RE: [fw-wiz] strong passwords (was Radius/MS ISA stuff)

From: Daniel Djundjek (danield@comcity.com.au)
Date: 07/08/02 

From: "Daniel Djundjek" <danield@comcity.com.au>
To: "Bill Royds" <broyds@rogers.com>, "Ben Nagy" <ben@iagu.net>, "Paul Robertson" <proberts@patriot.net>
Date: Mon Jul  8 19:37:01 2002

Gentlemen,

I like your thinking on the crypto attack side of things relating to
passwords, but I have a lightly different issue. How do you recommend to
a IT manager, that they need to have a min. of 8 characters. I found the
below article, but are you aware of any other articles or docs where
companies are 'forced' by legislation or self regulated bodies to
enforce such password control. When discussing entropy, MD5#, or
different types of password attacks to a non-technical person it's
difficult to convince them to go much further past 6 characters.

http://www.securityfocus.com/infocus/1319

Think of it this way. Most PIN Numbers for banks to take money out of an
electronic teller is 4 Digit's, and I can't remember the last time I was
forced to change this PIN code...

Regards
Daniel Djundjek
Senior Consultant

 
 

-----Original Message-----
From: Bill Royds [mailto:broyds@rogers.com]
Sent: Tuesday, 9 July 2002 2:36 AM
To: Ben Nagy; 'Paul Robertson'
Cc: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] strong passwords (was Radius/MS ISA stuff)

  One statement you made was incorrect :
        For a completely random hex password it's a pure 4 bits of
entropy per
        byte.[1]
A byte is 2 hex digits (nibbles) so a purely random hex password has 8
bits of entropy. This improves passwords a little.
  If we only allow the printable ASCII characters we have 2^7 -2^5 -1
characters (all -control - DEL) which has 6.57 bits of entropy. If we
use an 8 character password (typical Unix), then there are (2 ^
(6.57*8))=( 2^52.56) or 6.64E15 possible 8 character ASCII passwords.
This can be readily cracked on a purpose designed parallel machine (<
bits than DES) but not a home computer assuming MD5 is not harder than
DES.A 20 TB store can hold them all. Not home computer but easy
commercial size. Passwords are not a security fence, just a delaying
tactic.
 But the size of a large English dictionary is about 300K words or
about 18.2 bits of entropy (assuming that they are independent, which is
not true), much smaller than 52.56 and easily cracked on a home
computer. Even 2 words with a 3 digits and a separator will give no more
than 40 bits. So the rule is: "if you can remember the password, it is
easily cracked", Since this is a dictionary attack, it really doesn't
matter about the hashing method since on can readily computer 2^40 word
combinations and store the hashes and passwords in a 3GB database, even
for MD5.

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com]On Behalf Of Ben Nagy
Sent: Mon July 08 2002 01:16
To: 'Paul Robertson'
Cc: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] strong passwords (was Radius/MS ISA stuff)

> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Paul Robertson
[...]
[This is Paul]
> > > IMO, strong passwords are dead- dictionaries are too good
> > > now,[...]
> >
[This is me]
> > I can't buy that without being shown more numbers[...]
[Paul]
> I don't have great numbers[...]
[Me]
> > I'm not good at this sort of stuff

This is sounding fantastic, isn't it? Firewall Wizards - where the gurus
hang out. ;)

> > but for the space
> > required for the
> > md5sums of typeable passwords at 12 characters I get 5.94e24 bytes,
>
> I'm assuming that's 116 printable characters?

No, I just looked at my laptop keyboard and went "1,2,3, um...4....", so
it's only 94.
 
> > For time,with the 4.1e6 ops/second figure
> > you quoted elsewhere for md5, I took a million processors
> and [probably had my hand down my pants]

[lots of performance stuff snipped]

> In '94 the estimates for finding a collison in MD5 were 24
> days for a $10M
> custom-built machine.

I think that finding any MD5 collision is not a useful work comparison
to guessing a specific password. Also, we already know that the
collision thing (birthday attack) is the area of MD5 operation that
crypto geeks are most worried about.

[...]
> Until then, I'd appreciate any other insights people have.

Let's look at it upside down (I should have approached it this way from
the start).

For a completely random hex password it's a pure 4 bits of entropy per
byte.[1]

Completely random typeables comes out at 6.55 something bits for my 94
character keyboard.

Let's say that order 2^64 is still "safe" for work attacks (that's an
arbitrary figure I Just Made Up. I get to do that because it's my
email.).

So, we need 16 random hex characters, or 10 random typeables.

The trouble is that memorable or, worse, dictionary passwords have
waaaaaaay less entropy than that. I've heard english language quoted as
~1.3b/b (so we need about 50 characters in our passphrase). Even
passwords that people _think_ are random "because they just made them up
at random" I'd guess would be under 4b/b.

So, basically, Paul was pretty much right at the start in saying that
strong passwords are "dead", because I'm prepared to bet heavily that
very few people select truly random passwords of that length in
practice. (Although I do routinely use md5sums of random things for VPN
shared secrets).

> Paul

Whee.

I should be less flippant, but, oh well.

[1] For those to whom this is confusing, I'll explain. There are 16 hex
characters, right? And, like, 16 is 2^4, right? So, for this one
character there are 16 possibilities, 2^4, ie "4 bits worth of entropy".
You're allowed to just add these numbers up as you add more characters,
because of mathy exponential goodness. There you go - now you can write
"information theory" on your resume.[2]

[2] I have no point here, I just like footnotes. 

--
Ben Nagy
Delirious Sick Fool
Mb: TBA  PGP Key ID: 0x1A86E304 
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Relevant Pages

  • RE: [fw-wiz] strong passwords (was Radius/MS ISA stuff)
    ... When they see that you can find passwords so easily, they will start demanding better passwords. ... difficult to convince them to go much further past 6 characters. ... entropy per ... bits than DES) but not a home computer assuming MD5 is not harder than ...
    (Firewall-Wizards)
  • Re: Safe password?
    ... >> but as was pointed out by others, what kind of characters? ... >> that gives you the theoretical ability to put 512-bits of entropy into the ... >> yes I do have passwords that I memorized in octal, ... >There are plenty of European languages which provide quite a few more ...
    (sci.crypt)
  • Re: US Military bans HTML in emails
    ... Complex passwords are not that much harder to ... Consider a password with a choice of X different characters for each ... takes using all upper- and lowercase letters, ... I can see only two advantages of complex passwords: ...
    (comp.os.vms)
  • RE: Basic question
    ... If somebody else hasn't covered it already, I'll try to send out a Kerberos ... > Unicode character set and can be up to 128 characters long, ... > Pre-W2K user interfaces limits do not allow passwords to ... I believe that you are referring to *LM* hashes. ...
    (Focus-Microsoft)
  • RE: Password statistics and standards
    ... If you shut off the storage of LM hashes, over 9 Characters will buy you ... Take a look at Perfect Passwords for some creative ideas: ... information about accounts which is helpful in telling me ... Norwich University ...
    (Security-Basics)