Firewall Wizards mailing list archives

Re: Re[2]: password aging


From: Aleph One <aleph1 () dfw net>
Date: Wed, 2 Sep 1998 10:38:10 -0500 (CDT)

On Wed, 2 Sep 1998 Steve.Bleazard () wdr com wrote:

     One alternative to password aging, is to force everyone to use a 
     password generator.  FIPS181 from the US government describes (and 
     implements) such a generator.  I have found the FIPS181 algorithm 
     generates good pronounceable passwords.  They are also far less 
     susceptible to social engineering.
     
     Using password generators has many problems in itself, not least of 
     which is the tendency for people to write the password down.  However, 
     if security demands good password aging and system wide password 
     re-use detection, then the local policies can be enforced to deal with 
     this and a generator is a viable alternative.

This reminds me of this little blurb that comes with the Crack programs.
From doc/fips181.txt:

  Federal Information Processing Standard 181 defines a standard for an
  automated password generator to be used in "all federal departments
  and agencies where there is a requirement for computer generated
  pronounceable passwords"... for passwords of between 5 and 8 characters
  long.

  Basically it's a generator which takes a good PRNG and a bunch of
  fixed syllables (composed from lowercase ascii letters) and uses the
  former to drive concatenation of the latter, producing at the business
  end a "pronounceable password".

  Reading FIPS181 (http://csrc.ncsl.nist.gov/fips/fips181.txt) one gets
  a good feel for the reduction in search space that this algorithm
  provides to the password cracker.

  Section 2.4 cites that the algorithm is capable of producing
  "approximately 18 million 6-character" passwords; compare this with
  the set of 309 million lowercase 6-character passwords, and we see
  that the lack of entropy in the output has reduced the search space to
  about 5% of its original size.

  Interesting; from this basis we may pose the following student project:
  or values of N constrained by
  your resources.

  3) sort/uniq, dawg and gzip this dictionary and put it up on an
  Internet FTP site, posting an announcement of a new Crack dictionary
  containing all possible N-character plaintext federal passwords.

  4) Write an essay describing your experiences of consequent federal
  investigation, backbiting and paranoia.
  --
  To verify the feasibility of (3), the author can confirm that the
  highly redundant 2Gb dictionary of all possible 6-character lowercase
  passwords (newline separated) compresses to about 7Mb under dawg/gzip.
  YMMV.

As you can see using FIPS181 is a very bad idea.

     Steve

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
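The search-space argument in the quoted Crack note can be checked numerically. The following is an added worked example, not code from the Crack documentation, FIPS 181 or the post above: it enumerates every distinct output of a syllable-concatenation generator of the kind described (PRNG-driven concatenation of fixed lowercase syllables) and compares that count with the full 26^N lowercase space. The syllable table is a constructed toy, not the FIPS 181 rules, so its numbers differ from the 18 million / 309 million figures in the post; those figures are also fed through the same functions so the 5% and the corresponding bits of lost entropy can be reproduced.

```python
import math

# Constructed toy syllable table (an assumption for this example, NOT the
# FIPS 181 syllable rules): consonant+vowel units plus a few lone consonants.
VOWELS = "aeiou"
SYLLABLES = [c + v for c in "bktnrs" for v in VOWELS] + list("lnrst")
ALPHABET_SIZE = 26  # lowercase ASCII, the comparison set used in the post


def generator_outputs(length, syllables=SYLLABLES):
    """Exhaustively enumerate every distinct string of exactly `length`
    characters the toy generator can emit by concatenating syllables.

    Building a set is the "sort/uniq" step of the Crack note: its size is the
    effective keyspace, no matter how good the PRNG choosing the syllables is.
    """
    found = set()

    def extend(prefix):
        if len(prefix) == length:
            found.add(prefix)
            return
        for s in syllables:
            if len(prefix) + len(s) <= length:  # prune over-long prefixes
                extend(prefix + s)

    extend("")
    return found


def search_space_fraction(generator_count, length, alphabet_size=ALPHABET_SIZE):
    """Fraction of the full alphabet**length space the generator can reach."""
    return generator_count / alphabet_size ** length


def entropy_loss_bits(generator_count, length, alphabet_size=ALPHABET_SIZE):
    """Bits of guessing work saved by knowing the generator was used."""
    return math.log2(alphabet_size ** length) - math.log2(generator_count)


def report(length):
    """Effective keyspace of the toy generator at a given password length."""
    outputs = generator_outputs(length)
    return {
        "length": length,
        "generator_count": len(outputs),
        "full_count": ALPHABET_SIZE ** length,
        "fraction": search_space_fraction(len(outputs), length),
        "bits_lost": entropy_loss_bits(len(outputs), length),
    }


if __name__ == "__main__":
    # The post's own figures for FIPS 181 at 6 characters: ~18 million
    # generator outputs versus 26**6 (about 309 million) lowercase strings.
    fips_count = 18_000_000
    print(f"FIPS 181, 6 chars: {search_space_fraction(fips_count, 6):.1%} of the "
          f"lowercase space, {entropy_loss_bits(fips_count, 6):.1f} bits lost")
    for n in (4, 5, 6):
        r = report(n)
        print(f"toy generator, {n} chars: {r['generator_count']} of "
              f"{r['full_count']} ({r['fraction']:.2%}), "
              f"{r['bits_lost']:.1f} bits lost")
```

The same enumeration is how to evaluate any generator before adopting it as policy: if the distinct-output count is small enough to enumerate on a workstation, an attacker with a copy of the generator can enumerate it too, and the "random" passwords are only as strong as that count.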
