Re: ADS Password Storage Protection



Ansgar -59cobalt- Wiechers wrote:
> On 2006-07-20 Roger A. Grimes wrote:
>> Here is my statement: That password length is a better defender of
>> passwords than complexity, character for character, and that length
>> should at least be given equal treatment when creating strong
>> passwords.
>
> I agree with the latter of your statement, but the former is plain
> wrong. Length and complexity are equivalent, i.e. you can increase
> either length or complexity (or both of course) to make a stronger
> password. That's pretty obvious if you think about e.g. base64-encoding
> a password: the encoding increases the length and decreases the
> complexity, but doesn't affect the strength at all. It's due to the
> physical limitations of keyboards that it's usually easier to increase
> the length than the complexity.

I think his assertion works out mathematically. The possible combinations of 6 character passwords using only lowercase letters of the alphabet are

26^6 = 308915776

The possible combinations of 16 character passwords using only lowercase letters are:

26^16 = 43608742899428874059776

The possible combinations of 6 character passwords using a-zA-Z0-9 and your favorite 32 punctuation:

95^6 = 735091890625

You can see, in n^k, increasing k means increasing the outcome much faster than increasing n. Increasing the possible combinations means increasing the time to discover the password through pure brute force methods.

Once humans are introduced, it becomes more complicated than this.
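The figures in this thread can be reproduced and compared on one scale with the sketch below. It is an added example, not part of the original post: it computes n^k for the three cases quoted, finds how many lowercase characters match a 6-character password over 95 symbols, and checks the base64 remark by enumerating a small constructed password space (alphabet "abc", length 3). All function names are assumptions made for this illustration.

```python
import base64
import itertools
import math

def keyspace(n, k):
    """Number of candidate passwords: alphabet size n, length k (n^k)."""
    return n ** k

def bits(n, k):
    """The same quantity on a log scale: k * log2(n)."""
    return k * math.log2(n)

def min_length_to_match(n_from, k_from, n_to):
    """Smallest length over an n_to-symbol alphabet whose keyspace is at
    least n_from^k_from. Integer arithmetic, so no rounding error."""
    target, total, length = keyspace(n_from, k_from), 1, 0
    while total < target:
        total *= n_to
        length += 1
    return length

def base64_image(alphabet, k):
    """Base64-encode every length-k password over `alphabet`; return
    (number of distinct encoded passwords, set of encoded lengths)."""
    outs = {base64.b64encode("".join(p).encode()).decode()
            for p in itertools.product(alphabet, repeat=k)}
    return len(outs), {len(o) for o in outs}

if __name__ == "__main__":
    for n, k in [(26, 6), (26, 16), (95, 6)]:  # the three cases in the post
        print(f"{n}^{k} = {keyspace(n, k)}  (~{bits(n, k):.1f} bits)")
    # Trading alphabet size for length in both directions.
    print("lowercase length matching 95^6:", min_length_to_match(95, 6, 26))
    print("95-symbol length matching 26^16:", min_length_to_match(26, 16, 95))
    # Constructed sample space: encoding lengthens each password (3 -> 4)
    # but the number of candidates an attacker must try stays 3^3 = 27.
    print("base64 of 'abc'^3:", base64_image("abc", 3))
```

Widening the alphabet from 26 to 95 symbols at length 6 buys the same search space as about three extra lowercase characters, and the base64 enumeration shows the candidate count is unchanged by re-encoding.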
