Re: Strong Passwords Revisited

From: Alun Jones (alun@texis.com)
Date: 01/24/03


From: alun@texis.com (Alun Jones)
Date: Thu, 23 Jan 2003 23:03:41 GMT


In article <s5l7kcvsj52.fsf@dilbert.pointyhairedbosses.de>, Ernst-Udo
Wallenborn <ernst-udo.wallenborn@freenet.de> wrote:
>Passwords become easier to crack if you lower their entropy. By restricting
>the password space you can accidentally do this. Normally, however, you
>increase the password entropy if you enforce rules like "password must
>have letters and numbers, be 8 characters long and contain at least
>one special character". If you enforce these rules, people will (at
>least that's the theory) choose passwords that are less likely to
>be found in an attacker's dictionary.

Not always. Sometimes you can reduce the size of an attacker's dictionary.
H4X0R-speak is a problem in this regard - let's say you've required each
password contain at least one number; okay, that's a very good idea, but then
you'll find that your users simply pick words with the letters i, o, e or a in
them, using 1, 0, 3 or 4 in their place.

If your users were using English words before, and they're now using English
words with a number in place of a particular letter, the attacker's dictionary
can now be filtered _down_ to a smaller size.

Similarly, let's assume that your users aren't using English words, and that
the attacker is tasked with doing a brute-force attack. Then, you require at
least one character to be a digit - you've actually removed a portion of the
keyspace, and made the brute-force significantly quicker. You have to be
careful in enforcing password-choice restrictions to ensure that your
restrictions make the most likely attacks less effective, not more.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
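The keyspace arithmetic behind the last two paragraphs of the post, as an added example (not part of the original message): an inclusion-exclusion count of how much of the brute-force space a "must contain at least one digit" (or digit and symbol) rule discards, and small helpers showing which dictionary words survive an attacker's filter when users only apply the i/o/e/a substitutions. The 95-character printable-ASCII alphabet, the 8-character length and the word lists are assumptions made for the example.

```python
from itertools import product
from math import log2

# Printable ASCII split into classes: 26 lower, 26 upper, 10 digits, 33 symbols = 95.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())
# The substitutions the post describes (assumption: users apply only these).
LEET = {"i": "1", "o": "0", "e": "3", "a": "4"}

def keyspace_with_required_classes(length, required):
    """Count strings of `length` over the 95-char alphabet that contain at
    least one character from every class in `required` (inclusion-exclusion)."""
    required = list(required)
    total = 0
    for mask in range(1 << len(required)):
        excluded = [c for i, c in enumerate(required) if mask >> i & 1]
        size = ALPHABET - sum(CLASSES[c] for c in excluded)
        total += (-1) ** len(excluded) * size ** length
    return total

def fraction_removed(length, required):
    """Share of the unconstrained keyspace that a 'must contain' rule discards,
    i.e. how much less a brute-force attacker has to try."""
    return 1 - keyspace_with_required_classes(length, required) / ALPHABET ** length

def bits_lost(length, required):
    """Entropy (bits) the rule removes from the brute-force search."""
    return log2(ALPHABET ** length / keyspace_with_required_classes(length, required))

def leet_filter(words):
    """Dictionary words that can satisfy a digit rule via the LEET swaps;
    words without any of those letters drop out of the attacker's list."""
    return [w for w in words if any(c in LEET for c in w)]

def leet_variants(word):
    """Every form of `word` with at least one LEET swap applied."""
    slots = [i for i, c in enumerate(word) if c in LEET]
    variants = []
    for choice in product((False, True), repeat=len(slots)):
        if not any(choice):
            continue
        chars = list(word)
        for pos, swap in zip(slots, choice):
            if swap:
                chars[pos] = LEET[chars[pos]]
        variants.append("".join(chars))
    return variants
```

For 8 characters, requiring one digit leaves 95^8 - 85^8 candidates, about 41% fewer than the unconstrained space (roughly 0.76 bits); adding a required symbol removes about 44%.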
