Educause Security Discussion mailing list archives
Re: password length and required reset
From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 10 Oct 2016 17:12:02 +0000
That calculator uses CPU based cracking on a reasonable, but not high-end CPU. For GPU based processing with a decent card, speeds can be 1000x faster than what is listed on his calculator (for example, MD5 is more like 8 billion/sec, not 8 million/sec). Keep in mind that attackers don’t do pure brute-forcing, they use dictionaries of known passwords and pattern algorithms based on common password character patterns. It’s much more efficient than pure brute forcing, which is the last step for cracking. Knowledge of the password requirements for the targeted system can focus efforts as well. Also keep in mind, the target isn’t usually one person’s specific password, but efficiently extracting whatever passwords they can and then using those passwords to expand access.

In short, no, don’t use that page as an estimate on how much time it takes a real attacker. In real life, it’s probably closer to 10,000 times faster than those times between better hardware and optimized processes, so your 533 years could be a few days. Just trying the 1000 most commonly used passwords will “crack” a decent percentage of passwords instantly.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Mike Cunningham <mike.cunningham () PCT EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, October 10, 2016 at 10:54 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] password length and required reset

Steve, where do you get the stats for your password cracking estimates? This site shows a 12 character password with salted MD4 and alpha, number and spaces (pass phrase) is 23 thousand years and even without numbers is 533 years. http://calc.opensecurityresearch.com/ Using SHA-1 just about doubles that time. If my 12 character pass phrase will take 533 years to crack I’m happy with that.

Mike Cunningham

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steven Alexander
Sent: Monday, October 10, 2016 11:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password length and required reset

Nick, I have some contrary positions.

What is the eight character minimum based on? If you only want to prevent online guessing (e.g. brute-forcing RDP), eight is probably enough. If you’re trying to protect against offline guessing (i.e. cracking password hashes), then eight is not even close to adequate for most systems. AD accounts store passwords using unsalted MD4 which can be guessed at a rate of billions of guesses per second. Many applications use unsalted MD5 or SHA-1, which, for password protection, are not much better. In those cases, eight character passwords are very easy to break and many (user-chosen) passwords up to about thirteen or fourteen characters can be cracked in a reasonable amount of time. For critical accounts, those with administrative privileges and those with access to sensitive data (e.g. Payroll), I recommend fifteen characters.

The research on password expiration shows that regular password changes are not helpful. They have minimal positive impact and encourage users to do exactly what you mention: pick a pattern and increment (“Fall2016!”, “Winter2017!”, etc). The better recommendations are to change passwords when an event occurs rather than every XX days and to implement two-factor authentication if possible.

A password vault is a great idea. Not only does it make it easier to use different passwords for different sites/systems, it makes it easier to pick strong passwords.

Regards,
Steven Alexander
Director of IT Security
Kern Community College District
(661) 336-5111

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nicholas Garigliano
Sent: Sunday, October 9, 2016 7:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] password length and required reset

Hi Mike,

Some thoughts on password requirements in general:

- It is common for people to reuse account credentials at multiple sites that never require a password change (Amazon, Twitter etc). If one of the sites gets hacked and the credentials get dumped, then that increases the exposure for your site. Not to mention the nightmare it creates for the user.
- While pass phrases are generally more secure, simple/common ones like "Star Wars VII" are not. You can find these in most on-line cracking databases/lists. Of course, complexity and length are always a trade-off between usability and administrative overhead (resets etc).
- Current technology has made cracking dumped hashes more feasible for your average bad guy.
- Education can help. Many users, not all as we know, will listen if you explain clearly and succinctly why reusing passwords is not in their best interest. Suggesting the use of a password vault I feel is also a good idea.

So my deep thoughts on passwords is that you do need a minimum of 8, they need to be changed (and not just incremented, i.e. password123) and there should be some complexity. But as usual, it all depends on what you are allowed to do or can do in your particular environment.

Nick Garigliano, CISSP, GCIH
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Fri, Oct 7, 2016 at 3:28 PM, Mike Cunningham <mike.cunningham () pct edu> wrote:

We currently have a password length rule of 6 with a password expiration of 180 days. We are considering changing that to a length of 12 with a recommendation to use a pass phrase, and no expiration. Students can change their password daily or never, as they want. We believe the longer length requirement will make the password so much stronger that the password reset is no longer needed. This change is for students ONLY. Employees will still have a password reset requirement.

Thanks
Mike Cunningham
VP of Information Technology Services/CIO
Pennsylvania College of Technology
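As an added illustration (my own code, not from any poster in this thread), here is a small Python policy check that turns the points above into something a defender can run at password-set time: a minimum length, rejection of entries on a common-password list, detection of the season-plus-year and word-plus-digits patterns the thread calls out, and the worst-case exhaustive-search estimate at the CPU and GPU guess rates quoted above. The common-password set is a constructed stand-in, and the 8 million/s and 8 billion/s rates are the thread's MD5 figures taken as assumptions, not measurements.

```python
import re

# Constructed stand-in for a "most common passwords" list (real lists run
# to thousands of entries); matched case-insensitively.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "star wars vii"}

# Guess rates quoted in the thread for MD5: ~8 million/s on the CPU-based
# calculator versus ~8 billion/s on a decent GPU (assumed, not measured).
CPU_RATE = 8e6
GPU_RATE = 8e9
SECONDS_PER_YEAR = 365 * 86400

# "Fall2016!"-style pattern: season, four-digit year, optional trailing symbol.
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{4}[!@#$%^&*]?$", re.I)
# "password123"-style pattern: a bare word followed only by digits.
WORD_DIGITS = re.compile(r"^([a-z]+)\d+$", re.I)


def charset_size(pw):
    """Size of the smallest set of standard character classes that covers pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"\d", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable punctuation and space
    return size


def brute_force_years(pw, rate):
    """Worst-case years to exhaust pw's keyspace at `rate` guesses/second.
    This is the optimistic calculator figure; dictionary and pattern attacks
    finish far sooner against human-chosen passwords."""
    return charset_size(pw) ** len(pw) / rate / SECONDS_PER_YEAR


def check_password(pw, min_length=12):
    """Return a list of policy findings for pw; an empty list means it passes."""
    findings = []
    if len(pw) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("appears in a common-password list")
    else:
        m = WORD_DIGITS.match(pw)
        if m and m.group(1).lower() in COMMON_PASSWORDS:
            findings.append("common word with a numeric suffix (e.g. password123)")
    if SEASON_YEAR.match(pw):
        findings.append("season-plus-year pattern (e.g. Fall2016!)")
    return findings
```

Comparing brute_force_years at CPU_RATE and GPU_RATE for the same password shows the 1000x gap Brad describes, and the pattern checks show why a 12-character phrase that is on a list still fails.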
Current thread:
- password length and required reset Mike Cunningham (Oct 07)
- Re: password length and required reset Nicholas Garigliano (Oct 09)
- Re: password length and required reset Steven Alexander (Oct 10)
- Re: password length and required reset Mike Cunningham (Oct 10)
- Re: password length and required reset Brad Judy (Oct 10)
- Re: password length and required reset Steven Alexander (Oct 10)
- Re: password length and required reset Mike Cunningham (Oct 10)
- Re: password length and required reset Steven Alexander (Oct 10)
- Re: password length and required reset Justin Store (Oct 11)
- Re: password length and required reset Adam Maynard (Oct 11)
- Re: password length and required reset Drews, Jane E (Oct 12)
- Re: password length and required reset Mike Cunningham (Oct 12)
- Re: password length and required reset Haas, Mike (Oct 12)
- Re: password length and required reset Steven Alexander (Oct 10)
- Re: password length and required reset Nicholas Garigliano (Oct 09)
- <Possible follow-ups>
- Re: password length and required reset Boyd, Daniel (Oct 10)
- Re: password length and required reset Mike Cunningham (Oct 10)