Re: Secure Password Policy?

["Stephen J. Smoogen" <smooge () gmail com>]

On 1/19/06, Sulaiman, Wilmar <wsulaiman () siddharta co id> wrote:
> Dear all,
>
> I noticed that "best practice" for Minimum password length policy is
> either 6 or 8 characters. I guess SANS institute considered a weak
> password if it is less than 8 characters.
>
> I would like to know where they derived the number (6 and 8 characters).
> Is there any documentation to backup it up why the best practice for
> minimum password length is set to 6?

It was explained to me a long time ago that the numbers came from how
long it takes to do a bruteforce attack against either a remote Unix
server using DES hash (or doing the bruteforce against the hash
without precompiled tables.) Each extra character increases the time
for cracking exponentially. You would then have a forced password
change time less than that would limit your risk . If the attacker has
the password (and the password has to have a special character some
amount of uppercase and lowercase) you can use the
charts here

http://www.mcgill.ca/ncs/products/security/understandpass/#time

              68 character space
            (8E+06 hashes/sec) (1E+00 hashes/sec)
letters      seconds           seconds
01           8.5E-06           6.8E+01 [  1.0 m.]
02           5.8E-04           4.6E+03 [ 77.0 m.]
03           3.9E-01           3.1E+05 [  3.6 d.]
04           2.7E+00           2.1E+07 [247.5 d.]
05           1.8E+02           1.4E+09 [ 46.1 y.]
06           1.2E+04           9.9E+10 [3.1E+03 y.]
07           8.4E+05           6.7E+12 [2.1E+05 y.]
08           5.7E+07           4.5E+14 [1.4E+07 y.]
09           3.9E+09           3.1E+16 [9.9E+08 y.]
10           2.6E+11           2.1E+18 [6.7E+10 y.]
11           1.8E+13           1.4E+20 [4.6E+12 y.]
12           1.2E+15           9.8E+21 [3.1E+14 y.]


for a nondistributed attack. A distributed attack would be a power of
2 less time. per appropriate number of machines in the distribution.

While it would seem that the time factor for a remote attack is
significantly large at 5 letter password.. one needs to take into
account to items.
Number of hosts that can do the attack [ power of 2 attack]
Number of hosts that the password can be tested against [power of 2 attack]

In a network with large number of hosts running some sort of service
that the password can be tested against you're time for finding a
match is smaller and you can evade very stupid IDS because you can go
slowly.

The brute force attack can be made much more efficient by building a
dictionary of common words, phrases, and adding various common
additions (number 1 at the end, or for l, etc) I do not have numbers
for how much more effective it is.. but I do know it can cut down a
search-time tremendously



--
Stephen J Smoogen.
CSIRT/Linux System Administrator

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------