Re: AD and enforced password policies

[Steven Bellovin <smb () cs columbia edu>]

On Jan 2, 2012, at 7:05 PM, Gary Buhrmaster wrote:

> On Mon, Jan 2, 2012 at 22:32, Jimmy Hess <mysidia () gmail com> wrote:
> ....
> > The sole root cause for "easily guessable passwords"  is  not  lack of
> > technical restrictions. It's also:  lazy or limited memory humans who need
> > passwords that they can remember.
> >
> > Firstname1234!    is very easy to guess, and meets complexity and usual
> > length requirements.
>
> Obligatory xkcd reference:  http://xkcd.com/936/
Thanks; you saved me the trouble.

There's a discussion of the topic going on right now on a cryptography mailing
list; check out http://lists.randombit.net/mailman/listinfo/cryptography if you want.
Also see my (mostly tongue in cheek) blog post at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-27.html
and the very serious followup at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-28.html

I should add that except for targeted attacks, strong passwords are greatly
overrated; neither phishing attacks nor keystroke loggers care how good your 
password is.

I just went through some calculations for a (government) site that has the
following rules:

      Minimum Length : 8
      Maximum Length : 12
      Maximum Repeated Characters : 2
      Minimum Alphabetic Characters Required : 1
      Minimum Numeric Characters Required : 1
      Starts with a Numeric Character
      No User Name
      No past passwords
      At least one character must be ~!@#$%^&*()-_+\verb!+={}[]\|;:/?.,<>"'`!

Under the plausible assumption that very many people will start with a string
of digits, continue with a string of lower-case letters to reach seven characters,
and then add a period, there are only ~5,000,000,000 choices.  That's not many at
all -- but the rules look just fine...



                --Steve Bellovin, https://www.cs.columbia.edu/~smb