Security Basics mailing list archives

RE: ADS Password Storage Protection

From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 21 Jul 2006 08:22:42 -0400

--See below. 

-----Original Message-----
From: Harold Winshel [mailto:winshel () camden rutgers edu] 
Sent: Friday, July 21, 2006 6:46 AM
To: Roger A. Grimes; Depp, Dennis M.; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

Roger,

Thanks for the great detailed answer.

Regarding the shorter complex passwords, my understanding is that the
reason many organizations recommend a complex password but only up to 8
characters long is because many unix systems don't support a password
longer than that.  

--Some mainframes and older systems only support 6 and 7 character
passwords.

And the organizations don't want to tell the users to use an 8-character
password for their unix systems but to use 15 characters for their
Windows systems.  So they keep it simple and just one have short (8
character) password policy.

-True. It's a management decision. It's just that at 8 characters, it's
really pretty easy to crack even with "complexity".

And if the password is only going to be 8 characters, it needs to be
complex for dictionary attack and other similar reasons.

-Yes, that's many times the reasoning. But it is a little strange to
weaken all other systems because of one poor system, don't you think?

For purposes of a password policy for windows users - if I understand
your comments - we would suggest a 15-character minimum password, and it
can be a passphrase, but we should try to make it something that
wouldn't appear in some body of work that would be a candidate for
digitizing for purposes of a password attack.

-A min. of 15 character passwords is my suggestion for admin and root
passwords. Non-privileged users can be given something shorter. What
size? That's up to mgmt and IT...but I personally believe 10 characters
should be the minimum, just because it stops the casual attacker fairly
well.  It's up to you, if you want to use complexity, but a 10-character
password is somewhat resistant to attack, especially if the attacker
isn't sure whether or not complexity is required.

I'm not suggesting that it needs to be a phrase that never appeared in
any book or newspaper or magazine or any periodical in the history of
the world.  But if I wanted to pick out two or three books that I would
not want the passphrase to appear in, I would exclude a popular book of
quotes (such as Bartlet's Book of Quotations).

--Many people already have such a password dictionary, including me.

Given that, would you think that changing just one or two characters of
a passphrase would make it a strong passphrase.  For instance:

Frankly, my dear, I don't give a damn.

Frankly, my d*ar, I don't give a damn.

For protection against a passphrase attack, I would hope that the second
passphrase would make it a much stronger passphrase.

A passphrase that is a real phrase would make it easier for users to
remember their password, but if it could be made much stronger by
changing only one character it would be less of a burden on the users to
remember.

I appreciate your thoughts.

--Yes, by all means include complexity if you want. It does complicate
cracking considerably. My argument is that franklyidontgiveadamn is just
as uncrackable in practical terms as a complex password, until we start
seeing true passphrase crackers. What frustrates me though are all the
systems that will accept Password2 as complex, but not
youllneverguessmypasswordinathousandyearsormore.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

RE: ADS Password Storage Protection, (continued)
- - - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 18)
    - RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
    - Re: ADS Password Storage Protection Stephen John Smoogen (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 24)
    - RE: ADS Password Storage Protection Pranav Lal (Jul 24)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 24)
- RE: ADS Password Storage Protection eric . baechle (Jul 17)
  - RE: ADS Password Storage Protection Roger A. Grimes (Jul 17)
    - RE: ADS Password Storage Protection Baechle, Eric (Jul 17)
    - Re: ADS Password Storage Protection Gregory Rubin (Jul 18)
    - RE: ADS Password Storage Protection-$100 reward to crack my password hashes Roger A. Grimes (Jul 18)
    - RE: ADS Password Storage Protection-$100 reward to crack my password hashes Donald N Kenepp (Jul 19)
    - RE: ADS Password Storage Protection-4 Books for 4 Characters dave kleiman (Jul 19)

(Thread continues...)