[unisog] [Fwd: Is the current password std flawed?]
michael.holstein at csuohio.edu
Fri Feb 25 14:48:09 GMT 2005
> By asking that all passwords must have a numeric and a special character
> we are making it easier for cracking tools because we have effectively
> reduced the "pool" of possible password combinations; e.g. no need to
> check for a password such as "gHsrYBoZ" as this would be rejected as not
Mathematically speaking, he/she's correct. But the "brute force" mode is
seldom actually required to get at least one halfway-useful password. In
my experience doing (legitimate) password audits, I get better than half
during the dictionary or hybrid phase (with common substitutions turned
on). In all cases, this has included at least one admin or service account.
Therefore, I'd say that enforcing some degree of complexity (without
being overly specific like saying a number must occupy a particular
character position) is better than letting users pick their own
passwords (we all know the dog's name, kid's birthday, etc. will be
their first choice if left to their devices).
However, the enforced degree of complexity is directly proportional to
the probability you'll find the password on a post-it under the
keyboard, admins not excepted.
Furthermore, users are quite adept at devising passwords that meet our
(IT) requirements but are still really easy. You require 8 characters
with 3/4 types, they'll pick 'M1chael' (my name) instead of the simple
'michael'. Any cracker would get that in a few seconds.
If you want really secure passwords, the idea has always been to use
multifactor involving a token or biometric.
Michael Holstein CISSP GCIA
Cleveland State University
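To put numbers on the keyspace argument quoted above and on the 'M1chael' problem, here is an added example that is not part of the original post or the unisog thread: it counts 8-character strings that satisfy a mandatory digit-plus-special-character rule by inclusion-exclusion, and shows a policy check that undoes common substitutions before a dictionary lookup. The 95-character alphabet split, the substitution map and the tiny word list are my assumptions.

```python
import math
from itertools import combinations

# Assumed character classes: the 95 printable ASCII characters.
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 33
ALPHABET = LOWER + UPPER + DIGIT + SPECIAL  # 95


def constrained_keyspace(length, required=(DIGIT, SPECIAL), alphabet=ALPHABET):
    """Count strings of `length` that contain at least one character from
    every class in `required`, by inclusion-exclusion over the subsets of
    classes that are absent (k absent classes carry sign (-1)**k)."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total


def fraction_removed(length, required=(DIGIT, SPECIAL), alphabet=ALPHABET):
    """Share of the unconstrained keyspace the policy rules out."""
    return 1 - constrained_keyspace(length, required, alphabet) / alphabet ** length


def bits_lost(length, required=(DIGIT, SPECIAL), alphabet=ALPHABET):
    """Same reduction expressed as bits of brute-force work removed."""
    return -math.log2(1 - fraction_removed(length, required, alphabet))


# Assumed reverse map for the usual digit/symbol swaps (1->i, 0->o, @->a ...).
_DESUBST = str.maketrans("0134578@$!", "oieastbasi")
_TRAILING = "0123456789!@#$%^&*"


def looks_like_substituted_word(password, wordlist):
    """Policy check: flag a password that is a dictionary word with common
    substitutions and/or a trailing digit/symbol, e.g. 'M1chael'."""
    lowered = password.lower()
    candidates = {
        lowered.translate(_DESUBST),
        lowered.rstrip(_TRAILING).translate(_DESUBST),
    }
    return any(c in wordlist for c in candidates)


if __name__ == "__main__":
    words = {"michael", "password", "cleveland"}  # constructed word list
    print(f"8-char keyspace removed by policy: {fraction_removed(8):.1%}")
    print(f"brute-force bits lost: {bits_lost(8):.2f}")
    for pw in ("M1chael", "P@ssw0rd1!", "gHsrYBoZ"):
        print(pw, "flagged" if looks_like_substituted_word(pw, words) else "ok")
```

The policy does shrink the pool, but by well under one bit of brute-force work, while the substitution check catches the passwords a hybrid pass would recover in seconds.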