Penetration Testing mailing list archives
RE: Secure Password Policy?
From: "Anders Thulin" <Anders.Thulin () tietoenator com>
Date: Fri, 20 Jan 2006 10:03:02 +0100
Sulaiman, Wilmar [mailto:wsulaiman () siddharta co id] asked
I noticed that "best practice" for the minimum password length policy is either 6 or 8 characters. I guess the SANS Institute considers a password weak if it is less than 8 characters.
Isn't there an explanation of those magic numbers somewhere nearby, or an assumption about how the passwords are selected, or the login situation? If not, the author should probably be considered suspect.
Is there any documentation to back up why the best practice for minimum password length is set to 6?
Pick a log-in service you're interested in. Say FTP. Pick a login-testing program, such as THC Hydra, and set it up to talk to the FTP service. Feed a big password list to it, so that it keeps working for a reasonable time. How many password guesses can it do per second, with various tweaks? (I have an old figure of 120 attempts per second, sustained. But this was more than 12 months ago, and for another program on a loopback connection. Find out *your* guessing rate.)

Next, how long will it take, worst case, before this guessing is discovered, and actually stopped, for instance by blocking your IP in the firewall? An hour? A day? A week? (Say 14 days - IT department is off on very long Xmas vacation, or whoever is responsible for reading security logs gets his hands full with more pressing work, but after 14 days log space will be full, and system will halt...)

14 days * 120 attempts / second make approx 150M attempts. You want a password that resists that many guesses with a decent probability margin -- as you don't know the order in which the guesses will be made. Assuming an A-Za-z0-9 (62 character) truly random password, length 5 gives about 10% chance for a crack in 14 days, length 6 0.3% and so on. I'm not sure what to go for here, but I'd try to get below 0.01%, at least.

As should be obvious, the most important security measure in this kind of situation is to limit the guessing rate. I'd say 100 guesses per hour is acceptable, except perhaps in high-security installations. 14 days * 100 attempts / hour make approx 34k attempts. Much nicer. A length 6 password is now quite difficult to guess in the stipulated time, even without special characters.

Still, it doesn't mean much unless passwords are truly random. Users tend to find the password of least effort -- and those are often easy to guess.
I've seen 'Volvo-V70' (or very close relatives) as a password more often than I care to remember -- but it is long, has both upper and lower case letters, digits and even a special character. It is still probably among the first 100000 passwords to be guessed in an attack (locally). So length 6 = 0.3% is rather optimistic ... passwords won't be random unless you ensure it in some way.

I don't know any password length calculations that try to take 'easy passwords' into account. The only way I know to estimate if a password is 'easily guessed' is to let John the Ripper generate passwords ... if the password is in the first million produced or so, it's probably easily guessed.

Anders Thulin
anders.thulin () tietoenator com
040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
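The arithmetic Anders walks through above (guess rate times detection window, measured against a 62-symbol keyspace), as an added worked example for this archive page; it is not part of his message. It uses the rate, window and alphabet values he gives, and also generalises the reasoning with a `min_length_for` helper (my own addition) that finds the shortest random password meeting a target crack probability such as his 0.01%.

```python
import math

SECONDS_PER_DAY = 86400
ALNUM = 62  # A-Za-z0-9, the alphabet assumed in the post


def total_guesses(rate_per_second: float, window_days: float) -> float:
    """Guesses an attacker can make before the guessing is noticed and stopped."""
    return rate_per_second * window_days * SECONDS_PER_DAY


def crack_probability(length: int, alphabet: int, guesses: float) -> float:
    """Chance that a uniformly random password of `length` symbols from an
    `alphabet`-sized set falls within `guesses` distinct guesses (capped at 1).
    Only valid for truly random passwords, as the post itself stresses."""
    keyspace = alphabet ** length  # exact big integer
    return min(1.0, guesses / keyspace)


def min_length_for(target: float, alphabet: int, guesses: float) -> int:
    """Smallest length whose crack probability is at or below `target`."""
    if target <= 0 or guesses <= 0:
        raise ValueError("target and guesses must be positive")
    # alphabet**n >= guesses/target  <=>  n >= log(guesses/target) / log(alphabet)
    length = max(1, math.ceil(math.log(guesses / target) / math.log(alphabet)))
    # Correct for floating-point rounding at the boundary in either direction.
    while crack_probability(length, alphabet, guesses) > target:
        length += 1
    while length > 1 and crack_probability(length - 1, alphabet, guesses) <= target:
        length -= 1
    return length


if __name__ == "__main__":
    # Scenario 1 from the post: 120 guesses/s sustained, 14 days until stopped.
    fast = total_guesses(120, 14)
    # Scenario 2 from the post: rate limited to 100 guesses/hour, same window.
    slow = total_guesses(100 / 3600, 14)
    for label, guesses in (("120 guesses/s", fast), ("100 guesses/h", slow)):
        print(f"{label}: {guesses:,.0f} guesses in 14 days")
        for n in (5, 6, 7, 8):
            print(f"  length {n}: {crack_probability(n, ALNUM, guesses):.4%}")
        print(f"  shortest length for <= 0.01%: {min_length_for(1e-4, ALNUM, guesses)}")
```

The output makes the post's point concrete: throttling to 100 guesses/hour drops the required length for the 0.01% target from 7 to 5 characters, and the 'Volvo-V70' caveat still applies since the model assumes the password is uniformly random.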