[unisog] Password policies

Sheila Hollenbaugh sheila.hollenbaugh at wright.edu
Thu Apr 20 10:59:48 GMT 2006

We have machines which only recognize the first 8 characters of the 
password.  You can have longer passwords, but only the first eight 
characters are significant.  So character substitution is not viable if 
the first eight letters are a dictionary word.  And requiring 20 
characters is not useful.

Cosmin Stejerean wrote:
> I don't understand the constant worry that users can't remember their
> password so they have to write it down. I cannot see how someone
> logging in to the same workstation a couple of times a day (people do
> lock their machines when they step away, right?) is going to forget a
> password. Sure, it might be difficult to remember the first couple of
> times but after that you should be able to type it with your eyes
> closed.
> Secondly, the big problem is user education. Users need to be educated
> on how to pick passwords that are easy to remember, hard to guess by
> another human and difficult for a computer to crack. Take a phrase
> like "I think frequent password changes are useless!" and transform it
> to something like "I#th!nk#fr3qu3nt#p@$$w0rd#ch@ng3$#@u$!3$$!" by
> doing simple character substitution. All you have to do is remember
> which substitutions you have made, heck write down the substitutions
> if you have to until you get used to it. I have yet to see a
> rainbow table that can crack this kind of password (assuming you're not
> using LM on a Windows network but that's a separate issue altogether)
> and it will take a decent amount of time to try to brute-force all
> possible combinations. And changing this type of password frequently
> is not hard at all, all you do is pick a new phrase. Certainly I can
> see some theoretical attacks on this but they will most likely create
> specialized crackers that are bound to only work in limited situations
> and will require a sophisticated attacker that will probably be smart
> enough to find another way into the system.
> For this exact reason I think password requirements should be minimum
> 20 characters and require upper case, lower case, numbers and special
> characters, with at least 3 from each category. The problem I have is
> when institutions like my bank (I won't mention names) requires that
> my password be maximum of 8 characters and they don't allow special
> characters in the password, they go ahead and store my password in the
> clear (or some sort of reversible encryption in some database) and
> then send it to me via plaintext email when I click the "forgot
> password" link.
> On 4/19/06, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
>>On Wed, 19 Apr 2006 10:42:46 PDT, Saqib Ali said:
>>>>Requiring frequent changes only pushes people to writing the passwords
>>>>on sticky notes stuck to their monitors.  Is there any data to support
>>>>the idea that changing every 3 months is better than changing every
>>>>3 decades?
>>>Of course. It depends on how long it takes to crack / guess a
>>>password. If a hybrid-brute-force attack takes 3 months to crack a
>>>password, then having a password lifetime of 3 decades would be pretty
>>>The password expiration should be set to a time period that is LESS
>>>than the amount of time required to brute-force a password.
>>If you have *any* sort of sane "max logon attempts/minute" rate restriction,
>>this shouldn't be a concern.  Remember that to brute force a password, the
>>attacker needs an oracle that will tell them if a given guess is correct or not.
>>If the attacker has gotten your system to cough up a hash, it's probably
>>pretty fast to attack it with either a botnet or rainbow tables.  So if that's
>>part of the threat model, the users are going to be changing passwords daily.
>>Sounds like the old S/Key all of a sudden.. ;)
>>And if the attacker doesn't have a hash, all you have to do is restrict them to
>>a guess a second and they'll be at it for years... ;)
>>unisog mailing list
>>unisog at lists.sans.org
> --
> Cosmin Stejerean

Sheila Hollenbaugh       Sr. Computer System Administrator (O-)
Wright State University  College of Engineering & Computer Science
Dayton, OH 45435         http://www.cs.wright.edu/people/staff/shollen/
sheila.hollenbaugh at wright.edu    Voice: (937) 775-5077  FAX: (937) 775-5009

They that weave networks shall be confounded.  --Isaiah 19:9 (KJV)
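The three technical points in this exchange (a system that keeps only the first eight characters, a password whose significant part is a dictionary word, and the gap between rate-limited online guessing and offline hash cracking) can be put into numbers. The following calculator is an added example, not code from anyone on the thread; the character-class sizes, the guess rates, the tiny wordlist and the sample passwords are all constructed assumptions.

```python
"""Back-of-the-envelope password policy checks (added example, not from
the thread).  Models a system that keeps only the first N characters of
a password, a dictionary word at the start of a password, and the gap
between online (rate-limited) and offline (hash) guessing."""
import math
import string
from typing import Optional

# Character-class sizes; 33 printable ASCII specials is an assumption.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = {"password", "welcome", "sunshine", "football", "letmein"}


def char_class(ch: str) -> str:
    """Classify one character into the four policy categories."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    return "special"


def effective_password(password: str, significant_chars: Optional[int] = None) -> str:
    """The part of the password the system actually compares.  Old
    crypt(3)-style systems keep only the first 8 characters; None means
    every character counts."""
    return password if significant_chars is None else password[:significant_chars]


def keyspace_bits(password: str, significant_chars: Optional[int] = None) -> float:
    """Rough brute-force cost in bits: effective length times log2 of the
    alphabet implied by the character classes actually present."""
    eff = effective_password(password, significant_chars)
    alphabet = sum(CLASS_SIZES[c] for c in {char_class(ch) for ch in eff})
    return len(eff) * math.log2(alphabet)


def dictionary_crackable(password: str, significant_chars: Optional[int] = None) -> bool:
    """True when the part that is checked is itself a dictionary word, so
    the substitutions and extra characters after it buy nothing."""
    return effective_password(password, significant_chars).lower() in WORDLIST


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at a given guess rate."""
    return 2.0 ** bits / guesses_per_second


def meets_policy(password: str, min_len: int = 20, per_class: int = 3) -> bool:
    """The policy proposed in the thread: a minimum length and at least
    per_class characters from each of the four classes."""
    counts = {c: 0 for c in CLASS_SIZES}
    for ch in password:
        counts[char_class(ch)] += 1
    return len(password) >= min_len and all(n >= per_class for n in counts.values())


if __name__ == "__main__":
    YEAR = 365 * 24 * 3600
    # Constructed candidates: a substituted passphrase, and a long password
    # whose first eight characters form a dictionary word.
    for pw in ("I#th!nk#fr3qu3nt#p@$$w0rd#ch@ng3$", "passwordXyz!2006#extra"):
        for n in (None, 8):
            bits = keyspace_bits(pw, n)
            print(f"{pw!r:38} first {str(n or 'all'):>3}: {bits:6.1f} bits, "
                  f"dictionary={dictionary_crackable(pw, n)}, "
                  f"online@1/s {seconds_to_exhaust(bits, 1) / YEAR:.3g} y, "
                  f"offline@1e9/s {seconds_to_exhaust(bits, 1e9) / YEAR:.3g} y")
```

Running it shows why the two earlier posts do not contradict each other: with eight significant characters, a 33-character passphrase collapses to roughly 51 bits, which is still many years of work at one guess per second but only weeks against a leaked hash at a billion guesses per second, and a password whose first eight characters spell a dictionary word falls to a wordlist no matter what follows them. The policy check is there so the proposed "20 characters, 3 from each class" rule can be tested against a candidate before it is adopted.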
