Penetration Testing mailing list archives
RE: Secure Password Policy?
From: Petr.Kazil () eap nl
Date: Sun, 22 Jan 2006 11:36:30 +0100
Rainbow tables make password up to around 8 characters easy to crack, if
the
attacker has the time to pre-compute the tabes. Making rainbow tables
beyond
8 is long term planning, and somewhat disk intensive for script-kiddy
level
attacks.
It is instructive to look at this site: http://www.loginrecovery.com/ I've used this website as an example in a class I gave, and I exchanged a few e-mails with the owners of this site. They were very friendly and explained that they used huge rainbow tables and that they could easily crack passwords even longer than 14 characters. I sent in a few test passwords of mine (very simple ones) and they were all cracked in a minute. This was a sobering experience :-) There may be more service providers like that, but this was the first one I found. If you're in deep trouble, then paying 10 GBP for your forgotten admin password is a good deal. At our clients I try to defend the current Microsoft policy because IMHO it's quite safe and reduces the load on the helpdesk: Length: 8 chars or more Complexity: enabled Change: every 90-120 days Lockout: after 50 (!) attempts - not 5 or 3 like we used to advise The philosophy is that a lockout is only necessary if someone uses an automated password guessing tool. The chance of guessing even a simple password like "Banana01" (seen "in the wild") in 50 guesses is slight. And having 50 tries once saved the day for me, after I changed my password late at night and didn't know it anymore in the morning :-) Greetings, Petr Kazil ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Secure Password Policy? Sulaiman, Wilmar (Jan 19)
- Re: Secure Password Policy? Mike Dieroff (Jan 19)
- RE: Secure Password Policy? Lyal Collins (Jan 21)
- RE: Secure Password Policy? Petr . Kazil (Jan 23)
- Re: Secure Password Policy? List Spam (Jan 22)
- Re: Secure Password Policy? Neil (Jan 22)
- List of "clickable" on-line pen-test tools Petr . Kazil (Jan 23)
- Re: List of "clickable" on-line pen-test tools Ivan . (Jan 24)
- Re: List of "clickable" on-line pen-test tools Alvin Oga (Jan 25)
- Re: List of "clickable" on-line pen-test tools thomas springer (Jan 25)
- Message not available
- Re: List of "clickable" on-line pen-test tools FocusHacks (Jan 30)
- RE: Secure Password Policy? Lyal Collins (Jan 21)
- Re: Secure Password Policy? Mike Dieroff (Jan 19)
- Re: List of "clickable" on-line pen-test tools thomas springer (Jan 24)