[unisog] [Fwd: Is the current password std flawed?]

Jim Barlow jbarlow at ncsa.uiuc.edu
Fri Feb 25 15:25:37 GMT 2005


Here's another approach to passwords:

"Why you shouldn't be using passwords of any kind..."

   http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx


On Fri, Feb 25, 2005 at 08:50:34AM -0600, Megan Carney wrote:
> While technically I think it's correct that restricting any passwords 
> in a pool of possibilities decreases the total number of passwords, 
> most of the password crackers I've seen don't do random passwords.
> 
> They try the easily guessed passwords that are all characters, or like 
> the username, etc. So it makes sense to force users to choose passwords 
> that are hard to guess.
> 
> Megan
> On Feb 24, 2005, at 11:05 PM, Valdis.Kletnieks at vt.edu wrote:
> 
> >On Thu, 24 Feb 2005 20:30:29 CST, "Clinton E. Troutman" said:
> >
> >>CS's statement would be correct if:
> >>- it is known that a particular character position in any particular password
> >>*must* contain *only* a numeric, or
> >
> >But actually, you *DO* know that for many cases.  For instance, if there
> >is a *requirement* that at least 1 position have a numeric, you can not bother
> >trying all the combinations that don't have at least 1 digit.  So if you're
> >brute-forcing, and the min length is 8, and you're testing 'aaaaaaa' and
> >another character, you can only try 10 and be done, rather than all 96 printables.
> >Similarly for *aaaaaaa, a*aaaaaa, aa*aaaaa, and so on...
> >
> >To mathematically model it, let's say you have 8 positions and 96 usable chars.
> >If all 8 are free, you have 96^8.  If you force a digit, you only have 10*96^7
> >(or only about 10% of the space).  If you force a digit and a "special", you're
> >down to 10*96^6*34, or about 3% of the original space.
> >
> >A *better* way is the way that Fedora Core's 'pam_cracklib' does it:
> >
> >        minlen=N        The minimum simplicity count for a good password.
> >
> >        dcredit=N
> >        ucredit=N
> >        lcredit=N
> >        ocredit=N       Weight, digits, upper, lower, other characters with
> >                        count N. Use these values to compute the
> >                        'unsimplicity' of the password.
> >
> >So you can say, for instance, that you need to score at least 15 points. Let's
> >say we have d/u/l/o credit of 2/2/1/3 - so you can get there with a password of
> >15 lower case chars, or 10 lower case, a digit, and a 'other', or 11 lower case
> >and 2 digits, or....  If you use a minlen of 20 or so with the weights I
> >listed, you're creating a *HUGE* space an attacker has to choose through - and
> >users can still come up with some easily memorable passphrases or whatever.  If
> >they don't want to type a lot, they can get to 21 points with just 7 special
> >characters and no letters/numbers at all. ;)
> >
> >This way, you lose a *lot* less entropy, because no one position is "forced"
> >because there's more than one way to get the needed points....
> >_______________________________________________
> >unisog mailing list
> >unisog at lists.sans.org
> >http://www.dshield.org/mailman/listinfo/unisog

-- 
James J. Barlow   <jbarlow at ncsa.uiuc.edu>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications    Voice : (217)244-6403
605 East Springfield Avenue   Champaign, IL 61820   Cell : (217)840-0601
http://www.ncsa.uiuc.edu/~jbarlow                    Fax : (217)244-1987
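The keyspace arithmetic and the credit-based scoring that Valdis describes in the quoted message, worked through as an added example (editor's illustration, not code from any list member or from pam_cracklib itself). It uses the post's own figures (96 printables, 10 digits, 34 "specials", 8 positions, d/u/l/o weights 2/2/1/3, minlen 15) and reads the pam_cracklib options the way the post reads them, as per-character weights summed against a threshold; the real module's option semantics are not reproduced here. For comparison with the post's per-position model, it also counts exactly how many 8-character passwords contain at least one digit.

```python
import string

# Figures taken from the quoted message (not measured here).
PRINTABLES = 96   # usable printable characters
DIGITS = 10       # decimal digits
SPECIALS = 34     # "special" characters

def free_space(length, alphabet=PRINTABLES):
    """Passwords when every position may hold any character: alphabet^length."""
    return alphabet ** length

def forced_position_space(length, forced_classes):
    """The post's model: each required class pins one position to that
    class's size, and the remaining positions stay free.
    forced_classes is a list of class sizes, e.g. [DIGITS] or [DIGITS, SPECIALS]."""
    if len(forced_classes) > length:
        raise ValueError("more forced classes than positions")
    space = 1
    for size in forced_classes:
        space *= size
    return space * PRINTABLES ** (length - len(forced_classes))

def fraction_of_space(length, forced_classes):
    """Share of the free keyspace left under the post's forced-position model."""
    return forced_position_space(length, forced_classes) / free_space(length)

def at_least_one_digit_space(length, alphabet=PRINTABLES, digits=DIGITS):
    """Exact count of passwords that contain at least one digit, by counting
    the complement (passwords built only from non-digit characters)."""
    return alphabet ** length - (alphabet - digits) ** length

def unsimplicity(password, dcredit=2, ucredit=2, lcredit=1, ocredit=3):
    """Score a password as the post reads pam_cracklib's credits: every
    character contributes the weight of its class (digit / upper / lower / other)."""
    score = 0
    for ch in password:
        if ch in string.digits:
            score += dcredit
        elif ch in string.ascii_uppercase:
            score += ucredit
        elif ch in string.ascii_lowercase:
            score += lcredit
        else:
            score += ocredit
    return score

def meets_minlen(password, minlen=15, **weights):
    """True when the summed credits reach the required minimum score."""
    return unsimplicity(password, **weights) >= minlen

if __name__ == "__main__":
    print("free 8-char space:", free_space(8))
    print("force a digit:", forced_position_space(8, [DIGITS]),
          "= %.1f%% of free space" % (100 * fraction_of_space(8, [DIGITS])))
    print("force a digit and a special:", forced_position_space(8, [DIGITS, SPECIALS]),
          "= %.1f%% of free space" % (100 * fraction_of_space(8, [DIGITS, SPECIALS])))
    print("exact count with at least one digit:", at_least_one_digit_space(8))
    # Constructed sample passwords matching the post's four score examples.
    for pw in ["a" * 15, "a" * 10 + "1" + "!", "a" * 11 + "12", "!" * 7]:
        print(repr(pw), "scores", unsimplicity(pw), "passes:", meets_minlen(pw))
```

The forced-position figures reproduce the post's 10*96^7 (about 10%) and 10*34*96^6 (about 3%); the exact at-least-one-digit count shows how much of that reduction comes from pinning the digit to a known position rather than from the rule itself, which is the point an auditor should check before adopting a composition rule. The scoring functions reproduce the post's four examples: 15 lowercase letters, 10 lowercase plus a digit and an "other", 11 lowercase plus 2 digits, and 7 specials alone (21 points).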


