[Dshield] Password Strength

Benjamin M.A. Robson ben at robson.ph
Mon Oct 18 10:53:17 GMT 2004

Chris Brenton wrote:

>On Sun, 2004-10-17 at 15:23, Shane Presley wrote:
>>We have some new passwords being proposed for some unix accounts.  We
>>use two factor for normal users.  But these are the root accounts. 
<snip.. see original in thread ..snip>

>>Anything else? Is there any sites/tools to test a password's relative
>>strength?  So far all I know of is crack.
>When you are talking passwords, what it really comes down to is
>"crackability". What I teach students in track 2 is "a secure password
>is one that will not be broken with a reasonable amount of CPU horsepower
>within the password change interval". One thing you don't mention is how
>often the password will be changed.
I am going to leap in here armed with my 2 cent pieces....

When considering a password change schedule (i.e. passwords are to be 
changed every N periods), it's very easy to get hung up on the idea of 
changing them every 3 months, or even every month.  The problem is that 
whilst changing every month, or every three months, may lower the window 
in which a CPU might brute force the password, it increases the likelihood 
that one of your users will write the password down and stick it to the 
back of their keyboard.  Also, a frequent password change cycle will 
encourage users to use the same password every N times (with at best a 
minor modification).  So a cracker could just find out how often they 
are changed, and how many different passwords need to be used before the 
cycle starts again (any decent cracker can social engineer this info), 
and they have now opened their cracking window to be significantly wider.

When being asked about password change cycles I advise people not to 
consider anything more frequent than once every three months, but to 
consider four or five month cycles.  The advantage of a slightly longer 
window is that users feel less burdened when asked to -remember- good 
-quality- passwords.

Remember, users (humans) are dumb and lazy.  Unless you make it easy for 
them, they will make it easy for themselves.  Even if this breaks the rules.

Sorry out of coins for now.
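Worked example, added here and not part of the original thread or of anyone's post in it. It puts numbers on two points made above: Chris Brenton's test ("will it be cracked within the change interval?") and Ben's observation that users who cycle through N passwords with a bumped counter hand the attacker a much wider window and a tiny candidate list. The guess rate (1e9 hashes/second), the alphabets, the 90-day interval and the sample password "Summer04" are constructed assumptions, not figures from the thread.

```python
"""Crack-window arithmetic for password change intervals.

Added example, not from the original thread.  The guess rate, alphabets
and sample passwords below are constructed assumptions.
"""
import re

SECONDS_PER_DAY = 86400

# Constructed assumption: an offline attacker testing this many candidates
# per second against a stolen password hash.  Adjust to your threat model.
GUESSES_PER_SECOND = 1.0e9


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def expected_crack_days(alphabet_size, length,
                        guesses_per_second=GUESSES_PER_SECOND):
    """Expected days to hit a uniformly random password by brute force.

    On average the attacker searches half the keyspace before success.
    """
    return (keyspace(alphabet_size, length) / 2
            / guesses_per_second / SECONDS_PER_DAY)


def survives_interval(alphabet_size, length, interval_days,
                      guesses_per_second=GUESSES_PER_SECOND):
    """Brenton's test: expected crack time longer than the change interval?"""
    return expected_crack_days(alphabet_size, length,
                               guesses_per_second) > interval_days


def effective_window_days(interval_days, reuse_cycle):
    """If users rotate through `reuse_cycle` passwords, a hash cracked once
    becomes valid again every `reuse_cycle` intervals, so the attacker's
    real window is the whole cycle, not one interval."""
    return interval_days * reuse_cycle


def minor_modifications(previous, max_counter=12):
    """Candidates an attacker tries first when one expired password is known
    and the 'same word, bumped counter' rotation habit is expected."""
    cands = set()
    m = re.match(r"^(.*?)(\d+)$", previous)
    if m:
        stem, digits = m.group(1), m.group(2)
        for n in range(max_counter + 1):
            cands.add(stem + str(n).zfill(len(digits)))  # Summer04 -> Summer05
            cands.add(stem + str(n))                     # Summer04 -> Summer5
    else:
        for n in range(max_counter + 1):
            cands.add(previous + str(n))                 # winter -> winter1
    for suffix in "!?#.":
        cands.add(previous + suffix)                     # Summer04 -> Summer04!
    cands.discard(previous)
    return sorted(cands)


if __name__ == "__main__":
    interval = 90  # constructed: a quarterly change cycle
    for alpha, length in ((26, 8), (95, 8), (95, 10)):
        days = expected_crack_days(alpha, length)
        print(f"{alpha}^{length}: {days:,.2f} days expected, "
              f"survives {interval}-day interval: "
              f"{survives_interval(alpha, length, interval)}")
    print(f"{interval}-day interval, 4-password reuse cycle: "
          f"{effective_window_days(interval, 4)}-day effective window")
    guesses = minor_modifications("Summer04")
    print(f"{len(guesses)} 'bumped counter' guesses vs "
          f"{keyspace(62, 8):,} for a random 8-char alphanumeric")
```

With these assumptions an 8-character lowercase root password falls in seconds and an 8-character full-printable one in about 38 days, so neither passes a 90-day interval, while 10 printable characters do. A user who cycles four passwords turns that 90-day window into 360 days, and once one old password leaks the next guess is one of a few dozen candidates rather than one of 62^8.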

