RE: [fw-wiz] Stanford break in

From: Melson, Paul (
Date: 04/23/04

  • Next message: Victor Williams: "RE: [fw-wiz] Stanford break in"
    To: "Carric Dooley" <>
    Date: Fri, 23 Apr 2004 09:46:45 -0400

    In most high-security environments password policies are quickly
    becoming outmoded because processing and storage capacity have become
    cheap and exponentially greater over a very short period of time. There
    are a set of formulas that you can use to calculate the probability of
    success of password guessing attacks. These are published in the
    Department of Defense Password Management Guideline (CSC-STD-002-85),
    among other places.

    The problem is that precomputational guessing attacks like RainbowCrack
    for NTLM and AsLeap for Cisco LEAP have cut the amount of actual time
    necessary to calculate a password from its ciphertext to a minute
    fraction of what previous dictionary or brute-force attacks required.
    And though you can use an unseemly password policy to make these attacks
    difficult now, storage and processing capacity will continue to become
    greater and cheaper. However, I don't expect that we'll start adding
    more characters to our keyboards at a rate that can keep up.


    > -----Original Message-----
    > Decide on password guidelines like alpha-numeric, mixed case, and one
    > special character, and leave it to a dll like passfilt.dll or
    > something similar. Yellow stickies just comes down to end-user
    > education, and a good password policy. If the requirements are: "14
    > random alpha-numeric chars, with 5 special chars and mixed case.. OH,
    > and change it weekly" you will most likely have a sticky note
    > problem.. if it's: "7 chars, alpha-numeric, one special char and mixed
    > case changing every 42 days

    firewall-wizards mailing list
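As an added worked example (not part of this mail or the list archive), the guess-probability model the mail refers to, P = L × R / S from CSC-STD-002-85, applied to the two policies quoted in the thread. The 94-character alphabet, the assumed guess rate of one million per second, the 1e-6 target, and all function names are assumptions made for this example.

```python
# Added example: the password-space model of DoD CSC-STD-002-85, where
#   S = A^M   (alphabet size A, length M)
#   P = L*R/S (lifetime L in seconds, attacker guess rate R per second)
# Alphabet sizes are constructed for this example: 26 lowercase, 26 uppercase,
# 10 digits and 32 printable ASCII punctuation characters.
ALPHABET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def alphabet_size(*classes: str) -> int:
    """Size A of the alphabet a policy allows (all four classes give 94)."""
    return sum(ALPHABET_SIZES[c] for c in classes)


def password_space(length: int, alphabet: int) -> int:
    """S = A^M: the number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def guess_probability(lifetime_s: int, rate_per_s: int, space: int) -> float:
    """P = L*R/S: chance of guessing the password within its lifetime, capped at 1."""
    return min(1.0, lifetime_s * rate_per_s / space)


def required_length(lifetime_s: int, rate_per_s: int, alphabet: int, max_p: float) -> int:
    """Smallest length M for which P <= max_p under the same model."""
    length = 1
    while guess_probability(lifetime_s, rate_per_s, password_space(length, alphabet)) > max_p:
        length += 1
    return length


def compare_policies(rate_per_s: int = 1_000_000) -> dict:
    """The two policies quoted in the thread at an assumed (constructed) guess rate.
    Precomputation attacks move the cost of the guesses off the clock, which is
    the mail's point: a fixed R over a fixed L no longer describes the attacker."""
    day = 86_400
    a = alphabet_size("lower", "upper", "digit", "special")  # 94
    return {
        "7 chars / 42 days": guess_probability(42 * day, rate_per_s, password_space(7, a)),
        "14 chars / 7 days": guess_probability(7 * day, rate_per_s, password_space(14, a)),
    }


if __name__ == "__main__":
    for policy, p in compare_policies().items():
        print(f"{policy}: P = {p:.3g}")
    print("length needed for P <= 1e-6:", required_length(42 * 86_400, 1_000_000, 94, 1e-6))
```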