Security Basics mailing list archives
RE: ADS Password Storage Protection
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 21 Jul 2006 08:22:42 -0400
--See below.

-----Original Message-----
From: Harold Winshel [mailto:winshel () camden rutgers edu]
Sent: Friday, July 21, 2006 6:46 AM
To: Roger A. Grimes; Depp, Dennis M.; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

Roger,

Thanks for the great detailed answer.

Regarding the shorter complex passwords, my understanding is that the reason many organizations recommend a complex password but only up to 8 characters long is because many unix systems don't support a password longer than that.

--Some mainframes and older systems only support 6 and 7 character passwords.

And the organizations don't want to tell the users to use an 8-character password for their unix systems but to use 15 characters for their Windows systems. So they keep it simple and just have one short (8 character) password policy.

-True. It's a management decision. It's just that at 8 characters, it's really pretty easy to crack even with "complexity".

And if the password is only going to be 8 characters, it needs to be complex for dictionary attack and other similar reasons.

-Yes, that's many times the reasoning. But it is a little strange to weaken all other systems because of one poor system, don't you think?

For purposes of a password policy for windows users - if I understand your comments - we would suggest a 15-character minimum password, and it can be a passphrase, but we should try to make it something that wouldn't appear in some body of work that would be a candidate for digitizing for purposes of a password attack.

-A min. of 15 character passwords is my suggestion for admin and root passwords. Non-privileged users can be given something shorter. What size? That's up to mgmt and IT...but I personally believe 10 characters should be the minimum, just because it stops the casual attacker fairly well. It's up to you, if you want to use complexity, but a 10-character password is somewhat resistant to attack, especially if the attacker isn't sure whether or not complexity is required.

I'm not suggesting that it needs to be a phrase that never appeared in any book or newspaper or magazine or any periodical in the history of the world. But if I wanted to pick out two or three books that I would not want the passphrase to appear in, I would exclude a popular book of quotes (such as Bartlett's Book of Quotations).

--Many people already have such a password dictionary, including me.

Given that, would you think that changing just one or two characters of a passphrase would make it a strong passphrase? For instance:

Frankly, my dear, I don't give a damn.
Frankly, my d*ar, I don't give a damn.

For protection against a passphrase attack, I would hope that the second passphrase would make it a much stronger passphrase. A passphrase that is a real phrase would make it easier for users to remember their password, but if it could be made much stronger by changing only one character it would be less of a burden on the users to remember.

I appreciate your thoughts.

--Yes, by all means include complexity if you want. It does complicate cracking considerably. My argument is that franklyidontgiveadamn is just as uncrackable in practical terms as a complex password, until we start seeing true passphrase crackers. What frustrates me though are all the systems that will accept Password2 as complex, but not youllneverguessmypasswordinathousandyearsormore.
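The exchange above makes two policy points that are easy to test in code: a "3 of 4 character classes" rule accepts Password2 but rejects a long lowercase passphrase, and a passphrase that is one character away from a famous quote is still caught by a normalized near-match against a quotes list. The following Python is an added example written for this archive page, not code from either participant; the KNOWN_QUOTES list is a constructed stand-in for a real quotations dictionary, and the 10/15-character thresholds and the two-edit tolerance are assumptions taken from the figures discussed in the thread.

```python
import math
import re

# Constructed stand-in for a "book of quotations" password dictionary; a
# real deployment would load a full phrase list from disk.
KNOWN_QUOTES = [
    "Frankly, my dear, I don't give a damn.",
    "To be, or not to be, that is the question.",
    "The only thing we have to fear is fear itself.",
]


def normalize(text: str) -> str:
    """Lowercase and drop everything except letters and digits, so spacing,
    case and punctuation changes cannot hide a known phrase."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def char_classes(pw: str) -> int:
    """Count character classes present: lower, upper, digit, other."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def keyspace_bits(pw: str) -> float:
    """Crude brute-force upper bound, log2(alphabet ** length), with the
    alphabet inferred from the classes used. A lowercase passphrase of
    dictionary words is weaker than this bound once an attacker guesses
    word sequences instead of characters (the 'true passphrase crackers'
    caveat in the thread), so treat it as a ceiling, not a measurement."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def naive_complexity_ok(pw: str) -> bool:
    """The common '8+ characters and 3 of 4 classes' rule: it accepts a short
    password such as Password2 and rejects a long all-lowercase passphrase."""
    return len(pw) >= 8 and char_classes(pw) >= 3


def near_known_quote(pw: str, max_edits: int = 2) -> bool:
    """True if the candidate is within max_edits of a listed quote after
    normalization, so 'd*ar' standing in for 'dear' is still caught."""
    n = normalize(pw)
    return any(levenshtein(n, normalize(q)) <= max_edits for q in KNOWN_QUOTES)


def length_aware_ok(pw: str, min_len: int = 10, passphrase_len: int = 15) -> bool:
    """Policy reflecting the thread: reject anything near a known quote, then
    accept 15+ characters of any kind, or 10+ characters with 3 classes."""
    if near_known_quote(pw):
        return False
    if len(pw) >= passphrase_len:
        return True
    return len(pw) >= min_len and char_classes(pw) >= 3


if __name__ == "__main__":
    for cand in ["Password2",
                 "youllneverguessmypasswordinathousandyearsormore",
                 "Frankly, my d*ar, I don't give a damn.",
                 "franklyidontgiveadamn"]:
        print(f"{cand!r}: naive={naive_complexity_ok(cand)} "
              f"length_aware={length_aware_ok(cand)} "
              f"bits<={keyspace_bits(cand):.0f}")
```

Run as a script it prints one line per candidate; the naive rule passes Password2 and fails the 47-character passphrase, while the length-aware rule does the reverse, and the one-character variant of the Gone With the Wind line is rejected because it normalizes to within one edit of the listed quote. The quote check runs full edit distance against every entry, which is fine for a few thousand phrases at password-change time but would want indexing for a very large list.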