Slashdot Mirror

← Back to Stories (view on slashdot.org)

Calculating Password Policy Strength Vs. Cracking

Posted by Soulskill on from the one-two-three-four-five dept.

snydeq writes "InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. The calculator includes results for four different password entropy models, and is based on length, character set, maximum age, whether complexity is enabled, and the number of guesses per minute an attacker can attempt. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break — not at all hard to accomplish, Grimes writes."

25 of 231 comments (clear)

  1. Is this a problem? by khasim · · Score: 4, Insightful

    Most systems have a "three strikes and you're out for 5 minutes". So that kind of makes 65 guesses a minute impossible. You'd have 3 every 5 minutes.

    The solution is not complexity. It is limiting the number of attempts and logging the process and having a HUMAN review the logs on a daily basis.

    1. Re:Is this a problem? by wjh31 · · Score: 2, Insightful

      unless you have a botnet so as each infected computer is blocked, others in the net take their turn. To get 65 guesses per minuite at 3 guesses per 5 minuites i think would only take about 100 computers

    2. Re:Is this a problem? by osu-neko · · Score: 3, Insightful

      A good system does both, since otherwise on failure the attacker can just try a different account (they're usually not concerned with hacking a particular account, they just want any old account). So, limit the number of attempts on a particular account, AND limit the number of attempts from a particular source.

      --
      "Convictions are more dangerous enemies of truth than lies."
    3. Re:Is this a problem? by blincoln · · Score: 3, Insightful

      Anyways we can crack the passwords in a couple hours or less from the password hash on a workstation.

      If it's taking you "a couple hours" to crack a Windows password that meets the criteria you specified, you're using the wrong tool. Have a look at Ophcrack, then see if you ever want to use a less-than-15-character password on a Windows system again.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  2. Yeah right by Brian+Gordon · · Score: 4, Insightful

    With 8 characters you have to make on the order of 10^15 guesses. To go through all of those guesses in 90 days you have to try 783.9 million combinations per second.

    1. Re:Yeah right by Celeste+R · · Score: 4, Insightful

      How many of us use truly random passwords?

      Consider the dictionary attack, combined with numbers, symbols and other words, and it's really not quite so random.

      --
      There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
    2. Re:Yeah right by TheLink · · Score: 2, Insightful

      Yeah, I wonder how he got the 65 per minute figure for passwords that pass some simple complexity test ("complexity enabled").

      Anyway, it usually takes one or two phone/support calls to bypass a password.

      People make it even easier nowadays:
      Mother's maiden name?
      Where was your father born?

      The trouble with such stupid questions is it makes it harder for those who know what they are doing. The sheeple will just cheerfully give their passwords away to the next person who asks or for a free beer.

      --
    3. Re:Yeah right by Packet+Pusher · · Score: 2, Insightful

      This whole new password every 90 days things blows monkey chunks too. All it does is make me have a half a dozen passwords or more likely variations on a few passwords that I never know which one belongs where and end up putting every valid password into all the wrong sites.

      If the password is strong to begin with then changing it every 90 days is stupid. Who's to say the password I change it to isn't next on the list to be guessed?

      Monitor systems for strange access, restrict my access to just what I need, let me know the last place and time I access sensitive systems from and leave my fracking password alone.

  3. Under the radar by Fuzzums · · Score: 3, Insightful

    And 65 guesses per minute is hardly something that should trip ANY rule of an IDS.

    --
    Privacy is terrorism.
  4. The focus should be on the account. by khasim · · Score: 4, Insightful

    It doesn't matter where the 3 attempts come from. On the 3rd failure, the account is locked.

    Yes, this does allow for DoS attacks. So what? It's better to have the legitimate owner locked out so that he can call to find out why than it is to have his account cracked.

    1. Re:The focus should be on the account. by mysidia · · Score: 5, Insightful

      What happens when a bot comes out whose sole purpose is to discover all usernames on a system (including the admin users), via dictionary attack, common variations, and lock them all out, by making exactly 3 attempts per account?

      i.e. Hackers whose goal in life is to disrupt access to the system rather than to break in.

    2. Re:The focus should be on the account. by maxume · · Score: 3, Insightful

      You switch to physical tokens?

      For the most part, if you are protecting something valuable, you will be willing to spend more resources than someone just trying to be a nuisance. That doesn't make them any less of a nuisance, but it isn't particularly hard to work around them.

      I guess this sort of sucks for someone trying to run a small forum or something, but they could do something crazy like support OpenID.

      --
      Nerd rage is the funniest rage.
  5. Missing part of his formula by DoofusOfDeath · · Score: 5, Insightful

    Did he remember to model the fact that if you make your password requirements sufficiently rigorous....

    (A) People will increase risk by having to write them down, or

    (B) People will try to stop using your system, which is a different but related kind of failure?

  6. Frequency of change is irrelevant! by Geoffrey.landis · · Score: 2, Insightful

    As an example, Grimes assumes... 90 days between password change

    How long you go between password changes is an irrelevant parameter, since a password change does not change the probability of success of a brute-force attack (i.e., any change is just as likely to change the password into the window of attack as it is to move it out of the window.)

    Requiring frequent password change doesn't change the success statistics at all if the attacker is attacking multiple accounts. Even if the attacker is focussed on a single account, however, requiring a password change at intervals doesn't change the mean time it takes to break an account; it merely means that success is guaranteed, rather than probable, after twice the mean time (since that the mean time to break in is after exactly half the passwords have been tried.)

    --
    http://www.geoffreylandis.com
    1. Re:Frequency of change is irrelevant! by jonbryce · · Score: 3, Insightful

      It's not an irrelevant factor. Without any password changes, you are guaranteed to get the password eventually. If you do change passwords, you are trying to hit a moving target. You might get it, you might not, and even if you do, you don't have long before you have to run the attack again.

