Security Basics mailing list archives

Re: Minimum password requirements


From: "Gethin Jones" <gethinj () gethin net>
Date: Mon, 26 Jul 2004 19:48:15 +0100

Dear All,

I thought Social Engineering might be worth mentioning here.
Even if you feel it isn't necessary to enforce strong passwords, it is
always worth doing as the end-users themselves feel safer.
They might grumble about password aging or password complexity but they will
feel safer knowing that their sessions are secure.

It will also deter ex-employees from trying to attack their old workplace as
they will 'know' that the passwords are secure.
They will also realise that their passwords will have been deleted as the
internal IT department is competent.

Always worth thinking about

Gethin Jones


----- Original Message ----- 
From: <sceee1991 () yahoo com>
To: <security-basics () securityfocus com>
Sent: Saturday, July 24, 2004 3:23 AM
Subject: RE: Minimum password requirements


All your comments may be true, but I still think that mandatory
password changing is necessary and in some environments I think 30 or 45
days maximum is reasonable.  Although this example is extreme, it is
realistic.  Let's assume a dictionary attack rather than a brute force
attack, and let's say that you only use the top 100 passwords that meet
complex password requirements.  If you also know the username requirements
of the company you are hacking (i.e. first letter of first name followed
by the last name) you could launch an attack against this company with
user names you found through social engineering and use one password a
day against each of these known accounts.  Before this list of passwords
is exhausted the chances are you will have broken into an account.
Extreme?  Yes.  Unlikely?  I am not sure.

A second example is a situation where you are able to obtain the
password file.  At this point you aren't limited with how strong your attack
is.  You could put every machine you have access to on the project,
each conducting a different segment of the attack against the file, some
brute forcing, some dictionary, and each using different criteria.  It
is very likely that you will crack that password within 90 days.

In either of these instances you might never know that the password has
been cracked and the 90 day max will at least change the compromised
password and may prevent its cracking (although it may not).

True enough, requiring mandatory password changes will cause weak or
easy to find passwords, but unfortunately these already exist.  I think
the best answer is to educate the user how to develop a very strong
password strategy that is easy to remember as well as the need for strong
passwords.  Will this remedy the whole situation?  Probably not, but it
will help it.

Now let's think about this from a more accurate perspective.
Assuming an attacker randomly tries passwords (the chances of
him brute-forcing *every single possible password* in linear
order are minimal; assuming 8 character passwords guessed at
1 per second, we're talking years here), changing the
password does not significantly help your chances. The
benefit here is by whether he can guess with replacement or
without (as in, should he guess another random password, or a
random password that he hasn't already guessed--can he narrow
his guessing set?). So 8 character alphanumeric, caps and
lower, gives us 218340105584896 possible passwords. At one
per second, over a 30 day period, going non-stop (and if your
logs don't catch *this*, you should think twice), he guesses
2592000 passwords. So if he's allowed to assume no guessing
the same password twice--i.e. that you don't cycle your
passwords regularly--he can better his odds from
1/218340105584896 to 1/218340102992896. Not a significant
change. In fact, so insignificant that if *I* were the
attacker, I wouldn't bother keeping track of passwords I'd
guessed. So does this make you safer against brute forcing?
Perhaps a very small amount.


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
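The guessing arithmetic in the quoted message, worked through as an added example (this is not code from anyone in the thread). It assumes an online attacker guessing uniformly at random at a fixed rate, and treats a rotated password as a fresh uniform one, so rotation is modelled as forcing the attacker back to guessing with replacement, which is the most it can take away.

```python
"""Constructed worked example: does password rotation change the odds of an
online guessing attack? Assumptions (not stated in the thread): guesses are
uniform over the keyspace at a fixed rate, and a rotation replaces the
password with a fresh random one, discarding the attacker's knowledge of
which candidates were already tried."""
from fractions import Fraction
import math

ALPHABET_SIZE = 62          # a-z, A-Z, 0-9, as in the post
PASSWORD_LENGTH = 8
SECONDS_PER_DAY = 86400


def keyspace(alphabet_size=ALPHABET_SIZE, length=PASSWORD_LENGTH):
    """Number of distinct passwords: 62**8 = 218340105584896."""
    return alphabet_size ** length


def guesses(rate_per_second, days):
    """Guesses made going non-stop for `days` at `rate_per_second`."""
    return rate_per_second * days * SECONDS_PER_DAY


def odds_of_next_guess(space, already_tried):
    """Exact chance the next guess is right after `already_tried` distinct
    candidates were eliminated (0 means guessing with replacement)."""
    return Fraction(1, space - already_tried)


def p_success(space, n, with_replacement):
    """Probability that at least one of n guesses is right."""
    if with_replacement:
        # 1 - (1 - 1/N)**n, via log1p/expm1 to avoid float cancellation
        return -math.expm1(n * math.log1p(-1.0 / space))
    return min(n / space, 1.0)      # each guess removes one candidate


def rotation_benefit(rate_per_second, days, space=keyspace()):
    """Compare never rotating (attacker never repeats a guess) with rotating
    so often that every guess is effectively with replacement."""
    n = guesses(rate_per_second, days)
    p_no_rotation = p_success(space, n, with_replacement=False)
    p_rotation = p_success(space, n, with_replacement=True)
    return {
        "guesses": n,
        "no_rotation": p_no_rotation,
        "rotation": p_rotation,
        "relative_reduction": (p_no_rotation - p_rotation) / p_no_rotation,
    }
```

At one guess per second over 90 days the relative reduction is on the order of 1e-8, which is the post's point in numbers; the useful defence against this attacker is the lockout or the log alert that notices 7.7 million failed logins, not the rotation interval.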
----------------------------------------------------------------------------


