Penetration Testing mailing list archives
Re: FW: Secure Password Policy?
From: kindageeky () gmail com
Date: 21 Jan 2006 08:59:47 -0000
NIST has published guidelines on password strength that the OMB and Homeland Security have apparently pledged support for under FISMA, at least this was what the government guys at the OWASP conference said. In any case check out Appendix A of the document at http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf .... I strongly encourage you to check out this part of the paper as the assertions made about what makes a password "strong enough" are pretty enlightening.

It all comes down to entropy to protect against a guessing or brute force attack, and length to protect against a dictionary attack. But entropy / randomness drops dramatically when a user CHOOSES their password (making guessing exponentially easier).

My suggestion would be to look at the 4 levels of security outlined in the document and equate those to the needs of your environment. Note that levels 3 and 4 both require multi-factor authentication (i.e. passwords are dead for highly sensitive resource protection). If you think an asset that an account has privileges to is somewhat worth protecting and that passwords are still viable, an (average) entropy of 20-30 bits (with an appropriate lock-out policy, say one minute after 3 wrong attempts) is probably sufficient in terms of guessing attacks. This translates to passwords with a length between 5-8 characters (that also pass a 50,000 word dictionary test and contain capitals, special characters, and numbers). The NIST document has a nice table outlining entropy levels for passwords of various lengths and with various assumptions about password policy; this is not 100% accurate data as the document explains, but is NIST's best estimate on AVERAGE entropy for passwords.

If you are protecting a privileged set of resources / account, you might want to require up to 40 bits of (average) entropy.
In practice, 40 bits translates to an 18-20 character pass phrase, assuming the use of at least one capital letter + one or more numbers + one or more special characters (dictionary tests lose their value at this length per the NIST guidelines). Again, entropy is helping defeat guessing attacks and brute force, but length is your best defense against dictionary attacks ... thus for what I'd consider level 2 security, I'd require 20 characters instead of 18. This should be sufficient to avoid any rainbow table attack in the foreseeable future (or at least within a reasonable lifetime for the password).

Note there are rainbow tables in existence that pre-hash anything in the 94-character range (everything you can hit on the keyboard, including space) up to 12 character passwords ... if you're worried about this attack, you probably want to require 14 characters for Level 1 IMHO.

Hope this helps.