
| Subject: | RE: ADS Password Storage Protection |
|---|---|
| Date: | Mon, 24 Jul 2006 19:17:22 -0400 |
Theoretical password strength is X^L, where X is the number of possible characters that can be used (i.e. complexity) and L is the (max.) length of the password. Since L is the exponent, any change made to it is exponentially greater than a similar change in X. It's basic math.

Lots of people are misinterpreting my statement. Character for character is a crucial part. My critics might say that in real life, X and L are normally implemented in different increments. When an administrator increases complexity, they add an entire set of new characters (say going from just lower case to upper and lower case letters)...so that X would go from 26 to 52 with a single requirement change. But if your users only use a limited set of characters (some studies say X=32+-n) regardless of the true max. size of X, then increases in L can quickly help offset the weakness of lower practical uses of X.

So to correct my first sentence: to correctly calculate the password strength, X should be the number of possible characters in a password that would be used by most users, to get your users' effective password strength. You can't ignore the fact that users are more likely to type in P@55w0rd than `~%^&*() as their password. Well, you can, but then it takes you longer to crack real passwords if you pen test for a living.

One of the key statements I am promoting is that if you can't guarantee the entropy of X, and you can't in most cases, L becomes a bigger player than most people recognize in protecting real passwords. Now, yes, complexity added to any password or passphrase makes it stronger. I'm not doubting that. I can't doubt that. The math again. But systems should stop promoting complexity, which is falsely represented as stronger than it really is, while not considering the strength benefits of increased length.
-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq@planetcobalt.net]
Sent: Saturday, July 22, 2006 12:43 AM
To: security-basics@securityfocus.com
Subject: Re: ADS Password Storage Protection

On 2006-07-20 Roger A. Grimes wrote:

> Here is my statement: That password length is a better defender of passwords than complexity, character for character, and that length should at least be given equal treatment when creating strong passwords.

I agree with the latter of your statement, but the former is plain wrong. Length and complexity are equivalent, i.e. you can increase either length or complexity (or both of course) to make a stronger password. That's pretty obvious if you think about e.g. base64-encoding a password: the encoding increases the length and decreases the complexity, but doesn't affect the strength at all. It's due to the physical limitations of keyboards that it's usually easier to increase the length than the complexity.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
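The two claims in this exchange, worked through as an added example that is not part of either post: the keyspace X^L expressed in bits, how much extra length over the "effective" charset (the X=32 figure Grimes cites, taken here as an assumption) is needed to regain the theoretical strength of an 8-character printable-ASCII password, and Ansgar's base64 point that raising length while lowering per-symbol complexity leaves the strength unchanged.

```python
import base64
import math
import os


def keyspace_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of `length` symbols
    drawn from `charset_size` symbols: log2(X^L) = L * log2(X)."""
    return length * math.log2(charset_size)


def length_to_match(target_bits: float, charset_size: int) -> int:
    """Shortest length L over a charset of size X such that X^L >= 2^target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def compare_policies() -> dict:
    """Theoretical vs effective strength of an 8-character password.
    95 = printable ASCII (the true max. X); 32 = the 'X=32+-n' figure the
    thread cites for what users actually type (assumption taken from the thread)."""
    theoretical = keyspace_bits(95, 8)
    effective = keyspace_bits(32, 8)
    return {
        "theoretical_bits": round(theoretical, 1),
        "effective_bits": round(effective, 1),
        # extra length over the effective charset needed to regain the
        # theoretical strength: the length-vs-complexity trade-off in practice
        "length_to_regain": length_to_match(theoretical, 32),
    }


def base64_preserves_strength(raw_len: int = 9) -> tuple:
    """Ansgar's example: base64 raises the length and lowers the per-symbol
    complexity, yet the keyspace in bits is unchanged (9 random bytes -> 12
    base64 chars with no padding; constructed input, random each run)."""
    raw = os.urandom(raw_len)
    encoded = base64.b64encode(raw).decode()
    before = keyspace_bits(256, raw_len)
    after = keyspace_bits(64, len(encoded))
    return round(before, 6), round(after, 6), len(encoded)


if __name__ == "__main__":
    print(compare_policies())
    print(base64_preserves_strength())
```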