[Dshield] Password Strength

Chris Brenton cbrenton at chrisbrenton.org
Mon Oct 18 09:57:18 GMT 2004


On Sun, 2004-10-17 at 15:23, Shane Presley wrote:
>
> We have some new passwords being proposed for some unix accounts.  We
> use two factor for normal users.  But these are the root accounts. 
> They're locked away for emergency use, but we still need them.  Are
> there any standards to test the strength?  So far they are all:
> 
> -8 or more characters
> -Upper and lower case
> -Include special characters
> -Are not based on any word
> 
> Anything else? Are there any sites/tools to test a password's relative
> strength?  So far all I know of is crack.

When you are talking passwords, what it really comes down to is
"crackability". What I teach students in track 2 is "a secure password
is one that will not be broken with a reasonable amount of CPU horsepower
within the password change interval". One thing you don't mention is how
often the password will be changed.

As for tools, my personal favorite is John The Ripper: 
http://www.openwall.com/john/

It's fast and extremely flexible. As for what is a reasonable amount of
CPU, I use a baseline of a dozen systems. Given there are tools out
there like DJohn:
http://ktulu.com.ar/en/djohn.php

and folks 0wning zombie nets that consist of thousands of systems, I
think a dozen is pretty conservative. 

Since you are talking UNIX, you may want to up the minimum length to
10-12 characters. Remember that adding another password character under
UNIX increases the cracking time exponentially, it does not decrease it
like under Windows.  

HTH,
Chris
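Worked example added to this archived thread (not code from either poster): it
checks a candidate against the four rules Shane listed and then applies Chris's
"crackability" yardstick, keyspace divided by aggregate hash rate, compared
against the change interval. The dozen-host baseline and the zombie-net size
come from the reply; the per-host hash rate, the tiny word list and the leet
substitution table are assumptions made up for the example. The real test is
still to run the candidates through John the Ripper; this only models the
arithmetic behind the advice to go to 10-12 characters.

```python
import string

# Constructed stand-in for a cracking dictionary. A real check would feed
# the candidates to John the Ripper with its wordlist and rules instead.
WORDLIST = {"password", "admin", "root", "secret", "welcome", "dragon", "letmein"}

# Alphabet sizes for the classes the policy talks about. string.punctuation
# is 32 characters, so upper+lower+special gives an 84-symbol alphabet.
CLASS_SIZE = {
    "lower": len(string.ascii_lowercase),
    "upper": len(string.ascii_uppercase),
    "digit": len(string.digits),
    "special": len(string.punctuation),
}

# Rough substitutions a cracker's mangling rules would undo before a
# dictionary match (assumed table, not from the thread).
LEET = str.maketrans("0134@$!", "oieaasi")


def classes_present(pw):
    """Return the set of character classes the password actually uses."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("special")
        else:
            classes.add("other")
    return classes


def policy_violations(pw, min_len=8, wordlist=WORDLIST):
    """Check the four rules from the question; return a list of failures (empty = passes)."""
    failures = []
    if len(pw) < min_len:
        failures.append(f"shorter than {min_len}")
    classes = classes_present(pw)
    if not {"upper", "lower"} <= classes:
        failures.append("missing upper or lower case")
    if "special" not in classes:
        failures.append("no special character")
    # "Not based on any word": lower-case, undo leet substitutions, then look
    # for any dictionary word of four or more letters as a substring.
    normalized = pw.lower().translate(LEET)
    for word in sorted(wordlist):
        if len(word) >= 4 and word in normalized:
            failures.append(f"based on dictionary word {word!r}")
            break
    return failures


def keyspace(length, classes):
    """Number of candidates a brute-force search must cover for this length and alphabet."""
    alphabet = sum(CLASS_SIZE[c] for c in classes)
    return alphabet ** length


def crack_time_seconds(length, classes, hashes_per_sec_per_host, hosts=12):
    """Seconds to exhaust the keyspace. hosts=12 is the thread's dozen-machine
    baseline; the per-host hash rate is an assumption the caller supplies."""
    return keyspace(length, classes) / (hashes_per_sec_per_host * hosts)


def survives_interval(length, classes, hashes_per_sec_per_host, change_interval_days, hosts=12):
    """True when exhausting the keyspace would outlast the password change interval."""
    return crack_time_seconds(length, classes, hashes_per_sec_per_host, hosts) > change_interval_days * 86400


if __name__ == "__main__":
    policy = {"upper", "lower", "special"}
    RATE = 1_000_000  # assumed hashes/sec/host; measure with `john --test` for a real figure
    for length in (8, 10, 12):
        for hosts in (12, 5000):
            days = crack_time_seconds(length, policy, RATE, hosts) / 86400
            print(f"{length} chars, {hosts:>5} hosts: {days:14.1f} days to exhaust; "
                  f"survives 90-day interval: {survives_interval(length, policy, RATE, 90, hosts)}")
    print("P@ssw0rd!    ->", policy_violations("P@ssw0rd!"))
    print("Xk7#qLp2w$Zr ->", policy_violations("Xk7#qLp2w$Zr"))
```

Each extra character multiplies the exhaust time by the alphabet size (84
here), which is the "exponential" point in the reply: at the assumed rate, an
8-character password over this alphabet outlasts a 90-day interval against a
dozen hosts but falls in under a week against a 5000-host zombie net, while 10
characters hold against both.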