Re: Strong Passwords Revisited

From: Lohkee (
Date: 01/21/03

From: "Lohkee" <>
Date: Tue, 21 Jan 2003 02:07:22 GMT

"John Elsbury" <> wrote in message
> On Sun, 19 Jan 2003 21:04:59 GMT, "Lohkee" <>
> wrote:
> <snip>
> >On one hand we have an "attacker" who is literally handed the
> >password file which he then runs against a password cracker on a
> >system at extremely high speeds (essentially an unlimited number of
> >to identify a given password), on the other hand we have an attacker who
> >must first somehow penetrate your system and successfully capture the
> >password file (all without ever being detected and stopped - in which
> >you have a far more serious problem on your hands than weak passwords)
> >before he can even begin to think about cracking those passwords!
> >to equate these two vastly different scenarios is absurd. Think about it
> >a moment; hackers would have had free rein on almost every system
> >imaginable for the past twenty years if the results typically obtained by
> >password crackers were representative of anything even remotely close to
> >reality.
> >
> I think that says it all. A password is one of a set of control
> measures, and has to be seen in that context. Other control measures
> in the set include:
> Not making the password file (even encrypted) available to anybody
> other than those with a genuine need;
> Not allowing users to reuse passwords;
> Forcing periodic password expiry;
> Blocking / disbaling login accounts after a (small) set number of
> failed access attempts;
> Logging and auditing exception conditions (such as failed password
> attempts).
> There is a convenience / security formula which will include factors
> like:
> * Password length and composition rules (to avoid trivial passwords)
> -vs - probability that a user will have trouble remembering them;
> * Number of attempts before account gets locked -vs - probability that
> legitimate users will get locked out (or have their access denied by
> mischievous persons) - vs - probability that a wild guess will
> succeed;
> * Cost/Number of Help Desk calls arising from forgotten passwords -vs
> - incidence of forgotten passwords (tokens like SecurID sell based on
> this margin)
> Frequency and quality of exception audit and follow-up activity.
> <snip>

All of which can be measured and evaluated mathematically. Security through
science or security through superstition. To me, it's a no-brainier
(although I do admit seem to being in a very, very small minority - welcome
to the club john)!