Firewall Wizards mailing list archives
RE: "Proactive" Password Checking
From: Bill_Royds () pch gc ca
Date: Fri, 12 Nov 1999 10:08:26 -0500
In the NOVA program on Bletchley Park and the WWII German Enigma encryption machine aired last Tuesday, the key to cracking it was password error much more than algorithm error. The Enigma machine was very secure but it required a "random" salt of three letters by the operator with a matching 3 letter salt by receiver. So it was common for random salt to be BER with response LIN or LON DON etc. People are just not random enough.

Paul McNabb <mcnabb () argus-systems com> on 10/11/99 11:50:14 AM
Please respond to Paul McNabb <mcnabb () argus-systems com>
To: owner-firewall-wizards () lists nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: RE: "Proactive" Password Checking
From: "Eric Toll" <etoll () syracusesupply com>

Just read this password checking thread and a lot of you seem to say some things which seem a bit strange to me. A complex password does not have to be something like "$5dsdDe%AzW3q"; this is hard to crack and hard to remember (users forgetting or writing it down).
Now consider the password "maryhadalittlelamb": hard to crack,
                          ^^^^^^^^^^^^^^^^^^^^
easy to remember, not a problem for dictionary crackers. Just tell users to put a few words _together_ for security, like their favorite song lyric or something. I felt obligated to tell you all this, because it felt like no person in the thread was aware or voiced this.
I think the reason no one voiced this is because strings of self-selected words are relatively easy to crack. Most educated people only have a few thousand words in their active vocabularies, which is approximately equal to 2.3 lower case letters. So a string of up to 5 words will be about as "random" as an 11 character password of only lower case letters, or a 9 character password that uses both lower and upper case letters. When you start taking word frequencies into account, along with various implementation limits that are typically present (e.g., a maximum length of 32 characters will limit the use of common words like "important" and "tremendous" in 5 word passphrases), these passphrases start looking like 6 to 8 character passwords -- not much better than we are doing now.

However, machine generated passphrases will be significantly better. People tend to have passive vocabularies that are significantly larger than their active vocabularies (i.e., you read and understand many more words than you use), and the words really can be random. Also, most people are able to remember a few extra tricks, such as having a single capital letter somewhere in the passphrase, that can greatly increase the size of the password space without making it too much more difficult to remember the passphrase. For example, a three word, machine generated passphrase with nothing else done for added complexity is about equal to an 8 character password of random lower case letters.

paul

---------------------------------------------------------
Paul A. McNabb, CISSP                Argus Systems Group, Inc.
Vice President and CTO               1809 Woodfield Drive
mcnabb () argus-systems com          Savoy, IL 61874 USA
TEL 217-355-6308  FAX 217-355-1433   "Securing the Future"
---------------------------------------------------------
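The arithmetic behind Paul's comparison (a few thousand active-vocabulary words being worth about 2.3 lower case letters per word, five such words being worth an 11 character lower case or 9 character mixed case password, and word frequencies pulling that down further) can be checked with a few lines of entropy bookkeeping. The following is an added example, not code from anyone in this thread; the vocabulary size of 1800 words and the 1/rank ("Zipf") weighting used to stand in for "word frequencies" are assumptions chosen to illustrate the argument.

```python
import math

# Alphabet sizes used in the comparison above.
LOWER = 26   # lower case letters only
MIXED = 52   # lower and upper case letters


def bits_for_words(vocab_size: int, n_words: int) -> float:
    """Entropy of n_words picked uniformly and independently from vocab_size words."""
    return n_words * math.log2(vocab_size)


def bits_for_chars(alphabet: int, n_chars: int) -> float:
    """Entropy of n_chars picked uniformly from an alphabet of the given size."""
    return n_chars * math.log2(alphabet)


def equivalent_chars(bits: float, alphabet: int) -> float:
    """How many uniformly random characters of this alphabet carry the same bits."""
    return bits / math.log2(alphabet)


def vocab_for_equivalent_chars(chars: float, alphabet: int = LOWER) -> float:
    """Inverse for a single word: the vocabulary size at which one uniformly
    chosen word is worth `chars` random characters of the alphabet."""
    return 2 ** (chars * math.log2(alphabet))


def shannon_bits(weights) -> float:
    """Entropy of one draw from a non-uniform word distribution.
    `weights` are relative frequencies; they need not sum to 1."""
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights if w > 0)


def zipf_weights(vocab_size: int):
    """Constructed stand-in for real word frequencies (assumption): the word of
    rank r is chosen with weight 1/r, so common words dominate."""
    return [1.0 / r for r in range(1, vocab_size + 1)]


def bits_for_one_capital(total_letters: int) -> float:
    """Extra bits gained by capitalising exactly one letter at a position the
    user picks uniformly among total_letters positions."""
    return math.log2(total_letters)


def compare(vocab_size: int = 1800, n_words: int = 5) -> dict:
    """Summarise a self-selected passphrase of n_words words from a vocabulary
    of vocab_size, both with uniform and with frequency-weighted word choice."""
    uniform_bits = bits_for_words(vocab_size, n_words)
    weighted_bits = n_words * shannon_bits(zipf_weights(vocab_size))
    return {
        "bits_per_word_uniform": math.log2(vocab_size),
        "letters_per_word_uniform": equivalent_chars(math.log2(vocab_size), LOWER),
        "uniform_as_lower": equivalent_chars(uniform_bits, LOWER),
        "uniform_as_mixed": equivalent_chars(uniform_bits, MIXED),
        "weighted_as_lower": equivalent_chars(weighted_bits, LOWER),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:26s} {value:6.2f}")
    # A three-word machine-generated passphrase drawn from a larger (passive)
    # vocabulary; the 20000-word size is an assumption for illustration.
    machine = bits_for_words(20000, 3)
    print(f"3 machine-picked words      {equivalent_chars(machine, LOWER):6.2f} lower case letters")
    print(f"8 random lower case letters {bits_for_chars(LOWER, 8):6.2f} bits")
    print(f"one capital among 18 letters adds {bits_for_one_capital(18):4.2f} bits")
```

With uniform choice from 1800 words, one word is worth 2.30 lower case letters and five words come out at 11.5 lower case or 9.5 mixed case characters, which is the comparison made above; weighting the same vocabulary by 1/rank drops a single word to roughly 8 bits, so the five-word phrase shrinks to about 8.5 lower case letters before any length limits are applied.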