[unisog] Password policies

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Wed Apr 19 18:10:56 GMT 2006


On Wed, 19 Apr 2006 10:42:46 PDT, Saqib Ali said:
> > Requiring frequent changes only pushes people to writing the passwords
> > on sticky notes stuck to their monitors.  Is there any data to support
> > the idea that changing every 3 months is better than changing every
> > 3 decades?
> 
> Of course. It depends on how long it takes to crack / guess a
> password. If a hybrid-brute-force attack takes 3 months to crack a
> password, then having a password lifetime of 3 decades would be pretty
> foolish.
> 
> The password expiration should be set to a time period that is LESS
> than the amount of time required to brute-force a password.

If you have *any* sort of sane "max logon attempts/minute" rate restriction,
this shouldn't be a concern.  Remember that to brute force a password, the
attacker needs an oracle that will tell them if a given guess is correct or not.

If the attacker has gotten your system to cough up a hash, it's probably
pretty fast to attack it with either a botnet or rainbow tables.  So if that's
part of the threat model, the users are going to be changing passwords daily.
Sounds like the old S/Key all of a sudden.. ;)

And if the attacker doesn't have a hash, all you have to do is restrict them to
a guess a second and they'll be at it for years... ;)
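Added example, not part of the original list message: a small model of the two cases the reply contrasts. A per-account "max attempts per minute" limiter bounds what an online guesser can do against the login oracle, while a leaked hash removes that bound entirely. The limiter, the 62^8 candidate space and the 1e9 hashes/second offline rate are all constructed assumptions, not figures from the thread.

```python
"""Added example (not from the unisog thread): per-account login rate
limiting versus offline hash cracking.

All parameters below (10 attempts per minute, an 8-character alphanumeric
space, 1e9 offline hashes/second) are constructed assumptions.
"""
from collections import defaultdict, deque

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SECONDS_PER_DAY = 24 * 3600


class LoginRateLimiter:
    """Sliding-window limit: at most `max_attempts` per account per `window` s.

    Only admitted attempts are recorded, so a flood of refused guesses does
    not extend the window; an attacker cannot keep a legitimate user locked
    out simply by hammering the account.
    """

    def __init__(self, max_attempts, window):
        self.max_attempts = max_attempts
        self.window = float(window)
        self._attempts = defaultdict(deque)  # account -> timestamps

    def allow(self, account, now):
        q = self._attempts[account]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

    def guesses_per_second(self):
        """Upper bound on the rate an online guesser can sustain per account."""
        return self.max_attempts / self.window


def simulate_burst(limiter, account, n, start=0.0, spacing=0.01):
    """Fire n guesses `spacing` seconds apart; return (admitted, refused)."""
    admitted = sum(
        1 for i in range(n) if limiter.allow(account, start + i * spacing)
    )
    return admitted, n - admitted


def seconds_to_exhaust(space_size, guesses_per_second):
    """Worst case for the attacker: every candidate tried once."""
    return space_size / guesses_per_second


def compare_threats(space_size, limiter, offline_hashes_per_second):
    """Time to exhaust the space through the rate-limited oracle vs. offline."""
    online = seconds_to_exhaust(space_size, limiter.guesses_per_second())
    offline = seconds_to_exhaust(space_size, offline_hashes_per_second)
    return {
        "online_years": online / SECONDS_PER_YEAR,
        "offline_days": offline / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    limiter = LoginRateLimiter(max_attempts=10, window=60)
    # 100 guesses inside one second: only the first 10 reach the oracle.
    print("burst (admitted, refused):", simulate_burst(limiter, "alice", 100))
    # Constructed space: 8 characters from a 62-symbol alphabet.
    print(compare_threats(62 ** 8, LoginRateLimiter(10, 60), 1e9))
```

With these assumptions the rate-limited online path takes tens of millions of years to exhaust, while the offline path against a leaked hash finishes in a few days, which is the point of the reply: an expiration interval chosen to beat a cracking time only matters once the hash is already gone.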