A couple of general comments.
For many people, 6 characters 'has a nice feel to it', minimises password
guessing in a ~30 day change window _when_ 5 failures == account lock.
I don't understand why people would use annual or 90-day change windows,
personally.
In other words, password length, complexity, change period and failure
thresholds need to be considered as one security control, not individually,
imho.
Lots of banks only require 6 characters for online banking, or even just 6
digits.
RACF-enabled IBM mainframes (os/390, zOS etc) are typically limited to 8
characters maximum length.
Rainbow tables make password up to around 8 characters easy to crack, if the
attacker has the time to pre-compute the tabes. Making rainbow tables beyond
8 is long term planning, and somewhat disk intensive for script-kiddy level
attacks.
NTLM hases are trivial - effective max password length is 7, or 2x7
'passwords'
Seriously motivated attacks will be internal, and have other ways to
get/guess passwords imho, or get in via other means (local access the
escalate or remote access then escalate), since it's probably quicker to
attack via means other than password cracks/guesses at 8+ character lengths.
If your threat model includes being up against government/fortune500
resources, then passwords are the least of your problems since they are
after information, not system access.
Lyal
-----Original Message-----
From: Mike Dieroff [mailto:michael@bluescreenit.co.uk]
Sent: Friday, 20 January 2006 4:39 AM
To: Sulaiman, Wilmar
Cc: pen-test@securityfocus.com
Subject: Re: Secure Password Policy?
Hi there,
As far as I remember, the NTLANMAN hash maxed at 8 and LM hashes at 13
characters... could be corrected...
I have not really heard of any 'secure' implementation with 6 character
passwords - The minimum today would be:
1.) Password length: 8 characters
2.) Full complexity: Upper and lower case, numerals, alphanumerics <----
Don't forget the spacebar here!!always a good one!
3.) Max age average of around 40 - 60 days dependant
4.) History of around 10 passwords
Hope this helps,
Mike
----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers
do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
