Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Complexity in the Enterprise?

Posted by ryuzaki0 on from the have-you-tried-remembering-line-noise-before dept.

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

1 of 216 comments (clear)

  1. Depending upon the system, that's sufficient. by khasim · · Score: 5, Informative

    The key is not how complex you can make a password.

    The key is how will an attacker defeat it.

    So, a simple password is sufficient if the attacker will not have enough chances (statistically) to defeat it. This is easy to accomplish by having a time delay between authentication attempts or a lock-out period. But this is only sufficient if you have a person actively monitoring the authentication logs.

    Example: Suppose you have a list of 10,000 common words. You take a random word, a digit (0-9) and another word, that will give you 10,000 x 10 x 10,000 possible combinations (1,000,000,000 or "one billion"). So, if you get 3 guesses before you're locked out for 15 minutes, then you can guess 12 passwords an hour ... 288 a day ... 864 over a 3 day weekend. Round that up to a thousand and it's still a "one chance in a million" to guess the password over 3 days of trying.

    As long as there is someone reviewing the logs, the attempts will be noticed and actions can be taken before there is any real chance of your password being cracked.

    And WordNumberWord is not that difficult to remember.

    Now, this is NOT a good practice for passwords for encrypted files or anything else that can be cracked off-line.