[Dshield] Password Strength
Benjamin M.A. Robson
ben at robson.ph
Mon Oct 18 10:53:17 GMT 2004
Chris Brenton wrote:
>On Sun, 2004-10-17 at 15:23, Shane Presley wrote:
>>We have some new passwords being proposed for some unix accounts. We
>>use two factor for normal users. But these are the root accounts.
<snip.. see original in thread ..snip>
>>Anything else? Is there any sites/tools to test a password's relative
>>strength? So far all I know of is crack.
>When you are talking passwords, what it really comes down to is
>"crackability". What I teach students in track 2 is "a secure password
>is one that will not be broken with a reasonable amount of CPU horsepower
>within the password change interval". One thing you don't mention is how
>often the password will be changed.
I am going to leap in here armed with my 2 cent pieces....
When considering a password change schedule (i.e. passwords are to be
changed every N periods), it's very easy to get hung up on the idea of
changing them every 3 months, or even every month. The problem is that
whilst changing every month, or three months, may lower the window in
which a CPU might brute force the password, it increases the likelihood
that one of your users will write the password down and stick it to the
back of their keyboard. Also, a frequent password change cycle will
encourage users to use the same password every N times (with at best a
minor modification). So a cracker could just find out how often they
are changed, and how many different passwords need to be used before the
cycle starts again (any decent cracker can social engineer this info'),
and they have now opened their cracking window to be significantly wider.
When being asked about password change cycles I advise people not to
consider anything more frequent than once every three months, but to
consider four or five month cycles. The advantage of a slightly longer
window is that users feel less burdened when asked to -remember- good
Remember, users (humans) are dumb and lazy. Unless you make it easy for
them, they will make it easy for themselves. Even if this breaks the rules.
Sorry out of coins for now.
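As an added example (not part of this thread or anyone's post in it), here is a small Python model of the criterion Chris states above, that the expected crack time must exceed the change interval, together with Ben's point about reused passwords widening the attacker's window. The guess rate and the example policies are constructed assumptions, not figures from the thread.

```python
"""Model of "a secure password is one that will not be broken within the
password change interval".  Added example; the guess rate and the policies
below are constructed assumptions, not data from the mailing-list thread.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Policy:
    name: str
    charset_size: int          # distinct characters a password may draw from
    length: int                # minimum length the policy enforces
    change_interval_days: int  # how often the password must be changed


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def worst_case_crack_seconds(charset_size: int, length: int,
                             guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at the assumed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


def survives_interval(policy: Policy, guesses_per_second: float) -> bool:
    """Chris's criterion: the expected crack time (on average half the
    keyspace is searched before a hit) must exceed the change interval."""
    expected = worst_case_crack_seconds(
        policy.charset_size, policy.length, guesses_per_second) / 2
    return expected > policy.change_interval_days * SECONDS_PER_DAY


def effective_window_days(policy: Policy, reused_passwords: int) -> int:
    """Ben's point: if users cycle through N passwords, any one of them will
    be valid again after N intervals, so the attacker effectively has the
    whole cycle, not a single interval, to crack one of them."""
    return policy.change_interval_days * reused_passwords


if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second for a fast, unsalted hash
    for p in (Policy("8 lowercase, monthly", 26, 8, 30),
              Policy("12 mixed printable, quarterly", 95, 12, 90)):
        print(f"{p.name}: survives interval = {survives_interval(p, RATE)}; "
              f"with 4 reused passwords the window is "
              f"{effective_window_days(p, 4)} days")
```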