Re: Suggested "safe" password length

From: Patrick M Darienzo Jr (pdarienzo_at_keyspanenergy.com)
Date: 11/14/03

    Date: Fri, 14 Nov 2003 14:59:07 -0500
    To: mike@genxweb.net, ashishs@iitg.ernet.in, security-basics@securityfocus.com
    
    

    I recently had a similar question about optimal password length from one
    of our relatively non-technical clients, who was told that it was better
    to use a 7 character password over one of eight. Here was our "plain
    English" response:

        For starters, a strong six character password is definitely better
    than a weak one of eight or nine.
        Next, everyone understands that a password with a length of, say, 2
    is easier to break than one of 7. If I told you that there was a high
    likelihood that it consisted of only special characters, it would take
    even less time to crack.
        Since an NT password is padded out to 14 characters and then broken
    into two 7-byte separate passwords, a 9-character password essentially
    becomes a 7-length password and a 2-length password.
        As password length increases, people tend to add the special
    characters at the end of the word (as in "ImaL3X!@2"). The result is
    that there is an increased likelihood that the final two characters
    ("@2" in this example) are special characters. If this was the extent of
    the password, it would be completely ineffectual. The extra two
    characters, in this case, are essentially irrelevant to the strength of
    the password. For all intents and purposes, it is as effective as a
    7-character password.
        The misconception is that decrypting the final two characters will
    aid a cracker in determining the first seven. Because of the hashing
    algorithm used to store NT passwords, there is no technical advantage to
    be gained from knowing the final two characters. The only way this might
    happen is if the cracker has set up a dictionary attack that looks for a
    recognized pattern. For example, if the 8-9 positions are "HI", the
    cracker might leap to try "ABCDEFG" as the first 7, or if mine was "ZO",
    he might try "PDARIEN" as a guess.
        Also, most password cracking tools are familiar with the common
    tricks of reversing words, letter substitution (using a "5" for an "S"
    or a "0" for an "O"), and keyboard sequencing ("qwertyuio"), so they do
    not make it any more difficult for a determined cracker.
        No one denies that the eighth character may be easily decrypted.
    However, a password with a length of 8 will be at least as hard to crack
    as one of 7 (again, provided the eighth character doesn't covertly
    convey any indication of a pattern).
        And likewise, a strong 8 character password is still better than a
    strong one of 7.
        And finally, the hashing algorithm, the password storage procedure
    and the manner in which Windows handles upper and lower case have all
    been improved in Windows 2000.
        For generally secure passwords, our recommendations were that the
    clients use the full eight characters, embedding non-alphabetics, using
    both upper and lower case (which I believe was ignored in the old NT
    hashing), and avoid having any part of the password be a word found in
    a dictionary.
        Bottom line: Any password, no matter the length, is only as strong
    as the logic used in constructing it.

    Pat Darienzo, CISSP
    Keyspan
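The splitting behaviour the post describes (upper-case, pad to 14 bytes, break into two independent 7-byte DES keys) is what makes the eighth and ninth characters of an LM-hashed password worth so little. The following is an added example, not code from the post or from any Windows component: it reproduces only the LM preprocessing step (no DES, no hashing) and estimates how many guesses each half would cost. The 69-symbol alphabet and the sum-of-halves work model are assumptions of this example.

```python
from math import log2

LM_HALF = 7   # each DES key of the LM hash comes from 7 bytes of the password
LM_MAX = 14   # LM upper-cases, then truncates or NUL-pads the password to 14 bytes

# ASSUMPTION: guessing alphabet for one half. LM upper-cases the password, so
# lower case adds nothing: 26 letters + 10 digits + 33 printable symbols.
LM_ALPHABET = 26 + 10 + 33


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Mimic LM preprocessing: upper-case, truncate/pad to 14 bytes, split 7/7."""
    raw = password.upper().encode("latin-1", errors="replace")[:LM_MAX]
    raw = raw.ljust(LM_MAX, b"\x00")
    return raw[:LM_HALF], raw[LM_HALF:]


def effective_length(half: bytes) -> int:
    """Characters an attacker must actually guess in a half; NUL padding is free."""
    return len(half.rstrip(b"\x00"))


def lm_work(password: str, alphabet: int = LM_ALPHABET) -> dict:
    """Upper bound on brute-force guesses for each half and for the whole hash.

    The two halves are independent DES encryptions of the same known constant,
    so an attacker searches them separately: total work is the SUM of the two
    keyspaces, not their product. That is why "ImaL3X!@2" behaves like a
    7-character password plus a trivially small 2-character one.
    """
    first, second = lm_halves(password)
    n1, n2 = effective_length(first), effective_length(second)
    work1 = alphabet ** n1 if n1 else 0   # an all-NUL half hashes to a constant
    work2 = alphabet ** n2 if n2 else 0
    total = work1 + work2
    return {
        "halves": (first, second),
        "effective_lengths": (n1, n2),
        "guesses": (work1, work2),
        "total_guesses": total,
        "bits": round(log2(total), 1) if total else 0.0,
    }


def compare(a: str, b: str) -> str:
    """Return which of two passwords costs more to brute-force under the LM model."""
    wa, wb = lm_work(a)["total_guesses"], lm_work(b)["total_guesses"]
    if wa == wb:
        return "equal"
    return a if wa > wb else b


if __name__ == "__main__":
    # Constructed sample passwords, including the post's own "ImaL3X!@2".
    for pw in ["ImaL3X!@2", "ImaL3X!", "ImaL3X!@", "Tr0ub4dor&3xtra!"]:
        r = lm_work(pw)
        print(f"{pw!r:20} halves={r['halves']} lengths={r['effective_lengths']} "
              f"guesses={r['guesses']} ~2^{r['bits']}")
```

Running the block shows that the second half of "ImaL3X!@2" is `b"@2\x00\x00\x00\x00\x00"`, worth only 69^2 guesses against 69^7 for the first half, and that a 14-character password is the first point at which both halves carry full cost. NT (NTLM) hashes do not split the password this way, which is the improvement the post alludes to.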


