Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ADS Password Storage Protection

from [Eoin Miller] Network Security [Permanent Link]
Subject: Re: ADS Password Storage Protection
Date: Tue, 18 Jul 2006 16:54:57 -0400
Roger A. Grimes wrote:
Length is always more important than complexity because password
keyspace is expressed as Y^X, where Y is the number of possible
characters and X is the password length. Thus, any similar increase in X
has significantly more impact than to Y. 

Roger,

That relies upon the assumption of all attackers performing attacks that attempt all possible characters all the time. In most attempts to break passwords, the attacker will remove the uncommonly used characters from being attempted. Since users try and follow the bare minimum requirements, not adding complexity requirements can have a detrimental effect. Consider the following hypothetical situation:

An internal employee has sniffed hashes from a network (we will assume there are no shortcuts/weaknesses in the algorithm). The internal company policy only requires 8 character length passwords and nothing more. Which will be broken first by the attacker who is only trying to crack a hash with lowercase letters [a-z]?

A hash generated from a 10 character password that was created with only lowercase [a-z].

or

A hash generated from a 8 character password that was created with lowercase [a-z], uppercase [A-Z], numerical [0-9].

The likely combinations to guess are not only derived from the length of the password but also from the minimum requirements instituted by the password policy. Having password complexity requirements forces attackers into using more possible combinations. I will not argue that length or complexity is more important than the other because situations can arise that expose the weakness of either. Both are required (and complement each other) when instituting a sound password policy.

--Eoin

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ADS Password Storage Protection-4 Books for 4 Characters, dave kleiman
Next by Date:  RE: ADS Password Storage Protection, Roger A. Grimes
Previous by Thread:  RE: Re: Re: RE: ADS Password Storage Protection, Harold Winshel
Next by Thread:  RE: ADS Password Storage Protection, Roger A. Grimes
Indexes:  [Date] [Thread] [Top] [All Lists]