[unisog] [Fwd: Is the current password std flawed?]

Megan Carney mcarney at oitsec.umn.edu
Fri Feb 25 14:50:34 GMT 2005


While technically I think it's correct that restricting any passwords 
in a pool of possibilities decreases the total number of passwords, 
most of the password crackers I've seen don't do random passwords.

They try the easily guessed passwords that are all characters, or like 
the username, etc. So it makes sense to force users to choose passwords 
that are hard to guess.

Megan
On Feb 24, 2005, at 11:05 PM, Valdis.Kletnieks at vt.edu wrote:

> On Thu, 24 Feb 2005 20:30:29 CST, "Clinton E. Troutman" said:
>
>> CS's statement would be correct if:
>> - it is known that a particular character position in any particular 
>> password
>> *must* contain *only* a numeric, or
>
> But actually, you *DO* know that for many cases.  For instance, if 
> there
> is a *requirement* that at least 1 position have a numeric, you can 
> not bother
> trying all the combinations that don't have at least 1 digit.  So if 
> you're
> brute-forcing, and the min length is 8, and you're testing  'aaaaaaa' 
> and
> another character, you can only try 10 and be done, rather than all 96 
> printables.
> Similarly for *aaaaaaa, a*aaaaaa, aa*aaaaa, and so on...
>
> To mathematically model it, let's say you have 8 positions and 96 
> usable chars.
> If all 8 are free, you have 96^8.  If you force a digit, you only have 
> 10*96^7
> (or only about 10% of the space).  If you force a digit and a 
> "special", you're
> down to 10*96^6*34, or about 3% of the original space.
>
> A *better* way is the way that Fedora Core's 'pam_cracklib' does it:
>
>         minlen=N        The minimum simplicity count for a good 
> password.
>
>         dcredit=N
>         ucredit=N
>         lcredit=N
>         ocredit=N       Weight, digits, upper, lower, other characters 
> with
>                         count N. Use these values to compute the
>                         'unsimplicity' of the password.
>
> So you can say, for instance, that you need to score at least 15 
> points. Let's
> say we have d/u/l/o credit of 2/2/1/3 - so you can get there with a 
> password of
> 15 lower case chars, or 10 lower case, a digit, and a 'other', or 11 
> lower case
> and 2 digits, or....  If you use a minlen of 20 or so with the weights 
> I
> listed, you're creating a *HUGE* space an attacker has to choose 
> through - and
> users can still come up with some easily memorable passphrases or 
> whatever.  If
> they don't want to type a lot, they can get to 21 points with just 7 
> special
> characters and no letters/numbers at all. ;)
>
> This way, you lose a *lot* less entropu, because no one position is 
> "forced"
> because there's more than one way to get the needed points....
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog




More information about the unisog mailing list