[unisog] [Fwd: Is the current password std flawed?]
jbarlow at ncsa.uiuc.edu
Fri Feb 25 15:25:37 GMT 2005
Here's another approach to passwords:
"Why you shouldn't be using passwords of any kind..."
On Fri, Feb 25, 2005 at 08:50:34AM -0600, Megan Carney wrote:
> While technically I think it's correct that restricting any passwords
> in a pool of possibilities decreases the total number of passwords,
> most of the password crackers I've seen don't do random passwords.
> They try the easily guessed passwords that are all characters, or like
> the username, etc. So it makes sense to force users to choose passwords
> that are hard to guess.
> On Feb 24, 2005, at 11:05 PM, Valdis.Kletnieks at vt.edu wrote:
> >On Thu, 24 Feb 2005 20:30:29 CST, "Clinton E. Troutman" said:
> >>CS's statement would be correct if:
> >>- it is known that a particular character position in any particular
> >>*must* contain *only* a numeric, or
> >But actually, you *DO* know that for many cases. For instance, if
> >is a *requirement* that at least 1 position have a numeric, you can
> >not bother
> >trying all the combinations that don't have at least 1 digit. So if
> >brute-forcing, and the min length is 8, and you're testing 'aaaaaaa'
> >another character, you can only try 10 and be done, rather than all 96
> >Similarly for *aaaaaaa, a*aaaaaa, aa*aaaaa, and so on...
> >To mathematically model it, let's say you have 8 positions and 96
> >usable chars.
> >If all 8 are free, you have 96^8. If you force a digit, you only have
> >(or only about 10% of the space). If you force a digit and a
> >"special", you're
> >down to 10*96^6*34, or about 3% of the original space.
> >A *better* way is the way that Fedora Core's 'pam_cracklib' does it:
> > minlen=N The minimum simplicity count for a good
> > dcredit=N
> > ucredit=N
> > lcredit=N
> > ocredit=N Weight, digits, upper, lower, other characters
> > count N. Use these values to compute the
> > 'unsimplicity' of the password.
> >So you can say, for instance, that you need to score at least 15
> >points. Let's
> >say we have d/u/l/o credit of 2/2/1/3 - so you can get there with a
> >password of
> >15 lower case chars, or 10 lower case, a digit, and a 'other', or 11
> >lower case
> >and 2 digits, or.... If you use a minlen of 20 or so with the weights
> >listed, you're creating a *HUGE* space an attacker has to choose
> >through - and
> >users can still come up with some easily memorable passphrases or
> >whatever. If
> >they don't want to type a lot, they can get to 21 points with just 7
> >characters and no letters/numbers at all. ;)
> >This way, you lose a *lot* less entropy, because no one position is
> >because there's more than one way to get the needed points....
> >unisog mailing list
> >unisog at lists.sans.org
James J. Barlow <jbarlow at ncsa.uiuc.edu>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
605 East Springfield Avenue, Champaign, IL 61820
http://www.ncsa.uiuc.edu/~jbarlow
Voice : (217)244-6403   Cell : (217)840-0601   Fax : (217)244-1987
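The weighted-credit scoring and the forced-position arithmetic from the quoted message, written out as an added Python example (not code from the thread or from pam_cracklib itself) so a policy can be checked against candidate passwords. The 2/2/1/3 weights, the 15-point threshold, the 96-character alphabet and the 10*96^7 model are taken from the message; the class sizes 26/26/34 and the character classifier are my assumptions.

```python
from math import prod

# Credits per character class: the d/u/l/o = 2/2/1/3 example from the thread.
WEIGHTS = {"digit": 2, "upper": 2, "lower": 1, "other": 3}
MIN_SCORE = 15      # "you need to score at least 15 points"
ALPHABET = 96       # usable printable characters, as in the thread


def classify(ch):
    """Map one character to the class its credit is drawn from (assumed rule)."""
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "other"      # punctuation, space, anything else printable


def score(password, weights=WEIGHTS):
    """Per-character weighting as the thread describes it: every character
    adds its class credit, so 15 lower-case chars, or 10 lower + a digit +
    an 'other', or 11 lower + 2 digits all reach 15 points."""
    return sum(weights[classify(c)] for c in password)


def passes(password, min_score=MIN_SCORE, weights=WEIGHTS):
    """Policy check: does the password reach the required point total?"""
    return score(password, weights) >= min_score


def shortest_passing_length(min_score=MIN_SCORE, weights=WEIGHTS):
    """Fewest characters that can satisfy the threshold: use only the
    highest-weight class (seven 'other' chars already give 21 points)."""
    best = max(weights.values())
    return -(-min_score // best)        # ceiling division


def forced_position_fraction(length, forced_sizes, alphabet=ALPHABET):
    """Fraction of the alphabet**length space that remains when each listed
    class is pinned to its own position: the thread's 10*96^7 (one digit)
    and 10*96^6*34 (digit plus 'special') figures, as a ratio."""
    forced_sizes = tuple(forced_sizes)
    free = alphabet ** (length - len(forced_sizes))
    return prod(forced_sizes) * free / alphabet ** length


if __name__ == "__main__":
    for pw in ("abcdefghijklmno", "abcdefghij1!", "!@#$%^&", "abcdefgh"):
        print(f"{pw!r:20} score={score(pw):2} passes={passes(pw)}")
    print("digit forced:", forced_position_fraction(8, (10,)))
    print("digit+special forced:", forced_position_fraction(8, (10, 34)))
```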