Re: Password policy publication

[Adam Nave <nave () MACALESTER EDU>]

I originally sent my thoughts straight to Geoff, but I'll post it to the
group too:

I'd say no, it doesn't give enough info to really be useful. If a hacker had
a password file and knew the format of the password, he could save a lot of
time, but actually all he needs is a minimum length. The hacker probably
just wants a couple passwords, not all of them, and you can bet there are
going to be plenty of minimum length passwords. But if a hacker has your
password file, you're already badly breached.

If he's trying to "hack" a login based system by guessing passwords, those
systems are slow enough and usually have enough sense to flag the account
well before the attacker even has a reasonable chance of guessing the
password, no matter what length it is.

Users are happy to spill the details on their password policy in
conversation anyway, and it's not like you can keep it a secret from them.
If you don't tell your users the policy, they get really, really pissed when
they are forced to make a new password and have to try a dozen different
combos.

--Adam

On Tue, Oct 28, 2008 at 9:26 AM, Shalla, Kevin <kshalla () uic edu> wrote:

> Doesn't this require stealing the password file, so that you can run the
> brute-force attack?  Or are we protecting from sysadmins who already have
> access to the password file?
>
> On Mon, October 27, 2008 11:13 am, Valdis Kletnieks wrote:
> > On Sat, 25 Oct 2008 06:00:25 EDT, Geoff Nathan said:
> > > Does publishing the standards for strong passwords (e.g. eight
> > > characters, at
> > > least one upper case, at least one numeral) constitute a security hazard
> > > by
> > > giving information to potential hackers?
> >
> > "8 chars, at least one upper case and one numeral" isn't exactly what I'd
> > call "strong".  These days, I'd go for "at least 15-16, at least one
> > upper,
> > one numeric, and one special character".  Or go the way the Linux
> > 'pam_cracklib'
> > module handles it - you get 1 point for each character, the sysadmin
> > selects
> > how many extra points you get for each numeric, uppercase, lowercase, and
> > special chars, and a minimum total point score - so you could (for
> > example)
> > score the site-required 20 points with a 15-char password that includes
> > 3 uppercase and 2 special chars, *or* with a longer 20-char
> lowercase-only
> > password...
> >
> > Publishing password guidelines that do *not* constrain the search space,
> > but
> > convince hackers that brute force isn't worth it isn't a hazard.  And any
> > risk
> > of publishing "your password must be this tall to ride the system" info
> is
> > far outweighed by the risk of *not* having a published policy (and
> > non-published
> > policy is just nuts - your help desk staff will lynch you after a week of
> > "why can't I change my password" calls...)
> >
> > What *is* a hazard are guidelines  that *do* constrain the search space.
> > For
> > instance, if your guidelines said "*exactly* 8 chars, exactly 1
> uppercase,
> > exactly 1 numeric", that allows an attacker to narrow down the
> brute-force
> > space a *lot*.  For "8 chars, at least one upper and numeric", the search
> > space
> > is (roughly) 62**8 or 218,340,105,584,896.  For the "exactly" version,
> > it's
> > only (26**7)*10 or 80,318,101,760 - on the order of 2,718 times smaller.
> >
> > For those who think that's enough that it doesn't matter - the EFF showed
> > how to brute-force the *entire* 2**56 DES keyspace in under 24 hours -
> and
> > that was years ago. Technology has moved along since then.  And 2**56
> > is 72,057,594,037,927,936 or 330 times bigger than 62**8.  So your
> average
> > 8-char password can be brute forced in about 4 minutes.  Or less.
> >
> > (Yes, I cheated slightly on the two values due to lack of caffeine.  Feel
> > free
> > to derive the actual correct formulas - the numbers don't change all that
> > much).
> >
> > Special note: publishing a rule that says "at least 8 chars long" when
> > some
> > legacy application in the system doesn't allow more than 8 chars is
> > essentially
> > saying "exactly 8".



--
Adam Nave, CISSP
Academic Technologist
Macalester College