Re: Strong Passwords Revisited

From: Jason Olson (
Date: 02/19/03

From: Jason Olson <>
Date: Wed, 19 Feb 2003 11:09:13 -0800

Very good post! Although here are a few cents for ya....

The standard "strong" password scheme (such as min length, types of
characters,etc) which you propose to be a weakness is only such if the
attacker knows that the particular system is using such schemes.
Otherwise they cannot exclude the potential password combinantions. If
they come into knowledge of these policies, then your problem is
something other than "outside, brut force" attacks. Otherwise, it's
just educational mathematics that permit you to reduce the number of
possible combinations. There is no reasonable way for a true outside
attacker to know what scheme you are using. And if we take the
"standard" 8 character password length - and I was an attacker, I
would only spend the time to crack the 8 characters and then move on
elsewhere because for every character after 8, the time jumps
exponentially! Simply by this methodolgy, then an 9 character password
would be enherintly much stronger.

Additionally, if I was a "would be attacker" I already KNOW that many
people (even people that should know better) use very simple
passwords, even all lower case (very common). It would be far easier
(if my intent was to cause general havoc, instead of directed harm
towards a specific individual --- which I would assume is a larger
than those who are directed towards a specific individual) to simply
run a lower-case-only-brute-force-attack. That would run
astronomically faster...Somethink around 28,731 times faster --- or
say it in more real terms... instead of taking 2 hours to brute force
an 8 character, lower case password --- it would take 15,366 hours --
roughtly 1.6 years for a mixed case password!!! Now in reality, it
would take MUCH LESS TIME, but the factor of 1:28,731 is still the
same... SO YES, I would rather attempt to hack away at 28,000 machines
for a simple password than a ONE complex password. And I am sure that
I would be very successful at finding at least one weak account
(probably many) out of the 28,000 machines!

Regarding dictionary attacks, I think your correct about the
indifference to the computer between the two passwords, such as
zucchini and #4H!F -- well at least if they were the same length
anyways! But the problem with dictionary or other known information
(wife's name, etc) -- is not from an outside attack, but rather an
internal one... yes, we need to protect against these too... Sure,
corp policy which results in termination is good 'policy' but often
discovered too late... If you have a subordinate who acquires his
managers password (because dicitionary or common passwords are MUCH
MUCH easier to remember than 'random' characters) then harm can be
done. We need to also protect against these. Also, while harder to
make 'rules' against... when I was a sales associate we were required
to constantly change our passwords very frequently (but there was no
restriction on what we changes it to, other than it could not be
repeated) -- so we often chose simple numbers on the number pad that
was in sequence... such as 8-5-2-0 (straight down the middle) or
9-5-1-7-5-3 (an x accross the numberpad)... those, while perhaps
mathematically complex are very very simply for shoulder-lookers to
acquire. This sort of thing is not easily "policized" but the solution
to this is what they required us to do... Change often.... and never
repeat.... The problem is that because it was so often we changed, we
chose simple ones or variations off the old one... But if the password
was only good for two weeks, then it was okay...

So the bottom line (if there really is one) is that the mathematics is
great - I love math -- but there is a very human side to things which
I think needs to alway be accounted for. Yes the math you provided is
mostly correct, but the human factor is also very significant.
Remember, the security is only as good as the weakest link... Often
relating to password, although not always regarding "enforcing strong
passwords" schemes.


On Sun, 19 Jan 2003 21:04:59 GMT, "Lohkee" <>

>After thinking about prior comments to the original version of this paper, I
>decided to do a rewrite. Much is the same as it was, however, there are a
>few new thoughts. Same rules as before. Enjoy!
>Strong Passwords (DRAFT FOR COMMENT)
>Copyright (C) 2003 by Lohkee!
>All Rights Reserved

Relevant Pages

  • Re: Vote on R6RS, if you have the time to write a 150-word essay
    ... to now defined scheme, and, it's not doing it in the best way. ... The character set extension to unicode is borked too. ... the standard tries to standardize far too much. ...
  • Re: Lisps future
    ... It is said that learning Scheme ... MIT/Gnu Scheme) provide pretty much everything that the Common Lisp ... the scheme standard originated as the *Intersection* of about ... and the character set is infinite. ...
  • Re: Extending 5-level code
    ... :>> The standard gives the impression that the null character is intended ... practise, in some countries, of using the null character as a third shift, ... non-Latin alphabet can be accessed. ... My web site shows the particular scheme in use for Russian, ...
  • Re: Strong Passwords Revisited
    ... > attacker knows that the particular system is using such schemes. ... > attacker to know what scheme you are using. ... > would only spend the time to crack the 8 characters and then move on ... > So the bottom line is that the mathematics is ...
  • Re: Saving a password locally
    ... The config file is then encrypted with a 256-bit encryption ... I don't understand quite what your scheme is trying to achieve. ... the attacker will most likely post the ... is this some kind of DRM scheme? ...