Network Security Pen-Test

Re: FW: Secure Password Policy?

Subject: Re: FW: Secure Password Policy?
Date: 21 Jan 2006 08:59:47 -0000
NIST has published guidelines on password strength that the OMB and Homeland 
Security have apparently pledged support for under FISMA, at least this was 
what the government guys at the OWASP conference said.  In any case check out 
Appendix A of the document at 
http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf .... I 
strongly encourage you to check out this part of the paper as the assertions 
made about what makes a password "strong enough" are pretty enlightening.

It all comes down to entropy to protect against a guessing or brute force 
attack, and length to protect against a dictionary attack.  But entropy / 
randomness drops dramatically when a user CHOOSES their password (making 
guessing exponentially easier).  My suggestion would be to look at the 4 levels 
of security outlined in the document and equate those to the needs of your 
environment.  Note that levels 3 and 4 both require multi-factor authentication 
(i.e. passwords are dead for highly sensitive resource protection).

If you think an asset that an account has privileges to is somewhat worth 
protecting and that passwords are still viable, an (average) entropy of 20-30 
bits (with an appropriate lock-out policy, say one minute after 3 wrong 
attempts) is probably sufficient in terms of guessing attacks.  This translates 
to passwords with a length between 5-8 characters (that also pass a 50,000 word 
dictionary test and contain capitals, special characters, and numbers).  The 
NIST document has a nice table outlining entropy levels for passwords of 
various lengths and with various assumptions about password policy; this is not 
100% accurate data as the document explains, but is NIST's best estimate on 
AVERAGE entropy for passwords.

If you are protecting a privileged set of resources / account, you might want 
to require up to 40 bits of (average) entropy.  In practice, 40-bits translates 
to an 18-20 character pass phrase, assuming the use of at least one capital 
letter + one or more numbers + one or more special characters (dictionary tests 
lose their value at this length per the NIST guidelines).

Again, entropy is helping defeat guessing attacks and brute force, but length 
is your best defense against dictionary attacks ... thus for what I'd consider 
level 2 security, I'd require 20 characters instead of 18.  This should be 
sufficient to avoid any rainbow table attack in the foreseeable future (or at 
least within a reasonable lifetime for the password).  Note there are rainbow 
tables in existence that pre-hash anything in the 94-character range 
(everything you can hit on the keyboard, including space) up to 12 character 
passwords ... if you're worried about this attack, you probably want to require 
14 characters for Level 1 IMHO.

Hope this helps.
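The arithmetic behind the figures in the message above, as an added illustration that is not part of the original post: it turns an entropy estimate, a lockout policy ("3 wrong attempts, then one minute") and a password lifetime into an online-guessing success chance, and sizes the keyspace a precomputed table must cover for a 94-character alphabet. The success threshold and the 90-day lifetime are constructed inputs, not values from the post or from NIST.

```python
from math import log2

# Added illustration, not code from the original post. Models a single
# account whose only brake on guessing is the lockout policy.

MINUTES_PER_DAY = 24 * 60


def online_guess_budget(attempts_before_lockout: int, lockout_minutes: float,
                        lifetime_days: float) -> float:
    """Guesses an attacker gets at one account over the password's lifetime,
    assuming every lockout window is used to the full (worst case)."""
    lockout_cycles = lifetime_days * MINUTES_PER_DAY / lockout_minutes
    return attempts_before_lockout * lockout_cycles


def guessing_success_probability(entropy_bits: float, attempts_before_lockout: int,
                                 lockout_minutes: float, lifetime_days: float) -> float:
    """Chance the guessing attack succeeds, treating the entropy estimate as
    log2 of the effective guess space (the post's 'average entropy')."""
    budget = online_guess_budget(attempts_before_lockout, lockout_minutes, lifetime_days)
    return min(1.0, budget / 2.0 ** entropy_bits)


def max_lifetime_days(entropy_bits: float, target_probability: float,
                      attempts_before_lockout: int, lockout_minutes: float) -> float:
    """Longest lifetime that keeps the success chance under a chosen target
    (the target is a policy input supplied by the caller)."""
    allowed_guesses = target_probability * 2.0 ** entropy_bits
    guesses_per_day = attempts_before_lockout * MINUTES_PER_DAY / lockout_minutes
    return allowed_guesses / guesses_per_day


def keyspace_bits(alphabet_size: int, max_length: int) -> float:
    """log2 of the count of all passwords of length 1..max_length, i.e. the
    space an exhaustive precomputed (rainbow) table has to cover."""
    total = sum(alphabet_size ** n for n in range(1, max_length + 1))
    return log2(total)


if __name__ == "__main__":
    for bits in (20, 30, 40):
        p = guessing_success_probability(bits, 3, 1, 90)
        print(f"{bits} bits, 3 tries/min, 90-day lifetime: success chance {p:.2e}")
    print(f"94-char alphabet, <=12 chars: {keyspace_bits(94, 12):.1f} bits of keyspace")
    print(f"94-char alphabet, <=14 chars: {keyspace_bits(94, 14):.1f} bits of keyspace")
```

Run stand-alone it shows that 20 bits under the post's lockout policy leaves roughly a one-in-three success chance over a 90-day lifetime, while 30 bits brings it below 1 in 2,000; the keyspace figures show why moving the minimum length from 12 to 14 characters adds about 13 bits to what a table would have to precompute.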

