[unisog] [Fwd: Is the current password std flawed?]
Brown, Matthew A.
mbrown at highpoint.edu
Fri Feb 25 15:15:48 GMT 2005
.... and hopefully these problems will all be resolved in the next 3-7
years by affordable, reliable biometric solutions.
High Point University
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Michael Holstein
Sent: Friday, February 25, 2005 9:48 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] [Fwd: Is the current password std flawed?]
> By asking that all passwords must have a numeric and a special
> we are making it easier for cracking tools because we have effectively
> reduced the "pool" of possible password combinations; e.g. no need to
> check for a password such as "gHsrYBoZ" as this would be rejected as
Mathematically speaking, he/she's correct. But the "brute force" mode is
seldom actually required to get at least one halfway-useful password. In
my experience doing (legitimate) password audits, I get better than half
during the dictionary or hybrid phase (with common substitutions turned
on). In all cases, this has included at least one admin or service
Therefore, I'd say that enforcing some degree of complexity (without
being overly specific like saying a number must occupy a particular
character position) is better than letting users pick their own
passwords (we all know the dog's name, kid's birthday, etc. will be
their first choice if left to their devices).
However, the enforced degree of complexity is directly proportional to
the probability you'll find the password on a post-it under the
keyboard, admins not excepted.
Furthermore, users are quite adept at devising passwords that meet our
(IT) requirements but are still really easy. You require 8 characters
with 3/4 types, they'll pick 'M1chael' (my name) instead of the simple
'michael'. Any cracker would get that in a few seconds.
If you want really secure passwords, the idea has always been to use
multifactor involving a token or biometric.
Michael Holstein CISSP GCIA
Cleveland State University
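Two points in the exchange above can be made concrete: the original poster's observation that requiring a digit and a special character shrinks the set of acceptable passwords, and Michael's point that users satisfy a class-count rule with a dictionary word plus a substitution ('M1chael'). The following is an added example, not code from the thread or from either university: it counts, by inclusion-exclusion, how many 8-character strings over a 94-character printable alphabet (an assumption) satisfy the "must contain a digit and a special" rule versus the unconstrained pool, and it shows a policy check that also undoes common substitutions before a wordlist lookup. The wordlist and substitution table are constructed samples.

```python
import string
from itertools import combinations, product

# Character classes of the 94 printable ASCII characters, space excluded (assumed alphabet).
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),    # 26
    "upper": frozenset(string.ascii_uppercase),    # 26
    "digit": frozenset(string.digits),             # 10
    "special": frozenset(string.punctuation),      # 32
}
ALPHABET = frozenset().union(*CLASSES.values())   # 94 characters


def count_passwords(length, required, alphabet=ALPHABET):
    """Number of strings of `length` over `alphabet` that contain at least one
    character from every class in `required` (an iterable of character sets).
    Inclusion-exclusion over which required classes are allowed to be absent."""
    alphabet = frozenset(alphabet)
    classes = [frozenset(c) & alphabet for c in required]
    total = 0
    for k in range(len(classes) + 1):
        for absent in combinations(classes, k):
            excluded = frozenset().union(*absent)
            total += (-1) ** k * (len(alphabet) - len(excluded)) ** length
    return total


def count_by_enumeration(length, required, alphabet):
    """Same count by brute enumeration; only feasible for tiny alphabets.
    Used to cross-check count_passwords."""
    required = [set(c) for c in required]
    return sum(
        1 for s in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in s) for cls in required)
    )


# Constructed table of the substitutions a hybrid wordlist pass would try.
LEET = str.maketrans("013457@$!|", "oieastasil")
# Constructed sample wordlist; a real deployment would load a large one.
WORDLIST = frozenset({"michael", "password", "welcome", "cleveland", "summer"})


def policy_failures(password, wordlist=WORDLIST, min_len=8, min_classes=3):
    """Return the reasons a candidate password fails the policy (empty list = OK)."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    present = sum(1 for cls in CLASSES.values() if cls & set(password))
    if present < min_classes:
        reasons.append(f"uses {present} of {min_classes} required character classes")
    # Strip the digits/symbols users bolt onto the ends, then compare both the
    # plain form and the de-substituted form against the wordlist.
    core = password.strip(string.digits + string.punctuation).lower()
    if core in wordlist or core.translate(LEET) in wordlist:
        reasons.append("dictionary word with trivial substitutions")
    return reasons


if __name__ == "__main__":
    pool = count_passwords(8, [])
    constrained = count_passwords(8, [CLASSES["digit"], CLASSES["special"]])
    print(f"8-char pool: {pool:,}")
    print(f"with digit AND special required: {constrained:,} ({constrained / pool:.1%})")
    for candidate in ("M1chael", "M1chael!", "gHsrYBoZ", "Qx7!veRp2"):
        print(candidate, "->", policy_failures(candidate) or "accepted")
```

The class-count rule alone accepts 'M1chael!' and rejects the random 'gHsrYBoZ', which is exactly the inversion the quoted poster worried about; the wordlist step with substitutions undone is what catches the former, and the inclusion-exclusion count shows how much of the pool the "digit and special" requirement gives up (the unconstrained count minus the count of strings lacking a digit, minus those lacking a special, plus those lacking both).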