Penetration Testing mailing list archives

Re: FW: Secure Password Policy?


From: kindageeky () gmail com
Date: 21 Jan 2006 08:59:47 -0000

NIST has published guidelines on password strength that the OMB and Homeland Security have apparently pledged support 
for under FISMA, at least this was what the government guys at the OWASP conference said.  In any case check out 
Appendix A of the document at http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf .... I strongly 
encourage you to check out this part of the paper as the assertions made about what makes a password "strong enough" 
are pretty enlightening.

It all comes down to entropy to protect against a guessing or brute force attack, and length to protect against a 
dictionary attack.  But entropy / randomness drops dramatically when a user CHOOSES their password (making guessing 
exponentially easier).  My suggestion would be to look at the 4 levels of security outlined in the document and equate 
those to the needs of your environment.  Note that levels 3 and 4 both require multi-factor authentication (i.e. 
passwords are dead for highly sensitive resource protection).

If you think an asset that an account has privileges to is somewhat worth protecting and that passwords are still 
viable, an (average) entropy of 20-30 bits (with an appropriate lock-out policy, say one minute after 3 wrong attempts) 
is probably sufficient in terms of guessing attacks.  This translates to passwords with a length between 5-8 characters 
(that also pass a 50,000 word dictionary test and contain capitals, special characters, and numbers).  The NIST 
document has a nice table outlining entropy levels for passwords of various lengths and with various assumptions about 
password policy; this is not 100% accurate data as the document explains, but is NIST's best estimate on AVERAGE 
entropy for passwords.

If you are protecting a privileged set of resources / account, you might want to require up to 40 bits of (average) 
entropy.  In practice, 40-bits translates to an 18-20 character pass phrase, assuming the use of at least one capital 
letter + one or more numbers + one or more special characters (dictionary tests lose their value at this length per the 
NIST guidelines).

Again, entropy is helping defeat guessing attacks and brute force, but length is your best defense against dictionary 
attacks ... thus for what I'd consider level 2 security, I'd require 20 characters instead of 18.  This should be 
sufficient to avoid any rainbow table attack in the foreseeable future (or at least within a reasonable lifetime for the 
password).  Note there are rainbow tables in existence that pre-hash anything in the 94-character range (everything you 
can hit on the keyboard, including space) up to 12 character passwords ... if you're worried about this attack, you 
probably want to require 14 characters for Level 1 IMHO.

Hope this helps.
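The NIST SP 800-63 Appendix A heuristic the post points to, as an added example in Python (not code from the post's author or from NIST): it applies the per-position rule NIST describes for user-chosen passwords (4 bits for the first character, 2 each for characters 2-8, 1.5 each for 9-20, 1 beyond that, plus bonuses for a composition rule and a dictionary check), compares that with a randomly generated password of the same length, and estimates how long an online guessing attack takes under the "three attempts, then a one-minute lock-out" policy mentioned above. The toy dictionary, the sample passwords, the `check_policy` helper and the simplification that applies the full bonuses below 8 characters (NIST's table tapers them there) are assumptions.

```python
"""Password entropy estimate in the style of NIST SP 800-63 Appendix A (2006).

Added example; not code from the mailing-list post or from NIST.
"""
import math

# Constructed toy dictionary standing in for the ~50,000-word list the post
# mentions; a real check would load a full word list.
SAMPLE_DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty"}


def user_chosen_entropy(password, composition_rule=False, dictionary_rule=False):
    """Estimated guessing entropy (bits) of a user-selected password.

    Heuristic from SP 800-63 Appendix A: 4 bits for the first character,
    2 bits each for characters 2-8, 1.5 bits each for characters 9-20,
    1 bit each beyond 20; +6 bits when a composition rule forces upper-case
    and non-alphabetic characters; up to +6 bits for an extensive dictionary
    check, declining to zero at 20 characters.
    ASSUMPTION: below 8 characters the full bonuses are applied, whereas
    NIST's published table tapers them, so short-length results are upper bounds.
    """
    n = len(password)
    if n == 0:
        return 0.0
    bits = 4.0                                   # first character
    bits += 2.0 * (min(n, 8) - 1)                # characters 2..8
    bits += 1.5 * max(0, min(n, 20) - 8)         # characters 9..20
    bits += 1.0 * max(0, n - 20)                 # characters 21 and beyond
    if composition_rule:
        bits += 6.0
    if dictionary_rule and n < 20:
        bits += min(6.0, 6.0 - 0.5 * (n - 8))    # 6 bits at <=8 chars, 0 at 20
    return bits


def random_entropy(length, alphabet_size=94):
    """Entropy of a password drawn uniformly from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_minute):
    """Years an online attacker needs to try the whole 2**bits space at the
    rate a lock-out policy allows (the post's policy permits about 3/minute)."""
    minutes = 2 ** bits / guesses_per_minute
    return minutes / (60 * 24 * 365.25)


def check_policy(password, min_bits, min_length, dictionary=SAMPLE_DICTIONARY):
    """Policy in the spirit of the post: dictionary test, composition rule,
    minimum length and minimum estimated entropy.
    Returns (passes, estimated_bits, reasons)."""
    reasons = []
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(not c.isalnum() for c in password)
    composition_ok = has_upper and has_digit and has_special
    in_dictionary = password.lower() in dictionary
    if not composition_ok:
        reasons.append("needs a capital, a number and a special character")
    if in_dictionary:
        reasons.append("is a dictionary word")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # A dictionary word earns no dictionary-check bonus.
    bits = user_chosen_entropy(password, composition_rule=composition_ok,
                               dictionary_rule=not in_dictionary)
    if bits < min_bits:
        reasons.append(f"estimated {bits:.1f} bits, policy wants {min_bits}")
    return (not reasons, bits, reasons)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw, min_bits, min_len in [("Tr0ub&dor!", 20, 5),
                                  ("password", 20, 5),
                                  ("Correct-Horse-Battery-9", 40, 20)]:
        ok, bits, why = check_policy(pw, min_bits, min_len)
        print(f"{pw!r}: user-chosen {bits:.1f} bits, random of same length "
              f"{random_entropy(len(pw)):.1f} bits, passes={ok} {why}")
    print(f"30 bits at 3 guesses/minute: {years_to_exhaust(30, 3):.0f} years to exhaust")
```

The last line is the point of the post's lock-out remark: a 30-bit user-chosen password is nothing against an offline attack (a 94-character random password of only 5 characters has more), but an online attacker limited to three tries per minute needs centuries to run through the space.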
