Firewall Wizards mailing list archives

RE: "Proactive" Password Checking


From: Bill_Royds () pch gc ca
Date: Fri, 12 Nov 1999 10:08:26 -0500

In the NOVA program on Bletchley Park and the WWII German Enigma encryption
machine aired last Tuesday, the key to cracking it was password error much more
than algorithm error. The Enigma machine was very secure but it required a
"random" salt of three letters by the operator with a matching 3 letter salt by
receiver. So it was common for the random salt to be BER with response LIN or LON
DON etc.  People are just not random enough.




Paul McNabb <mcnabb () argus-systems com> on 10/11/99 11:50:14 AM

Please respond to Paul McNabb <mcnabb () argus-systems com>

To:   owner-firewall-wizards () lists nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  RE: "Proactive" Password Checking



 From: "Eric Toll" <etoll () syracusesupply com>

 Just read this password checking thread and a lot of you seem to say,
 some things which seem a bit strange to me.

 A complex password does not have to be something like "$5dsdDe%AzW3q"
 this is hard to crack and hard to remember.  (users forgetting or
 writing it down)

 Now consider the password "maryhadalittlelamb"  hard to crack,
                                                   ^^^^^^^^^^^^^
 easy to remember, not a problem for dictionary crackers.   Just tell
 users to put a few words _together_ for security, like their favorite
 song lyric or something.

 I felt obligated to tell you all this, because it felt like no person
 in the thread was aware or voiced this.

I think the reason no one voiced this is because strings of self-selected
words are relatively easy to crack.  Most educated people only have a few
thousand words in their active vocabularies, which is approximately equal
to 2.3 lower case letters.  So a string of up to 5 words will be about
as "random" as an 11 character password of only lower case letters, or a
9 character password that uses both lower and upper case letters.

When you start taking word frequencies into account, along with various
implementation limits that are typically present (e.g., a maximum length
of 32 characters will limit the use of common words like "important", and
"tremendous" in 5 word passphrases), these passphrases start looking like
6 to 8 character passwords -- not much better than we are doing now.

However, machine generated passphrases will be significantly better.
People tend to have passive vocabularies that are significantly larger
than their active vocabularies (i.e., you read and understand many more
words than you use), and the words really can be random.  Also, most
people are able to remember a few extra tricks, such as having a single
capital letter somewhere in the passphrase, that can greatly increase
the size of the password space without making it too much more difficult
to remember the passphrase.  For example, a three word, machine generated
passphrase with nothing else done for added complexity is about equal to
an 8 character password of random lower case letters.

paul

---------------------------------------------------------
Paul A. McNabb, CISSP           Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
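The arithmetic in Paul's reply (a few thousand active words being worth about 2.3 lower-case letters each, five such words being about an 11-letter lower-case or 9-character mixed-case password, and three machine-generated words from a larger passive vocabulary being about 8 random lower-case letters) carried through as an added worked example. This is not code from the thread or from Argus Systems; the vocabulary sizes of 2000 (active) and 6000 (passive), and the Zipf model used to put "word frequencies" into numbers, are this example's own assumptions.

```python
import math

# Assumed vocabulary sizes. The thread only says "a few thousand" active
# words and a "significantly larger" passive vocabulary; these figures are
# this example's assumptions, not numbers from the original message.
ACTIVE_VOCAB = 2000
PASSIVE_VOCAB = 6000

LOWER = 26   # a-z
MIXED = 52   # a-z plus A-Z


def bits_random_chars(length, alphabet_size):
    """Entropy in bits of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_uniform_words(n_words, vocab_size):
    """Entropy in bits of `n_words` words drawn uniformly from a vocabulary."""
    return n_words * math.log2(vocab_size)


def equivalent_chars(bits, alphabet_size):
    """Length of a uniformly random password over `alphabet_size` symbols
    that carries `bits` bits of entropy."""
    return bits / math.log2(alphabet_size)


def letters_per_word(vocab_size):
    """How many random lower-case letters one uniformly chosen word is worth
    (the reply's '2.3 lower case letters' for a few-thousand-word vocabulary)."""
    return math.log(vocab_size, LOWER)


def vocab_for_equivalence(n_words, length, alphabet_size):
    """Vocabulary size at which `n_words` uniformly chosen words carry as much
    entropy as a `length`-character random password over `alphabet_size`."""
    return alphabet_size ** (length / n_words)


def zipf_entropy_bits(vocab_size, exponent=1.0):
    """Per-word Shannon entropy when users pick words with Zipf-like
    frequencies (rank r chosen with probability proportional to r**-exponent)
    instead of uniformly. The Zipf model and exponent are assumptions made
    here to quantify the reply's 'word frequencies' remark."""
    weights = [r ** -exponent for r in range(1, vocab_size + 1)]
    total = sum(weights)
    return -sum((w / total) * math.log2(w / total) for w in weights)


def compare(n_words=5, vocab_size=ACTIVE_VOCAB):
    """Express a self-selected passphrase of `n_words` words as equivalent
    random-character password lengths, both for uniform word choice and for
    frequency-weighted (Zipf) word choice."""
    uniform = bits_uniform_words(n_words, vocab_size)
    weighted = n_words * zipf_entropy_bits(vocab_size)
    return {
        "uniform_bits": uniform,
        "uniform_lower_chars": equivalent_chars(uniform, LOWER),
        "uniform_mixed_chars": equivalent_chars(uniform, MIXED),
        "weighted_bits": weighted,
        "weighted_lower_chars": equivalent_chars(weighted, LOWER),
        "weighted_mixed_chars": equivalent_chars(weighted, MIXED),
    }


if __name__ == "__main__":
    print(f"one word from {ACTIVE_VOCAB} words ~ "
          f"{letters_per_word(ACTIVE_VOCAB):.2f} random lower-case letters")
    for key, value in compare().items():
        print(f"5 self-selected words, {key:>20}: {value:6.2f}")
    needed = vocab_for_equivalence(3, 8, LOWER)
    print(f"3 machine-generated words match 8 random lower-case letters "
          f"once the vocabulary reaches ~{needed:.0f} words")
    print(f"3 words from {PASSIVE_VOCAB} passive words ~ "
          f"{equivalent_chars(bits_uniform_words(3, PASSIVE_VOCAB), LOWER):.2f} "
          f"random lower-case letters")
```

Running the module prints the comparison table; the frequency-weighted rows show why a passphrase that looks like 11 random letters on a uniform count shrinks toward the 6 to 8 character range once common words are picked far more often than rare ones, before any implementation length limit is applied.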
