Security Basics mailing list archives
RE: ADS Password Storage Protection
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Tue, 18 Jul 2006 14:16:57 -0400
Being "subject to" and being successful in cracking a 15 character password are two different things. One's theorectical, the other's real life. If no one I've challenged cracks the 15 character challenges, it means something...what exactly, I don't know...but it's probably enough to say that 15 character passwords without complexity are sufficient for most medium-security businesses. If they do get cracked, it means one of two things: 1. 15-character no complexity password isn't sufficient 2. Maybe a 15-character password is sufficient if the attacker didn't know that it contained no complexity, only contained alpha or alpha-numeric, and all the other hints I gave. In real life, using the same password would give even more security, because the attacker can't be guaranteed any of the hints I gave, which would greatly increase the possible keyspace. But I'm interested in testing the first premise, is a 15-character no complexity password sufficent enough for most businesses? This won't prove it either way, but the results will be something to consider. -----Original Message----- From: Gregory Rubin [mailto:grrubin () gmail com] Sent: Monday, July 17, 2006 5:43 PM To: Roger A. Grimes Cc: eric.baechle () dhs gov; security-basics () securityfocus com Subject: Re: ADS Password Storage Protection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 While I agree that length is far superior to complexity, I must disagree that 15 char is sufficient. (Pure theory to follow) Each additional letter in English provides approximately 1.1 bits of entropy. Even grossly overestimating this at 2 bits, the total entropy of a 15 char passphrase is only 30 bits or the equivelent of a complex password of length 3 to 4. Thus, the passphrase remains vulnerable to dictionary attacks. For secure systems, the user should type a sentance. That will easily provide around 20 or more characters. At that length, the entropy at the word level (as opposed to just the letter) starts to really come into play and the pass phrase becomes secure. For administrators, it doesn't even need to be much longer, but they could throw in a little complexity as they are likely to be more competant. For low security systems, the users are going to pick weak stuff no matter what, so is it worth the added inconvience? Greg P.S. Signed with a 40+ char pass-phrase. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) - WinPT 0.11.9 iD8DBQFEvAR15KDU23nQpRcRAo8NAKC6zl2Y0IhsInZmaH0wec6nGZuzQwCg5jWq UzR9jOPNsVbLXPjA2Lncaz4= =81Gb -----END PGP SIGNATURE----- ------------------------------------------------------------------------ --- This list is sponsored by: SensePost Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at: http://www.sensepost.com/training.html ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- RE: ADS Password Storage Protection, (continued)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 24)
- RE: ADS Password Storage Protection Pranav Lal (Jul 24)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 24)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 17)
- RE: ADS Password Storage Protection Baechle, Eric (Jul 17)
- Re: ADS Password Storage Protection Gregory Rubin (Jul 18)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Roger A. Grimes (Jul 18)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Donald N Kenepp (Jul 19)
- RE: ADS Password Storage Protection-4 Books for 4 Characters dave kleiman (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 18)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection dave kleiman (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Baechle, Eric (Jul 19)
- RE: Re: RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: Re: RE: ADS Password Storage Protection Michael Yelland (Jul 21)