Just to chime in (not necessarily in response to your post Mike, just using
this as my response entry)
There really isn't a "best practice" to password length in generic terms.
Without a corresponding protocol and authentication model, there isn't much
value in assigning some arbitrary length to a password. Generally, the
longer the better, but it all depends on how the password is being stored
and/or transmitted.
Passwords sent via SMTP, POP3, HTTP (basic), etc can be any length and it
won't matter as they are transmitted in the clear (HTTP basic being Base64).
Passwords stored or sent in LM can be up to 14 characters, but the password
is stored as two independent 7 character hashes. (Someone posted about 8 and
13-- you were close ;) LM hashes are cracked in seconds. But the same
password authenticated on the wire via NTLM is far more secure.
If one gets access to the SAM on Windows box, then the password hash is
stored in both LM and NTLM for compatibility reasons. This can be turned
off via registry (or by having a password > 14 characters in Win2k+) but if
you don't do that and someone has access to an unencrypted SAM, they can
attack with LM cracks.
Then again, even with a 14 character NTLM password, rainbow table attacks
(or brute force attacks with the right equipment) can be successful in very
short periods of time. By contrast, a 6 character password authenticated
over NTLMv2 cannot be cracked via rainbow tables as domain/user information
is used during the negotiation as opposed to the password hash in
singularity.
I used to go for "complex" passwords and such, but for the last several
years (ever since Win2k allowed you to have 128 char pwd) I've gone for
simple, but long passphrases. As stated earlier, in general, the longer the
better. Some people think that "1*&ZdhfA" is secure, and it can be in the
right model, but user's won't remember that. Something like "I hate my boss
and want him to burst into flames" is much better, and about impossible to
crack with current methods (unless sent unsecured over the network.)
So, in short, "it all depends." ;)
t
-----
"I'll see your Llama and up you a Badger."
John T
----- Original Message -----
From: "Mike Harlan" <mike@spacedata.biz>
To: <pen-test@securityfocus.com>
Sent: Thursday, January 19, 2006 10:06 AM
Subject: FW: Secure Password Policy?
I believe that the 6-8 rule is in place because it would take an extremely
long time (or lucky guess) to crack the password at this length.
Especially
when used with the other recommended practices (uppercase, lowercase,
special characters, numbers). Also, remember that we have to put forth as
much effort to protect our info as we think that it is worth to us or our
customers.
-----Original Message-----
From: Sulaiman, Wilmar [mailto:wsulaiman@siddharta.co.id]
Sent: Thursday, January 19, 2006 5:12 AM
To: pen-test@securityfocus.com
Subject: Secure Password Policy?
Dear all,
I noticed that "best practice" for Minimum password length policy is
either
6 or 8 characters. I guess SANS institute considered a weak password if it
is less than 8 characters.
I would like to know where they derived the number (6 and 8 characters).
Is there any documentation to backup it up why the best practice for
minimum
password length is set to 6?
Wilmar Sulaiman
Risk Advisory Services
KPMG Siddharta Siddharta & Widjaja
32nd Floor, GKBI Building
28, Jl. Jend. Sudirman
Jakarta 10210, Indonesia
J : +62 (0) 21 574 2333
Fax : +62 (0) 21 574 1777
**********************************************************************
The information in this e-mail is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this e-mail
by anyone else is unauthorized. If you have received this communication in
error, please address with the subject heading "Received in error," send
to
postmaster@siddharta.co.id, then delete the e-mail and destroy any copies
of
it. If you are not the intended recipient, any disclosure, copying,
distribution or any action taken in reliance on it, is prohibited and may
be
unlawful. Any opinions or advice contained in this e-mail are subject to
the
terms and conditions expressed in the governing Siddharta Siddharta &
Widjaja/PT Siddharta Consulting client engagement letter. Opinions,
conclusions and other information in this e-mail and any attachments that
do
not relate to the official business of the firm are neither given nor
endorsed by it.
Siddharta Siddharta & Widjaja/PT Siddharta Consulting cannot guarantee
that
e-mail communications are secure or error-free, as information could be
intercepted, corrupted, amended, lost, destroyed, arrive late or
incomplete,
or contain viruses.
Siddharta Siddharta & Widjaja - Registered Public Accountants, registered
in
Indonesia, is a member firm of KPMG International. PT Siddharta
Consulting,
a limited liability company registered in Indonesia, is a member firm of
KPMG International. KPMG International is a Swiss cooperative of which all
KPMG firms are members. KPMG International provides no professional
services
to clients. Each member firm is a separate and independent legal entity
and
each describes itself as such.
This footnote also confirms that this e-mail message has been swept by
MIMEsweeper for the presence of computer viruses. See www.mimesweeper.com
for more information.
**********************************************************************
----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web
attacks
before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before
hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
