Re: Strong Passwords & Password Cracking (Final Version?)
From: Eric Chamberlain (telogix@hotmail.com)
Date: 03/09/02
- Next message: Bernd Eckenfels: "Re: Strong Passwords & Password Cracking (Final Version?)"
- Previous message: Alun Jones: "Re: Windows Media Player executes WMF content in .MP3 files."
- In reply to: Lohkee: "Re: Strong Passwords & Password Cracking (Final Version?)"
- Next in thread: Bernd Eckenfels: "Re: Strong Passwords & Password Cracking (Final Version?)"
- Reply: Bernd Eckenfels: "Re: Strong Passwords & Password Cracking (Final Version?)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Eric Chamberlain" <telogix@hotmail.com> Date: Sat, 09 Mar 2002 22:38:48 GMT
"Lohkee" <lohkee@worldnet.att.net> wrote in message
news:eusi8.24117$106.2006042@bgtnsc05-news.ops.worldnet.att.net...
>
> "Eric Chamberlain" <telogix@hotmail.com> wrote in message
> news:7sfi8.1755$J%.787827938@newssvr21.news.prodigy.com...
> > I would have to disagree with a number of your assumptions.
> >
> > "Lohkee" <lohkee@worldnet.att.net> wrote in message
> > news:ISai8.22561$106.1846293@bgtnsc05-news.ops.worldnet.att.net...
> > > Strong Passwords & Password Cracking
> > > Copyright (C) 2002 by Lohkee
> > > All Rights Reserved
> > >
> > > The security community repeatedly tells us that a strong password will
> > > be much more difficult for an attacker to break than will a weak one,
> > > and because of this, we should encourage the use of strong passwords in
> > > order to protect our systems from those who would attempt to gain
> > > unauthorized access by cracking passwords. The wisdom of this advice is
> > > continually reinforced by an army of security consultants who are more
> > > than happy to demonstrate the ease with which commonly available
> > > password cracking software can recover so-called "weak" passwords,
> > > i.e., words taken from a dictionary, common names, etc.
> > >
> >
> > A strong password is a password that is not subject to a dictionary
> > attack or uses a common name. Strong passwords basically force a brute
> > force method of discovery. Brute force generally takes longer than a
> > dictionary attack. You are reading too much into the term strong.
>
> You have got to be kidding me. I stand by my *correct* definition of the
> source of password strength. If your definition of strong is correct, then
> I could have a system with only three possible passwords, and as long as
> none of them were in a dictionary or a common name. For that matter I
> could allow 1 or 2 character passwords and still be ok. I notice that you
> are a CISSP. Whether you disagree with me or not, you may want to do some
> research on passwords and PW strength before you embarrass yourself too
> much. You may also want to read my "Paradigms" paper.
>
A strong password should survive an attack for a given amount of time. If
you only get one attempt at a password, then one or two characters could be
sufficient. If a given password takes 50 days to break on the average
machine and you change passwords every 30 days, permitted character
combinations matter less.
>
> >
> > > These same experts frequently recommend the use of special password
> > > filters designed to systematically enforce password complexity by
> > > disallowing any password that does not meet some predefined rule set,
> > > or the running of password cracking software in conjunction with the
> > > appropriate feedback to any user unfortunate enough to have their
> > > password "cracked" by the program. Some experts even recommend using
> > > both techniques simultaneously (although to do so is a rather bizarre
> > > contradiction when you stop and really think about it). Regardless of
> > > the method chosen, the goal is essentially the same, to reduce risk by
> > > enforcing the use of strong passwords.
> > >
> >
> > I would say the goal is to reduce risk by enforcing the use of better
> > passwords.
>
> We can prove that mechanisms which significantly reduce the number of
> possibilities are NOT better or stronger.
>
If your system is just theory, then what you say is true, but my systems
operate in the real world with real users; they do not choose random
passwords. So we have to give them rules to force a minimum entropy in
their passwords.
What size user base and environments have you had experience with?
-- 
Eric Chamberlain CISSP, CCNA, CCDA, MCSE, CCA
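The two positions in this exchange (a rule that shrinks the set of allowed passwords cannot make the set larger, versus a rule that forces users off the words an attacker tries first, judged against how long the password has to survive) can be put side by side with a little arithmetic. The block below is an added example and is not part of the thread or either poster's work; it assumes a 62-symbol alphabet (a-z, A-Z, 0-9), passwords chosen uniformly from whatever the policy allows (the thread itself notes real users do not do this), and a constructed guess rate and rotation period that are placeholders, not measurements.

```python
import math

SECONDS_PER_DAY = 86_400

# Constructed policy parameters (placeholders, not figures from the thread).
ALPHABET = 62          # a-z, A-Z, 0-9
DIGITS = 10            # size of the "required class" used by a must-contain-a-digit rule
DICTIONARY_WORDS = 100_000   # assumed size of an attacker's wordlist
GUESSES_PER_SECOND = 1e6     # assumed offline guessing rate on "the average machine"
ROTATION_DAYS = 30           # assumed password change interval


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_with_required_class(alphabet_size: int, required_size: int, length: int) -> int:
    """Passwords of `length` symbols containing at least one symbol from a
    required class of `required_size` symbols.  Complement counting: all
    passwords minus those that avoid the class entirely.  The result is always
    smaller than keyspace(), which is Lohkee's point about restrictive rules."""
    return alphabet_size ** length - (alphabet_size - required_size) ** length


def keyspace_excluding_list(count: int, excluded: int) -> int:
    """Passwords remaining once a blocklist of `excluded` entries (dictionary
    words, common names) is disallowed.  For an 8-symbol space the reduction
    is negligible in size, but it removes exactly the guesses tried first."""
    return count - excluded


def entropy_bits(count: int) -> float:
    """Bits of entropy of a uniform choice over `count` possibilities."""
    return math.log2(count)


def expected_crack_days(count: int, guesses_per_second: float) -> float:
    """Expected time for exhaustive search to hit a uniformly chosen password:
    on average half the space is tried before the hit."""
    return (count / 2) / guesses_per_second / SECONDS_PER_DAY


def survives_rotation(count: int, guesses_per_second: float, rotation_days: float) -> bool:
    """Eric's criterion: the password is good enough if the expected crack time
    exceeds the interval after which it is replaced anyway."""
    return expected_crack_days(count, guesses_per_second) > rotation_days


def policy_report(name: str, count: int) -> dict:
    """Summarise one policy so the policies can be compared on equal footing."""
    return {
        "policy": name,
        "passwords": count,
        "bits": round(entropy_bits(count), 2),
        "expected_days": round(expected_crack_days(count, GUESSES_PER_SECOND), 2),
        "survives_rotation": survives_rotation(count, GUESSES_PER_SECOND, ROTATION_DAYS),
    }


def compare_policies() -> list:
    """The policies debated in the thread, side by side."""
    full8 = keyspace(ALPHABET, 8)
    return [
        policy_report("3 possible passwords, none in a dictionary", 3),
        policy_report("2 symbols, any", keyspace(ALPHABET, 2)),
        policy_report("8 symbols, any", full8),
        policy_report("8 symbols, must contain a digit",
                      keyspace_with_required_class(ALPHABET, DIGITS, 8)),
        policy_report("8 symbols, dictionary words disallowed",
                      keyspace_excluding_list(full8, DICTIONARY_WORDS)),
    ]


if __name__ == "__main__":
    for row in compare_policies():
        print(f"{row['policy']:<45} {row['bits']:>6} bits "
              f"{row['expected_days']:>14,.2f} days  survives={row['survives_rotation']}")
```

The table the script prints makes both arguments visible at once: "not in a dictionary" on its own says nothing about the size of the space (three passwords survive a dictionary check and nothing else), a must-contain-a-digit rule genuinely shrinks the 8-symbol space (by about 24%, or a third of a bit), and a blocklist removes a vanishing fraction of the space while still taking away the guesses an attacker makes first. Whether any policy is "strong enough" then comes down to the assumed guess rate against the rotation period, which is the comparison Eric describes.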