[unisog] Password policies

Cosmin Stejerean cstejerean at gmail.com
Wed Apr 19 22:26:49 GMT 2006


I don't understand the constant worry that users can't remember their
password so they have to write it down. I cannot see how someone
logging in to the same workstation couple of times a day (people do
lock their machines when they step away, right?) is going to forget a
password. Sure, it might be difficult to remember the first couple of
times but after that you should be able to type it with your eyes
closed.

Secondly, the big problem is user education. Users need to be educated
on how to pick passwords that are easy to remember, hard to guess by
another human and difficult for a computer to crack. Take a phrase
like "I think frequent password changes are useless!" and transform it
to something like "I#th!nk#fr3qu3nt#p@$$w0rd#ch@ng3$#@u$!3$$!" by
doing simple character substitution. All you have to do is remember
which substitutions you have made, heck write down the substitutions
if you have to until you get used to it. I have yet to see a
rainbow table that can crack this kind of password (assuming you're not
using LM on a Windows network but that's a separate issue altogether)
and it will take a decent amount of time to try to brute-force all
possible combinations. And changing this type of password frequently
is not hard at all, all you do is pick a new phrase. Certainly I can
see some theoretical attacks on this but they will most likely create
specialized crackers that are bound to only work in limited situations
and will require a sophisticated attacker that will probably be smart
enough to find another way into the system.

For this exact reason I think password requirements should be a minimum
of 20 characters and require upper case, lower case, numbers and special
characters, with at least 3 from each category. The problem I have is
when institutions like my bank (I won't mention names) require that
my password be a maximum of 8 characters and they don't allow special
characters in the password, they go ahead and store my password in the
clear (or some sort of reversible encryption in some database) and
then send it to me via plaintext email when I click the "forgot
password" link.

On 4/19/06, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
> On Wed, 19 Apr 2006 10:42:46 PDT, Saqib Ali said:
> > > Requiring frequent changes only pushes people to writing the passwords
> > > on sticky notes stuck to their monitors.  Is there any data to support
> > > the idea that changing every 3 months is better than changing every
> > > 3 decades?
> >
> > Of course. It depends on how long it takes to crack / guess a
> > password. If a hybrid brute-force attack takes 3 months to crack a
> > password, then having a password lifetime of 3 decades would be pretty
> > foolish.
> >
> > The password expiration should be set to a time period that is LESS
> > than the amount of time required to brute-force a password.
>
> If you have *any* sort of sane "max logon attempts/minute" rate restriction,
> this shouldn't be a concern.  Remember that to brute force a password, the
> attacker needs an oracle that will tell them if a given guess is correct or not.
>
> If the attacker has gotten your system to cough up a hash, it's probably
> pretty fast to attack it with either a botnet or rainbow tables.  So if that's
> part of the threat model, the users are going to be changing passwords daily.
> Sounds like the old S/Key all of a sudden.. ;)
>
> And if the attacker doesn't have a hash, all you have to do is restrict them to
> a guess a second and they'll be at it for years... ;)


--
Cosmin Stejerean
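A small model of the argument in this thread, added here and not part of anyone's message: it computes how long exhausting a policy's keyspace takes under an online, lockout-throttled guess rate versus an offline attack on a leaked hash, and applies the "expiration must be shorter than the search time" criterion. The offline guess rate and the lockout figures are constructed assumptions, not measurements.

```python
"""Model the thread's password-expiration argument: keyspace of a policy divided by
the attacker's guess rate, compared against the password lifetime.
Added example; the offline guess rate is a constructed assumption, not a benchmark."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


@dataclass(frozen=True)
class Policy:
    length: int   # password length in characters
    charset: int  # allowed alphabet size (62 = letters+digits, 94 = printable ASCII)


def keyspace(policy: Policy) -> int:
    """Upper bound on candidates; composition rules such as "3 per category"
    only shrink this, so it is the attacker's worst case."""
    return policy.charset ** policy.length


def online_rate_from_lockout(attempts: int, window_seconds: int) -> float:
    """Guess rate a 'max logon attempts per window' restriction leaves an attacker."""
    return attempts / window_seconds


def seconds_to_exhaust(policy: Policy, guesses_per_second: float) -> float:
    return keyspace(policy) / guesses_per_second


def years_to_exhaust(policy: Policy, guesses_per_second: float) -> float:
    return seconds_to_exhaust(policy, guesses_per_second) / SECONDS_PER_YEAR


def expiration_beats_attack(policy: Policy, guesses_per_second: float,
                            expiration_days: int) -> bool:
    """The thread's criterion: the lifetime must be shorter than the search time."""
    return expiration_days * SECONDS_PER_DAY < seconds_to_exhaust(policy, guesses_per_second)


# Policies from the thread: the bank's 8 alphanumerics vs the proposed 20 mixed chars.
BANK = Policy(length=8, charset=62)
LONG = Policy(length=20, charset=94)
# Attacker models from the thread; the offline figure is a constructed assumption.
ONLINE_RATE = online_rate_from_lockout(attempts=60, window_seconds=60)  # one guess/second
OFFLINE_RATE = 1e9  # assumed cracking speed against a leaked fast, unsalted hash

if __name__ == "__main__":
    for name, pol in (("bank", BANK), ("20-char", LONG)):
        for label, rate in (("online", ONLINE_RATE), ("offline", OFFLINE_RATE)):
            print(f"{name:8s} {label:8s} {years_to_exhaust(pol, rate):.3g} years; "
                  f"90-day expiry helps: {expiration_beats_attack(pol, rate, 90)}")
```

With these figures the 8-character bank password survives millions of years of throttled online guessing but falls to the offline model in days, which is the thread's point that a sane rate limit matters more than the rotation interval, and that once a hash leaks no practical expiration keeps up.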
