Re: Password policy publication

["Shalla, Kevin" <kshalla () UIC EDU>]

Doesn't this require stealing the password file, so that you can run the
brute-force attack?  Or are we protecting from sysadmins who already have
access to the password file?

On Mon, October 27, 2008 11:13 am, Valdis Kletnieks wrote:
> On Sat, 25 Oct 2008 06:00:25 EDT, Geoff Nathan said:
> > Does publishing the standards for strong passwords (e.g. eight
> > characters, at
> > least one upper case, at least one numeral) constitute a security hazard
> > by
> > giving information to potential hackers?
>
> "8 chars, at least one upper case and one numeral" isn't exactly what I'd
> call "strong".  These days, I'd go for "at least 15-16, at least one
> upper,
> one numeric, and one special character".  Or go the way the Linux
> 'pam_cracklib'
> module handles it - you get 1 point for each character, the sysadmin
> selects
> how many extra points you get for each numeric, uppercase, lowercase, and
> special chars, and a minimum total point score - so you could (for
> example)
> score the site-required 20 points with a 15-char password that includes
> 3 uppercase and 2 special chars, *or* with a longer 20-char lowercase-only
> password...
>
> Publishing password guidelines that do *not* constrain the search space,
> but
> convince hackers that brute force isn't worth it isn't a hazard.  And any
> risk
> of publishing "your password must be this tall to ride the system" info is
> far outweighed by the risk of *not* having a published policy (and
> non-published
> policy is just nuts - your help desk staff will lynch you after a week of
> "why can't I change my password" calls...)
>
> What *is* a hazard are guidelines  that *do* constrain the search space.
> For
> instance, if your guidelines said "*exactly* 8 chars, exactly 1 uppercase,
> exactly 1 numeric", that allows an attacker to narrow down the brute-force
> space a *lot*.  For "8 chars, at least one upper and numeric", the search
> space
> is (roughly) 62**8 or 218,340,105,584,896.  For the "exactly" version,
> it's
> only (26**7)*10 or 80,318,101,760 - on the order of 2,718 times smaller.
>
> For those who think that's enough that it doesn't matter - the EFF showed
> how to brute-force the *entire* 2**56 DES keyspace in under 24 hours - and
> that was years ago. Technology has moved along since then.  And 2**56
> is 72,057,594,037,927,936 or 330 times bigger than 62**8.  So your average
> 8-char password can be brute forced in about 4 minutes.  Or less.
>
> (Yes, I cheated slightly on the two values due to lack of caffeine.  Feel
> free
> to derive the actual correct formulas - the numbers don't change all that
> much).
>
> Special note: publishing a rule that says "at least 8 chars long" when
> some
> legacy application in the system doesn't allow more than 8 chars is
> essentially
> saying "exactly 8".