Re: Secure Password Policy?

From: Stephen J. Smoogen (smooge@gmail.com)
Date: Thu Jan 19 2006 - 13:21:42 EST


On 1/19/06, Sulaiman, Wilmar <wsulaiman@siddharta.co.id> wrote:
> Dear all,
>
> I noticed that "best practice" for Minimum password length policy is
> either 6 or 8 characters. I guess SANS institute considered a weak
> password if it is less than 8 characters.
>
> I would like to know where they derived the number (6 and 8 characters).
> Is there any documentation to backup it up why the best practice for
> minimum password length is set to 6?
>

It was explained to me a long time ago that the numbers came from how
long it takes to do a brute-force attack against either a remote Unix
server using a DES hash (or doing the brute-force against the hash
without precompiled tables). Each extra character increases the time
for cracking exponentially. A forced password change time less than
that would then limit your risk. If the attacker has the password hash
(and the password has to have a special character, some amount of
uppercase and lowercase) you can use the charts here:

http://www.mcgill.ca/ncs/products/security/understandpass/#time

                         68 character space
                 (8E+06 hashes/sec)   (1E+00 hashes/sec)
letters          seconds              seconds
01               8.5E-06              6.8E+01   [    1.0 m.]
02               5.8E-04              4.6E+03   [   77.0 m.]
03               3.9E-01              3.1E+05   [    3.6 d.]
04               2.7E+00              2.1E+07   [  247.5 d.]
05               1.8E+02              1.4E+09   [   46.1 y.]
06               1.2E+04              9.9E+10   [3.1E+03 y.]
07               8.4E+05              6.7E+12   [2.1E+05 y.]
08               5.7E+07              4.5E+14   [1.4E+07 y.]
09               3.9E+09              3.1E+16   [9.9E+08 y.]
10               2.6E+11              2.1E+18   [6.7E+10 y.]
11               1.8E+13              1.4E+20   [4.6E+12 y.]
12               1.2E+15              9.8E+21   [3.1E+14 y.]

for a non-distributed attack. A distributed attack would take a power
of 2 less time, per the appropriate number of machines in the distribution.

While it would seem that the time factor for a remote attack is
significantly large at a 5-letter password, one needs to take into
account two items:
 - Number of hosts that can do the attack [power of 2 attack]
 - Number of hosts that the password can be tested against [power of 2 attack]

In a network with a large number of hosts running some sort of service
that the password can be tested against, your time for finding a
match is smaller and you can evade very stupid IDS because you can go
slowly.

The brute-force attack can be made much more efficient by building a
dictionary of common words and phrases and adding various common
additions (number 1 at the end, or for l, etc.). I do not have numbers
for how much more effective it is, but I do know it can cut down a
search time tremendously.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
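Added example, not part of Stephen's post or of the McGill chart: a Python script that recomputes the chart's exhaustive-search times from the relation it rests on (character space raised to the length, divided by the guess rate) and turns it into the defender's question, which minimum length outlasts a given rotation window. The 68-character space and the 8E+06 and 1E+00 hashes/sec rates are the chart's; the rotation window and host counts passed in are illustrative.

```python
from math import ceil

SPACE = 68        # character space used by the chart above
FAST_RATE = 8e6   # guesses/sec against a captured hash (chart's left column)
SLOW_RATE = 1.0   # guesses/sec against a remote login service (right column)


def seconds_to_exhaust(length, rate=FAST_RATE, hosts=1, space=SPACE):
    """Seconds to try every password of `length` chars.

    `hosts` scales the rate linearly: each additional attacking host, or
    each additional target service the same password can be tried against,
    divides the search time (the post's 'power of 2' remark).
    """
    return space ** length / (rate * hosts)


def human(seconds):
    """Render a duration the way the chart's bracketed column does."""
    for unit, div in (("y.", 365 * 86400), ("d.", 86400), ("h.", 3600), ("m.", 60)):
        if seconds >= div:
            return f"{seconds / div:.1f} {unit}"
    return f"{seconds:.1f} s."


def min_length_for(rotation_days, rate, hosts=1, space=SPACE):
    """Smallest length whose full search takes longer than the rotation window.

    This is the policy decision the post describes: pick the change interval,
    then the minimum length that cannot be exhausted inside it.
    """
    budget = rotation_days * 86400 * rate * hosts   # guesses available
    length = 1
    while space ** length <= budget:
        length += 1
    return length


def chart(max_len=12, hosts=1):
    """Reproduce the chart rows for the given number of attacking hosts."""
    rows = []
    for n in range(1, max_len + 1):
        fast = seconds_to_exhaust(n, FAST_RATE, hosts)
        slow = seconds_to_exhaust(n, SLOW_RATE, hosts)
        rows.append((n, fast, slow, human(slow)))
    return rows


if __name__ == "__main__":
    for n, fast, slow, label in chart():
        print(f"{n:02d}  {fast:8.1E}  {slow:8.1E}  [{label}]")
    print("90-day rotation, hash attack:", min_length_for(90, FAST_RATE), "chars")
    print("90-day rotation, remote login:", min_length_for(90, SLOW_RATE), "chars")
```

Running it reproduces the 8-character row (about 5.7E+07 seconds at 8E+06 hashes/sec) and shows that, against a captured hash at that rate, a 90-day rotation already needs 8 characters from a 68-character space.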


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:23 EDT