    2. Re:Frequency of change is irrelevant! by Mutatis+Mutandis · · Score: 2, Insightful

      and even if you do, you don't have long before you have to run the attack again.

      Not really. Because if people need to change their passwords frequently, they tend to go for stupid changes, such as incrementing a suffix number. I could make a pretty good guess of what some passwords on our systems will be a year from now, even though they are nominally changed every 90 days.

    3. Re:Frequency of change is irrelevant! by Geoffrey.landis · · Score: 3, Insightful

      It isn't irrelevant if you change your password during the attack to something the attacker has already tried.

      Nope. Think about it as a statistical thing. There's an equal probability that you'll change your password to something that the cracker is just about to try, as there is to change it to something the cracker hasn't tried yet

      Lets say you change the password after the attacker has made it through half of the keyspace...there is a 50% chance that this new password will never be guessed

      It's easier to think about statistics if you think about large numbers. Suppose the cracker is trying to crack 1 thousand user accounts, and the password change comes when he is one ten thousandth of the way through. Yes, on the average there's some chance that a users will change their password into one that he's already checked (and if they never changed their password again, they'd be immune from getting cracked.) However, to balance that, an equal chance exists that they happen to change their password to one that he's about to try. There's no net change in the statistics of cracking.

      The same statistics work, on the average, whether the cracker is trying to break into one account.

      --
      http://www.geoffreylandis.com
    4. Re:Frequency of change is irrelevant! by legirons · · Score: 4, Insightful

      It's not an irrelevant factor. Without any password changes, you are guaranteed to get the password eventually.

      With password changes, you get the password even quicker, because there are only a very small number of sequences that people can think-up once per month, compared with a larger number of unique passwords that they can think-up just once.

    5. Re:Frequency of change is irrelevant! by nabsltd · · Score: 4, Insightful

      Mod parent up as one of the few who understands how forced password changes are generally bad for security.

      When asked, most system admins do not know what the single security issue that is addressed by forced password changes: limiting the amount of time a compromised password can do damage.

      The problem is that any forced change time that is short enough to do any good with this (like 30 days) would cause users to always pick the most memorable (i.e., least secure) password that meets the requirements. Worse, it's more likely to cause every monitor in your office to have a password-laden sticky-note. If you have a 90-day change time (about the standard), that gives an average of 45 days that a compromised password can do damage, which is way too much.

      Last, forced password changes are still almost certainly nothing but security theater, because once an account is compromised, it's easy to re-compromise it with a keylogger or similar background software.

  7. Required Passord Changes by Archangel+Michael · · Score: 3, Insightful

    Requiring password changes on a regular basis doesn't improve security, it actually lowers it IMHO.

    Whenever I've seen institutions start to require this policy, I explain expect a larger number of people to tape their current password under their keyboards.

    The other option I see people do, is use a password combination like this "MyCurrentPassword!05" where the "05" is the month. So, in a few days from now, the new password will be "MyCurrentPassword!06" and so on. Even if you require 12 unique passwords in 12 month period, they will be cool, and not really change the password.

    The #1 problem with passwords in my opinion, is that most systems have a "remember password" checkbox. That checkbox should be BANNED!

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Required Passord Changes by Anonymous Coward · · Score: 1, Insightful

      The purpose of an onerous password policy is not to improve security but instead to shift the blame for security breaches onto users.

  8. So don't allow password authentication by fishbowl · · Score: 3, Insightful

    Distribute private keys. Enforce a policy where the private keys can be revoked. Use a physical token.
    Make it so the party logging in needs something they know (a private key) and something they don't know (the random number from the key fob).

    It's easier to convince the People In Charge that this is necessary *after* a break-in.

    It's better to simply *be* the Person In Charge and establish the policy, and enforce it.

    Either you're serious about security or you're not.

    One problem is that laypersons don't understand just how simple it is to break password authentication, and don't understand that if their password is a dictionary word or even a misspelling or l33t of a dictionary word, they've probably already been compromised. Going further, they don't consider that maybe the person doing the attack is a competitor or disgruntled former employee who *knows* the names and birthdates of all the spouses and children of the whole sales department.

    Then there are people who won't take IT security seriously until they've lost a defense contract or a faced lawsuit over a leak of proprietary information.

    --
    -fb Everything not expressly forbidden is now mandatory.
  9. WOW, what a GREAT social engineering! by Hurricane78 · · Score: 2, Insightful

    Why work hard to get passwords from the people who are most worried about their security (possibly because they have the most valuable data),
    when you can simply open a site, offer them to "check them for security", and let them input them themselves!

    Why didn't I think of that! Man, what a genius!

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.
  10. Re:The same thing that happens with everything els by mysidia · · Score: 2, Insightful

    The username is not the credential. In the design of a secure system, it should be assumed the attacker has (or can find out) all the valid usernames. The administrative usernames that are defined by the implementation (i.e. the 'Administrator' user, the 'root' user are well-known anyways, and in many cases, required to be active by various software products used in a system.)

    The security is in the key (or password), i.e. the secret credential.

    Sending 3 attempts is cheap. Generally there's no need to know if the lockout attempt was a "hit" or not.

    Also, many systems that implement password lockout will notify the attacker of the password lockout, once the account's been locked rather than state "Invalid Password".

    It's foolhardy to place any trust of security in or reliance in difficulty of discovering a username.

  11. Re:hmm... by Tuoqui · · Score: 2, Insightful

    Security Tokens/Smart Cards... Two (or Three) factor authentication is superior to username/password. Something you HAVE + Something you KNOW. If you dont have both then knowing soandso's password is hunter2 wont help you.

    --
    09F911029D74E35BD84156C5635688C0
    +2 Troll is Slashdot's way of saying groupthink is confused