Security Basics mailing list archives

Re: Minimum password requirements


From: Jonathan Loh <kj6loh () yahoo com>
Date: Sat, 24 Jul 2004 21:06:27 -0700 (PDT)

--- dmargoli () stwing org wrote:

> Now let's think about this from a more accurate perspective. Assuming an
> attacker randomly tries passwords (the chances of him brute-forcing
> *every single possible password* in linear order are minimal; assuming 8
> character passwords guessed at 1 per second, we're talking years here),
> changing the password does not significantly help your chances. The
> benefit here is by whether he can guess with replacement or without (as
> in, should he guess another random password, or a random password that
> he hasn't already guessed--can he narrow his guessing set?). So 8
> character alphanumeric, caps and lower, gives us 218340105584896
> possible passwords. At one per second, over a 30 day period, going
> non-stop (and if your logs don't catch *this*, you should think twice),
> he guesses 2592000 passwords. So if he's allowed to assume no guessing
> the same password twice--i.e. that you don't cycle your passwords
> regularly--he can better his odds from 1/218340105584896 to
> 1/218340102992896. Not a significant change. In fact, so insignificant
> that if *I* were the attacker, I wouldn't bother keeping track of
> passwords I'd guessed. So does this make you safer against brute
> forcing? Perhaps a very small amount.

Yes, I agree with your math, and the odds do not sound very good.  But I have
been a system administrator for a number of years, even going back to a time
when there were totally unencrypted passwords, and I remember seeing passwords
like 'succeed', and 'tihsllub' (try reading that backwards), and other English
dictionary words.  So the number of English words is significantly smaller than
your 218340105584896.  A quick look on the web and there are roughly 50 - 60k
words (for argument's sake we'll say it's about 100 to 150k).  Most end users are
not as technically minded to come up with a password of 'iYtsQek9' or some
nonsensical word like that.  Moreover, if they do come up with a password that
complicated they usually write it down and put it near their computer, which
would render the system very insecure, as you state later.

Now if we assume your scheme of 1 password/second and 100k words in the English
language, that means 86,400 guesses per day.  So by the end of the second day
most passwords would be cracked, given some substitutions too, i.e. 1 for i or l.
That's only given one dedicated computer.  With distributed processing that
will speed it up even more.  This is one reason why people put in timeouts
every 3 to 6 invalid login attempts.  I don't agree with locking anyone out.  It
may warrant a chat if it really looks as if someone is trying to break in to his
account.  I remember someone who regularly for a week tried to log in as root.
He never made it.  But we talked to him and he was using Linux for the first
time and was doing everything as root until he realized it was a bad idea.  So
he tried to rlogin to our box without the username argument and so it would
show up as an attempted root login, which it was, but it was an error on the
part of a novice sysadmin.

There are gives and takes.  Now many modern password programs do simple
checking against a dictionary.  But then there will be things like 'c0m3f156'
(comefish), and so on and so forth, that will escape simple password checks.  With
the fact that many web servers allow users' homes to house a website where the
URL is somehost/~user, it's a lot easier to find usernames now.

> Weak passwords are a serious problem, I agree.

Agreed, but this is such a simple step in helping to solve a monstrous issue
that I think it warrants our time and attention.
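An added illustration, not part of either message above: a small Python script that puts the figures both writers use (a 62-character alphabet at 8 characters, one guess per second, a dictionary of roughly 100k words) into functions, so a policy reviewer can compare the random-password space against a dictionary expanded by substitutions and reversal, and see what a pause after every few failed attempts does to an attacker's effective guess rate. The substitution table, the choice of 'succeed' as an average word, and the "60-second pause after 3 failures" policy are assumptions chosen for illustration, not figures from the thread.

```python
"""Password-policy arithmetic for the scenario in this thread (added example).

Figures taken from the messages: 62-character alphabet, 8-character
passwords, one guess per second, roughly 100k dictionary words.
Everything else (substitution table, pause policy) is an assumption.
"""
import math

SECONDS_PER_DAY = 86_400

# Assumed substitution table: each letter may be replaced by any of these
# characters, in the style of "1 for i or l" mentioned in the message.
LEET_SUBS = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of a fixed length over an alphabet (62**8 here)."""
    return alphabet_size ** length


def guesses_in(seconds: int, guesses_per_second: float) -> int:
    """Guesses possible in a window at a steady rate (30 days at 1/s -> 2,592,000)."""
    return int(seconds * guesses_per_second)


def remaining_candidates(space: int, guesses_made: int) -> int:
    """Candidates still untried if the attacker never repeats a guess."""
    return space - guesses_made


def success_probability(space: int, guesses: int, track_guesses: bool) -> float:
    """Chance of hitting the password within `guesses` attempts.

    Tracking (never repeating a guess) gives guesses/space.  Guessing blindly
    gives 1 - (1 - 1/space)**guesses; log1p/expm1 keep that accurate when
    1/space is far below float precision around 1.0.
    """
    if track_guesses:
        return min(1.0, guesses / space)
    return -math.expm1(guesses * math.log1p(-1.0 / space))


def variant_count(word: str, subs=LEET_SUBS, allow_reversal: bool = True) -> int:
    """Spellings one dictionary word expands to under substitutions (and reversal)."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(subs.get(ch, ""))
    return count * 2 if allow_reversal else count


def days_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Days needed to try every candidate at the given rate."""
    return candidates / guesses_per_second / SECONDS_PER_DAY


def throttled_rate(seconds_per_attempt: float, attempts_before_pause: int,
                   pause_seconds: float) -> float:
    """Effective guesses/second when the server pauses after every N failures."""
    cycle = attempts_before_pause * seconds_per_attempt + pause_seconds
    return attempts_before_pause / cycle


if __name__ == "__main__":
    space = keyspace(62, 8)
    g = guesses_in(30 * SECONDS_PER_DAY, 1)
    print(f"random 8-char space: {space:,}; guesses in 30 days: {g:,}")
    print(f"P(hit) tracking: {success_probability(space, g, True):.3e}, "
          f"blind: {success_probability(space, g, False):.3e}")
    print(f"'succeed' expands to {variant_count('succeed')} spellings")
    words = 100_000
    avg_variants = variant_count("succeed")  # assumed average expansion per word
    print(f"plain dictionary: {days_to_exhaust(words, 1):.1f} days at 1/s")
    print(f"with variants:    {days_to_exhaust(words * avg_variants, 1):.1f} days at 1/s")
    slow = throttled_rate(1, 3, 60)  # assumed policy: 60 s pause after 3 failures
    print(f"with variants + pause: {days_to_exhaust(words * avg_variants, slow):.0f} days")
```

The two probabilities for the 30-day window differ only in the tenth significant digit, which is the "not a significant change" point made in the quoted message; the dictionary numbers show why the reply's concern still stands, and the throttled rate shows how much a modest pause after a few failures stretches the plain-dictionary case without locking anyone out.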


                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail 

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


Current thread: