[Dshield] Password Strength
gar at askgar.com
Tue Oct 19 11:48:24 GMT 2004
>When you are talking passwords, what it really comes down to is "crackability". What I teach students in track 2 is "a secure password is one that will not be broken with a reasonable amount of CPU horsepower within the password change interval". One thing you don't mention is how
>often the password will be changed.
If I may follow along your thread here . . . if we were talking Windows
instead of Unix, is this a reasonable rule of thumb still? I know that
with the rainbow table lookups available now on the Internet an alpha
only password (no special chars or nums) now falls in seconds.
Does anyone know how big a rainbow table is required to mean ALL Windows
passwords fall in seconds?
Personally, I've gone to using "untypables" in my Windows passwords
(Alt+Num+### to generate a single character) but I can't see requiring
that of 1500 innocent end-users. I like the passphrase concept, but can
hear the groans already. On Windows, we believe one of the big
directions to move in is getting rid of the LanMan hashes, which at
least means you have to actually crack after all the upper and
lowercases, which seems to slow things down a bunch, but between divide
and conquer password ranges, we're still talking about every "typable"
password being cracked inside of 72 hours on modest hardware by
splitting the crack job across just ten machines, and since most users
only use a single special char if any at all, you usually hit within 24
And then of course you have the issue that any machine that can be made
to boot the floppy disk gets an instantly reset Windows password, which
usually leads to AT LEAST a Domain "Workstation Administrator" because
of the fact that Windows sets up a user and caches the password of the
PC Tech who logs in to install software.
I guess the questions, to recap, are:
1) how long does it take to crack 'complex' 8 character passwords? is
the rule of "make the change time lower than the crack time" still
applicable in today's crack environment?
2) can rainbow tables be made to "instant crack" complex passwords as
we've seen them do alphas and heard of them doing alphanums?
3) is there any downside to disabling LANMAN hashes?
4) is anyone actually stopping (domain-wide) the
that doesn't leave you with crippled machines?
I'll shut up now and listen.
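As an added illustration of the rule quoted at the top of the thread (change interval shorter than worst-case crack time), and of why dropping LanMan hashes matters: the script below is example code written for this page, not from the poster. It assumes a constructed guess rate of 10 million hashes per second per machine, the 94-character "typable" alphabet, and uses the known LM property that the password is upper-cased and hashed as two independent 7-character halves.

```python
# Example code, not part of the original post. All rates and intervals below are
# constructed assumptions for illustration.
SECONDS_PER_DAY = 86400
TYPABLE = 26 + 26 + 10 + 32          # upper, lower, digits, punctuation
TYPABLE_UPPER_ONLY = 26 + 10 + 32    # what survives LM's upper-casing


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must try for an NT-style hash of exactly `length` chars."""
    return alphabet_size ** length


def lm_keyspace(alphabet_size: int, length: int) -> int:
    """LM hashes the upper-cased password as two independent 7-byte halves, so the
    halves are attacked separately: the work is a sum of two small spaces, not a
    product. Passwords of 7 or fewer chars leave the second half empty (zero work)."""
    first_half = min(length, 7)
    second_half = max(length - 7, 0)
    work = alphabet_size ** first_half
    if second_half:
        work += alphabet_size ** second_half
    return work


def worst_case_days(space: int, guesses_per_sec: float, machines: int = 1) -> float:
    """Days to exhaust `space` when the job is split evenly across `machines`."""
    return space / (guesses_per_sec * machines) / SECONDS_PER_DAY


def change_interval_ok(space: int, guesses_per_sec: float, machines: int,
                       change_interval_days: float) -> bool:
    """The thread's rule of thumb: the password must be changed before an
    exhaustive search could finish."""
    return change_interval_days < worst_case_days(space, guesses_per_sec, machines)


def compare_policies(length: int = 8, guesses_per_sec: float = 1e7,
                     machines: int = 10, change_interval_days: float = 90) -> dict:
    """Worst-case crack time (days) for NT vs LM hashes of one password length."""
    nt_days = worst_case_days(keyspace(TYPABLE, length), guesses_per_sec, machines)
    lm_days = worst_case_days(lm_keyspace(TYPABLE_UPPER_ONLY, length),
                              guesses_per_sec, machines)
    return {
        "nt_days": nt_days,
        "lm_days": lm_days,
        "nt_interval_ok": change_interval_days < nt_days,
        "lm_interval_ok": change_interval_days < lm_days,
    }


if __name__ == "__main__":
    for name, val in compare_policies().items():
        print(f"{name}: {val}")
```

With these constructed numbers an 8-character NT hash needs roughly 700 days to exhaust, while the LM form of the same password falls in under a day, which is the thread's "72 hours on ten machines" observation in arithmetic form.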