RE: ADS Password Storage Protection

Subject: RE: ADS Password Storage Protection
Date: Fri, 21 Jul 2006 08:22:42 -0400
--See below. 

-----Original Message-----
From: Harold Winshel [mailto:winshel@camden.rutgers.edu] 
Sent: Friday, July 21, 2006 6:46 AM
To: Roger A. Grimes; Depp, Dennis M.; security-basics@securityfocus.com
Subject: RE: ADS Password Storage Protection

Roger,

Thanks for the great detailed answer.

Regarding the shorter complex passwords, my understanding is that the
reason many organizations recommend a complex password but only up to 8
characters long is because many unix systems don't support a password
longer than that.  

--Some mainframes and older systems only support 6 and 7 character
passwords.

And the organizations don't want to tell the users to use an 8-character
password for their unix systems but to use 15 characters for their
Windows systems.  So they keep it simple and just have one short
(8-character) password policy.

--True. It's a management decision. It's just that at 8 characters, it's
really pretty easy to crack even with "complexity".

And if the password is only going to be 8 characters, it needs to be
complex for dictionary attack and other similar reasons.

--Yes, that's many times the reasoning. But it is a little strange to
weaken all other systems because of one poor system, don't you think?

For purposes of a password policy for windows users - if I understand
your comments - we would suggest a 15-character minimum password, and it
can be a passphrase, but we should try to make it something that
wouldn't appear in some body of work that would be a candidate for
digitizing for purposes of a password attack.

--A min. of 15 character passwords is my suggestion for admin and root
passwords. Non-privileged users can be given something shorter. What
size? That's up to mgmt and IT...but I personally believe 10 characters
should be the minimum, just because it stops the casual attacker fairly
well.  It's up to you, if you want to use complexity, but a 10-character
password is somewhat resistant to attack, especially if the attacker
isn't sure whether or not complexity is required.

I'm not suggesting that it needs to be a phrase that never appeared in
any book or newspaper or magazine or any periodical in the history of
the world.  But if I wanted to pick out two or three books that I would
not want the passphrase to appear in, I would exclude a popular book of
quotes (such as Bartlett's Book of Quotations).

--Many people already have such a password dictionary, including me.

Given that, would you think that changing just one or two characters of
a passphrase would make it a strong passphrase.  For instance:

Frankly, my dear, I don't give a damn.

Frankly, my d*ar, I don't give a damn.

For protection against a passphrase attack, I would hope that the second
passphrase would make it a much stronger passphrase.

A passphrase that is a real phrase would make it easier for users to
remember their password, but if it could be made much stronger by
changing only one character it would be less of a burden on the users to
remember.

I appreciate your thoughts.

--Yes, by all means include complexity if you want. It does complicate
cracking considerably. My argument is that franklyidontgiveadamn is just
as uncrackable in practical terms as a complex password, until we start
seeing true passphrase crackers. What frustrates me though are all the
systems that will accept Password2 as complex, but not
youllneverguessmypasswordinathousandyearsormore.

