Re: Password Cracking
From: Lohkee (Lohkee@worldnet.att.net)
Date: 01/24/03
- Next message: Ernst-Udo Wallenborn: "Re: Password Cracking"
- Previous message: DaveK: "Re: Strong Passwords Revisited"
- In reply to: Fireglyph: "Re: Password Cracking"
- Next in thread: Fireglyph: "Re: Password Cracking"
- Reply: Fireglyph: "Re: Password Cracking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Lohkee" <Lohkee@worldnet.att.net> Date: Fri, 24 Jan 2003 17:44:39 GMT
"Fireglyph" <fireglyph@gmx.net> wrote in message
news:7c07a877.0301240745.623ca1ab@posting.google.com...
> "Lohkee" <Lohkee@worldnet.att.net> wrote in message
> news:<Wx5Y9.1226$rq4.108092@bgtnsc05-news.ops.worldnet.att.net>...
> > "Fireglyph" <fireglyph@gmx.net> wrote in message
> > news:3e309b54$0$3034$9b622d9e@news.freenet.de...
> >
> > > In other words, you're completely right that if *all* users are
> > > following the advice of security experts, hackers could adjust their
> > > password crackers to the entropy underlying the well-known password
> > > generation scheme and suddenly former weak passwords could become
> > > strong passwords - and strong passwords could become weak ones.
> >
> > This is precisely my point with regard to the typical rules for strong
> > passwords.
>
> I'm sorry, but now that I have thought about the problem again, I became
> aware of the fact that I was talking rubbish.
>
> We have to differentiate between *strength* and *risk*.
>
> By definition, strength depends only on one distribution, not - as I
> said - on two. That is, it depends on the entropy of the password scheme
> we have chosen. For a given password scheme, the entropy doesn't change
> and therefore strong passwords will always remain strong and weak
> passwords will always remain weak (with regard to all possible
> probability distributions).
>
> What could change though is the *risk*. Please, see my other posting which
> is a reply to Mark Gordon.
>
> Have a nice day,
>
> Fireglyph
This is not in reply to this particular message, rather thoughts about the
thread in general. I think we tend to get hung up on the password as being
somehow pivotal. We have a manual attack (typically insider) and an
automated attack (typically outsider). We also have numerous control
mechanisms at our disposal (outlined in my original paper, number of
attempts, etc, etc) that can be used to reduce risk. In the case of a manual
attack, perhaps we can agree that words found in a dictionary are "strong."
True, an attacker might try proper words first, but, depending on the
controls in place he might only have three attempts; might need to have
physical access to the workstation within a given time frame, etc, etc.
With an automated attack, he needs access to the password file. If the
attacker can get to this file then it seems our discussion is moot (and that
the system has far bigger problems than just weak passwords) with regard to
strong password rules in that all passwords can/perhaps will be cracked
within the typical lifespan of those passwords (about ninety days assuming
the password to be less than nine characters). If, for example, the system
allows passwords shorter than 9 chars it is then pointless to crack them to
enforce "stronger" passwords since all can be broken and are therefore
essentially "weak" by default - we only have to look at the minimum
password length to know we have a problem. I think my point here is forcing
users to remember difficult passwords serves no real purpose other than to
piss them off and burden the help desk unnecessarily. The real issue (in my
mind anyway) is the effective use of the many available control mechanisms
to mitigate risk in the event of either type of attack. Cracking passwords
does not do this.
Lohkee!
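The post's argument rests on a comparison that is easy to make concrete: an online guess is throttled by the lockout control (attempts per window), while an offline crack of a stolen password file is throttled only by the attacker's hashing throughput, so minimum length decides the offline case and the controls decide the online one. The following Python is an added example, not code from Lohkee, Fireglyph or the thread; the guess rate (1e9 per second), the lockout setting (3 attempts per 15-minute window) and the 90-day lifetime are constructed assumptions, and the character-set sizes are the usual 95 printable ASCII characters.

```python
"""Exposure estimate for a password policy under the two attack modes the
post contrasts: an online, attempt-limited guess against a live login, and
an offline crack of a stolen password file.  Added example with constructed
numbers; not the thread's own code."""

from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Count of distinct passwords of length min_len..max_len over the charset.

    An exhaustive attacker must cover every length the policy permits, so the
    space is the sum over lengths, not just charset_size ** max_len."""
    return sum(charset_size ** k for k in range(min_len, max_len + 1))


def days_to_exhaust_offline(space: int, guesses_per_second: float) -> float:
    """Offline attack: bounded only by the attacker's hashing throughput."""
    return space / guesses_per_second / SECONDS_PER_DAY


def days_to_exhaust_online(space: int, attempts_per_window: int,
                           window_seconds: float) -> float:
    """Online attack against a lockout control: at most attempts_per_window
    guesses per window_seconds, regardless of attacker hardware."""
    rate = attempts_per_window / window_seconds  # guesses per second
    return space / rate / SECONDS_PER_DAY


@dataclass(frozen=True)
class Policy:
    name: str
    charset_size: int
    min_len: int
    max_len: int


def exposure(policy: Policy, offline_rate: float, attempts_per_window: int,
             window_seconds: float, lifetime_days: float) -> dict:
    """Compare worst-case exhaustion time with the password lifetime under
    both attack modes.  'Broken within lifetime' means every password the
    policy allows can be enumerated before it expires."""
    space = keyspace(policy.charset_size, policy.max_len, policy.min_len)
    offline = days_to_exhaust_offline(space, offline_rate)
    online = days_to_exhaust_online(space, attempts_per_window, window_seconds)
    return {
        "policy": policy.name,
        "keyspace": space,
        "offline_days": offline,
        "online_days": online,
        "broken_within_lifetime_offline": offline <= lifetime_days,
        "broken_within_lifetime_online": online <= lifetime_days,
    }


# Constructed assumptions: 1e9 guesses/s offline, 3 attempts per 15 minutes
# online, 90-day password lifetime.
OFFLINE_RATE = 1e9
LOCKOUT_ATTEMPTS = 3
LOCKOUT_WINDOW = 15 * 60
LIFETIME_DAYS = 90

POLICIES = [
    Policy("up to 8 printable ASCII", 95, 1, 8),
    Policy("12 printable ASCII", 95, 12, 12),
]


def report() -> list:
    return [exposure(p, OFFLINE_RATE, LOCKOUT_ATTEMPTS, LOCKOUT_WINDOW,
                     LIFETIME_DAYS) for p in POLICIES]


if __name__ == "__main__":
    for row in report():
        print(f"{row['policy']:>24}: keyspace {row['keyspace']:.2e}, "
              f"offline {row['offline_days']:.1f} d "
              f"(broken in lifetime: {row['broken_within_lifetime_offline']}), "
              f"online {row['online_days']:.2e} d "
              f"(broken in lifetime: {row['broken_within_lifetime_online']})")
```

Under these assumptions the 8-character policy is fully enumerable offline in well under the 90-day lifetime, matching the post's claim, while the same keyspace is out of reach online because the lockout caps the attacker at one guess per five minutes; only raising the minimum length moves the offline figure.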