[unisog] [Fwd: Is the current password std flawed?]

Brown, Matthew A. mbrown at highpoint.edu
Fri Feb 25 15:15:48 GMT 2005

.... and hopefully these problems will all be resolved in the next 3-7
years by affordable, reliable biometric solutions.

Matthew Brown
High Point University

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Michael Holstein
Sent: Friday, February 25, 2005 9:48 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] [Fwd: Is the current password std flawed?]

> By asking that all passwords must have a numeric and a special
> we are making it easier for cracking tools because we have effectively
> reduced the "pool" of possible password combinations; e.g. no need to
> check for a password such as "gHsrYBoZ" as this would be rejected as
> valid.

Mathematically speaking, he/she's correct. But the "brute force" mode is

seldom actually required to get at least one halfway-useful password. In

my experience doing (legitimate) password audits, I get better than half

during the dictionary or hybrid phase (with common substitutions turned 
on). In all cases, this has included at least one admin or service

Therefore, I'd say that enforcing some degree of complexity (without 
being overly specific like saying a number must occupy a particular 
character position) is better than letting users pick their own 
passwords (we all know the dog's name, kid's birthday, etc. will be 
their first choice if left to their devices).

However, the enforced degree of complexity is directly proportional to 
the probability you'll find the password on a post-it under the 
keyboard, admins not excepted.

Furthermore, users are quite adept at devising passwords that meet our 
(IT) requirements but are still really easy. You require 8 characters 
with 3/4 types, they'll pick 'M1chael' (my name) instead of the simple 
'michael'. Any cracker would get that in a few seconds.

If you want really secure passwords, the idea has always been to use 
multifactor involving a token or biometric.

My $0.02.

Michael Holstein CISSP GCIA
Cleveland State University
unisog mailing list
unisog at lists.sans.org

More information about the unisog mailing list