Firewall Wizards mailing list archives
RE: Stanford break in
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Fri, 23 Apr 2004 09:46:45 -0400
In most high-security environments password policies are quickly becoming outmoded because processing and storage capacity have become cheap and exponentially greater over a very short period of time. There are a set of formulas that you can use to calculate the probability of success of password guessing attacks. These are published in the Department of Defense Password Management Guideline (CSC-STD-002-85), among other places.

The problem is that precomputational guessing attacks like RainbowCrack for NTLM and AsLeap for Cisco LEAP have cut the amount of actual time necessary to calculate a password from its ciphertext to a minute fraction of what previous dictionary or brute-force attacks required. And though you can use an unseemly password policy to make these attacks difficult now, storage and processing capacity will continue to become greater and cheaper. However, I don't expect that we'll start adding more characters to our keyboards at a rate that can keep up.

PaulM
-----Original Message-----

Decide on password guidelines like alpha-numeric, mixed case, and one special character, and leave it to a dll like passfilt.dll or something similar. Yellow stickies just comes down to end-user education, and a good password policy. If the requirements are: "14 random alpha-numeric chars, with 5 special chars and mixed case.. OH, and change it weekly" you will most likely have a sticky note problem.. if it's: "7 chars, alpha-numeric, one special char and mixed case changing every 42 days
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
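The DoD Password Management Guideline that the post cites expresses the chance of a guessing attack succeeding during a password's lifetime as P = (L × R) / S, where L is the password lifetime, R is the attacker's guess rate and S is the size of the password space. The following is an added example, not code from the post or from the guideline, that works that formula through for the two policies quoted in the thread. The 94-character alphabet and the guess rates (a throttled online rate and a much higher offline rate standing in for precomputation-style attacks) are constructed assumptions chosen to illustrate the argument that S grows only with length and alphabet while R keeps getting cheaper.

```python
"""Password-guessing probability from CSC-STD-002-85: P = L * R / S.

Added example. Alphabet size, lifetimes and guess rates below are constructed
assumptions for illustration, not measurements from any real cracking tool.
"""

SECONDS_PER_DAY = 24 * 60 * 60

# Assumed alphabet: 26 lower + 26 upper + 10 digits + 32 printable specials.
ALPHABET_SIZE = 94

# Constructed guess rates (guesses per second): a throttled online login
# versus an offline attack against captured ciphertext.
ONLINE_RATE = 1e4
OFFLINE_RATE = 1e9


def password_space(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """S: number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def guess_probability(lifetime_seconds: float, guesses_per_second: float,
                      space: int) -> float:
    """P = L * R / S, capped at 1.0 (the attacker can't do better than certainty)."""
    return min(1.0, (lifetime_seconds * guesses_per_second) / space)


def required_space(lifetime_seconds: float, guesses_per_second: float,
                   max_probability: float) -> float:
    """Rearranged: the smallest S that keeps P at or below `max_probability`."""
    return (lifetime_seconds * guesses_per_second) / max_probability


def min_length(alphabet_size: int, space_needed: float) -> int:
    """Smallest password length whose space meets `space_needed`.

    Uses an integer loop instead of a floating-point log so the answer is exact
    at the boundary.
    """
    length = 1
    while alphabet_size ** length < space_needed:
        length += 1
    return length


def compare_policies() -> dict:
    """Evaluate the two policies quoted in the thread under both guess rates."""
    policies = {
        "7 chars / 42 days": (7, 42 * SECONDS_PER_DAY),
        "14 chars / 7 days": (14, 7 * SECONDS_PER_DAY),
    }
    results = {}
    for name, (length, lifetime) in policies.items():
        space = password_space(length)
        results[name] = {
            "space": space,
            "p_online": guess_probability(lifetime, ONLINE_RATE, space),
            "p_offline": guess_probability(lifetime, OFFLINE_RATE, space),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name}: S={r['space']:.3e}  "
              f"P(online)={r['p_online']:.2e}  P(offline)={r['p_offline']:.2e}")
    # How long must a 42-day password be to hold P <= 1e-6 at the offline rate?
    needed = required_space(42 * SECONDS_PER_DAY, OFFLINE_RATE, 1e-6)
    print("min length for P<=1e-6 at offline rate:",
          min_length(ALPHABET_SIZE, needed))
```

Under the assumed rates, the 7-character / 42-day policy is comfortable against a throttled online attacker (P well under a thousandth) but saturates at P = 1 once the attacker can run an offline attack against captured ciphertext; the only lever left in the formula is S, which is exactly the "more characters on the keyboard" problem the post describes.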