Firewall Wizards mailing list archives

RE: Stanford break in


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Fri, 23 Apr 2004 09:46:45 -0400

In most high-security environments password policies are quickly
becoming outmoded because processing and storage capacity have become
cheap and exponentially greater over a very short period of time.  There
are a set of formulas that you can use to calculate the probability of
success of password guessing attacks.  These are published in the
Department of Defense Password Management Guideline (CSC-STD-002-85),
among other places.

The problem is that precomputational guessing attacks like RainbowCrack
for NTLM and AsLeap for Cisco LEAP have cut the amount of actual time
necessary to calculate a password from its ciphertext to a minute
fraction of what previous dictionary or brute-force attacks required.
And though you can use an unseemly password policy to make these attacks
difficult now, storage and processing capacity will continue to become
greater and cheaper.  However, I don't expect that we'll start adding
more characters to our keyboards at a rate that can keep up.

PaulM

-----Original Message-----
Decide on password guidelines like alpha-numeric, mixed case, and one 
special character, and leave it to a dll like passfilt.dll or 
something similar. Yellow stickies just come down to end-user 
education, and a good password policy. If the requirements are: "14 
random alpha-numeric chars, with 5 special chars and mixed case.. OH, 
and change it weekly" you will most likely have a sticky note 
problem.. if it's: "7 chars, alpha-numeric, one special char and mixed
case changing every 42 days
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
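The formula Paul refers to from the DoD Password Management Guideline (CSC-STD-002-85) is P = L * R / S: the probability P that a password is guessed within its lifetime L (in seconds) by an attacker making R guesses per second against a password space of S possible passwords, with S = A^M for an alphabet of A characters and length M. The following Python is an added worked example, not code from the original post or the guideline. It applies the formula to the 7-character, 42-day policy from the quoted message and then shows Paul's point: raising R from an online guess rate to an offline or precomputed-table rate pushes P past 1 and drives the required length up faster than anyone wants to type. The guess rates, the 42-day lifetime, and the 1e-6 target probability are constructed inputs chosen for this example.

```python
import math

# Printable ASCII alphabet (upper, lower, digits, 32 specials), as assumed
# for a "mixed case, alpha-numeric, one special char" policy in this example.
PRINTABLE_ASCII = 95


def password_space(alphabet_size: int, length: int) -> int:
    """S = A^M: number of distinct passwords of a given length."""
    return alphabet_size ** length


def guess_probability(lifetime_seconds: float, guess_rate: float, space: int) -> float:
    """CSC-STD-002-85: P = L * R / S, capped at 1.0 once the space is exhausted."""
    return min(1.0, (lifetime_seconds * guess_rate) / space)


def min_length(alphabet_size: int, lifetime_seconds: float,
               guess_rate: float, p_max: float) -> int:
    """Smallest length M such that P = L * R / A^M stays at or below p_max.

    Solved by searching upward in integer arithmetic rather than with
    log(), so a borderline result is not mis-rounded by float error.
    """
    needed_space = (lifetime_seconds * guess_rate) / p_max
    length = 1
    while alphabet_size ** length < needed_space:
        length += 1
    return length


# Constructed scenario inputs for the example (not measurements):
LIFETIME_42_DAYS = 42 * 24 * 3600      # the "changing every 42 days" policy
P_MAX = 1e-6                            # acceptable guess probability for this example
GUESS_RATES = {
    # Rate-limited online guessing against a live logon service.
    "online, 10 guesses/s": 10.0,
    # Offline cracking of a captured hash on commodity hardware.
    "offline brute force, 1e9 guesses/s": 1e9,
    # Precomputed (rainbow) table: the cost moved to table build time,
    # so each lookup is effectively an immediate "guess".
    "precomputed table lookup, 1e12 effective guesses/s": 1e12,
}


def evaluate_policy(length: int, alphabet_size: int = PRINTABLE_ASCII,
                    lifetime_seconds: float = LIFETIME_42_DAYS) -> dict:
    """For each attacker model return (P over the lifetime, length needed for P_MAX)."""
    space = password_space(alphabet_size, length)
    results = {}
    for label, rate in GUESS_RATES.items():
        results[label] = (
            guess_probability(lifetime_seconds, rate, space),
            min_length(alphabet_size, lifetime_seconds, rate, P_MAX),
        )
    return results


if __name__ == "__main__":
    print(f"Space for 7 chars over {PRINTABLE_ASCII} symbols: "
          f"{password_space(PRINTABLE_ASCII, 7):.3e}")
    for label, (p, needed) in evaluate_policy(7).items():
        print(f"{label:55s} P={p:.2e}  length needed for P<={P_MAX:g}: {needed}")
```

The 7-character policy holds up against the online model (P is a little over 5e-7 for the 42-day lifetime) but is fully exhausted (P = 1) against the offline and precomputed models, and the length required to get back under 1e-6 climbs from 7 to 11 and then 13 as R grows, which is the arithmetic behind the remark that keyboards will not grow characters at the rate storage and processing grow.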

