, 25 Oct 2008 06:00:25 EDT, Geoff Nathan said:
> Does publishing the standards for strong passwords (e.g. eight characters, at
> least one upper case, at least one numeral) constitute a security hazard by
> giving information to potential hackers?

"8 chars, at least one upper case and one numeral" isn't exactly what I'd
call "strong".  These days, I'd go for "at least 15-16, at least one upper,
one numeric, and one special character".  Or go the way the Linux 'pam_cracklib'
module handles it - you get 1 point for each character, the sysadmin selects
how many extra points you get for each numeric, uppercase, lowercase, and
special chars, and a minimum total point score - so you could (for example)
score the site-required 20 points with a 15-char password that includes
3 uppercase and 2 special chars, *or* with a longer 20-char lowercase-only
password...

Publishing password guidelines that do *not* constrain the search space, but
convince hackers that brute force isn't worth it, isn't a hazard.  And any risk
of publishing "your password must be this tall to ride the system" info is
far outweighed by the risk of *not* having a published policy (and non-published
policy is just nuts - your help desk staff will lynch you after a week of
"why can't I change my password" calls...)

What *is* a hazard are guidelines that *do* constrain the search space. For
instance, if your guidelines said "*exactly* 8 chars, exactly 1 uppercase,
exactly 1 numeric", that allows an attacker to narrow down the brute-force
space a *lot*.  For "8 chars, at least one upper and numeric", the search space
is (roughly) 62**8 or 218,340,105,584,896.  For the "exactly" version, it's
only (26**7)*10 or 80,318,101,760 - on the order of 2,718 times smaller.

For those who think that's enough that it doesn't matter - the EFF showed
how to brute-force the *entire* 2**56 DES keyspace in under 24 hours - and
that was years ago. Technology has moved along since then.  And 2**56
is 72,057,594,037,927,936 or 330 times bigger than 62**8.  So your average
8-char password can be brute forced in about 4 minutes.  Or less.

(Yes, I cheated slightly on the two values due to lack of caffeine.  Feel free
to derive the actual correct formulas - the numbers don't change all that
much).

Special note: publishing a rule that says "at least 8 chars long" when some
legacy application in the system doesn't allow more than 8 chars is essentially
saying "exactly 8".
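The arithmetic in the post above, carried through as an added worked example (not code from the original message or from pam_cracklib itself). It counts the search space for an "at least one upper and one digit" rule and for an "exactly one upper, exactly one digit" rule with the character positions accounted for, converts a space size into worst-case search time at the DES-in-24-hours rate the post cites, and scores passwords the way pam_cracklib's positive credits work (one point per character, plus at most `Xcredit` extra points per class). The alphabet sizes, the 24-hour cracking rate and the credit values (`dcredit=1, ucredit=3, lcredit=0, ocredit=2`, `minlen=20`) are assumptions chosen to reproduce the post's 15-char-versus-20-char example; pam_cracklib's negative credits (minimum counts per class) are not modelled.

```python
"""Added example: search-space arithmetic for password rules and a
pam_cracklib-style credit score.  Alphabet sizes, cracking rate and credit
values are assumptions for illustration, not settings from the original post."""
from itertools import combinations
from math import factorial, prod

LOWER, UPPER, DIGIT = 26, 26, 10          # ASCII letter and digit class sizes
SECONDS_PER_DAY = 86400
# Assumed rate: the whole 2**56 DES keyspace in 24 hours, as the post cites.
KEYS_PER_SECOND = 2 ** 56 / SECONDS_PER_DAY


def space_at_least_one(length, required, optional=()):
    """Count strings of `length` over the union of `required` and `optional`
    character classes that contain at least one char from *every* required
    class.  Inclusion-exclusion over which required classes are left out."""
    alphabet = sum(required) + sum(optional)
    total = 0
    for k in range(len(required) + 1):
        for left_out in combinations(required, k):
            total += (-1) ** k * (alphabet - sum(left_out)) ** length
    return total


def space_exactly(length, exact, rest):
    """Count strings of `length` with exactly `count` chars from each
    (class_size, count) pair in `exact`; every other position is drawn from a
    class of size `rest`.  Positions are chosen with a multinomial, which is
    the factor the shorthand 26**7 * 10 leaves out."""
    used = sum(count for _, count in exact)
    if used > length:
        return 0
    positions = factorial(length) // (
        prod(factorial(count) for _, count in exact) * factorial(length - used))
    choices = prod(size ** count for size, count in exact) * rest ** (length - used)
    return positions * choices


def seconds_to_search(space, rate=KEYS_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate


def cracklib_score(password, dcredit=1, ucredit=3, lcredit=0, ocredit=2):
    """Score a password like pam_cracklib's positive credits: one point per
    character, plus up to `Xcredit` extra points for characters of class X
    (the cap is per class, not per character).  Credit values are assumed."""
    digits = sum(c.isdigit() for c in password)
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    others = len(password) - digits - uppers - lowers   # "other" = specials
    return (len(password)
            + min(digits, dcredit) + min(uppers, ucredit)
            + min(lowers, lcredit) + min(others, ocredit))


def meets_minlen(password, minlen=20, **credits):
    """True when the credit-adjusted score reaches the site's minlen."""
    return cracklib_score(password, **credits) >= minlen


if __name__ == "__main__":
    loose = space_at_least_one(8, required=[UPPER, DIGIT], optional=[LOWER])
    strict = space_exactly(8, exact=[(UPPER, 1), (DIGIT, 1)], rest=LOWER)
    print(f"8 chars, >=1 upper and >=1 digit : {loose:,}")
    print(f"8 chars, exactly 1 upper, 1 digit: {strict:,}  ({loose / strict:.1f}x smaller)")
    print(f"62**8 at the assumed DES rate: {seconds_to_search(62 ** 8) / 60:.1f} minutes")
    # Constructed sample passwords: 15 chars with 3 upper + 2 special,
    # 20 lowercase chars, and a typical 8-char "complex" password.
    for pw in ("abcdefghijKLM!?", "abcdefghijklmnopqrst", "Passwd1!"):
        print(f"{pw!r:24} score={cracklib_score(pw):2}  ok={meets_minlen(pw)}")
```

With positions counted, the "at least one" rule over 8 alphanumeric characters allows 162,268,094,210,560 strings and the "exactly one upper, exactly one digit" rule 4,497,813,698,560, a factor of about 36; the 62**8 figure searches in roughly 4.4 minutes at the assumed rate. The two sample passwords from the post both score exactly 20 under the assumed credits, while the 8-character one scores 11 and is rejected.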
