Slashdot Mirror


Calculating Password Policy Strength Vs. Cracking

snydeq writes "InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. The calculator includes results for four different password entropy models, and is based on length, character set, maximum age, whether complexity is enabled, and the number of guesses per minute an attacker can attempt. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break — not at all hard to accomplish, Grimes writes."

14 of 231 comments

  1. Re:Of course, its not that simple... by Vintermann · · Score: 2, Interesting

    "Others will lock you out after 3-5 attempts."

    Yeah, I know the type. They are for people who are truly paranoid about break-ins, and incredibly unconcerned about denial of service attacks.

    --
    xkcd is not in the sudoers file. This incident will be reported.
  2. quick slashdot reader test: by LeonN · · Score: 4, Interesting

    break this password 1bbe3bcb8c840c7309d460d8d5b8e709 how long did it take? (used the echo -n "string" | md5sum to get that hash, with ofc another word than string)

    --
    http://freelinuxguides.wikidot.com
  3. Our problem by Henry V .009 · · Score: 2, Interesting

    The issue that we have to deal with isn't password-guessing so much. It's stupid users responding to emails asking for their passwords. All it takes is for the spammers to ask nicely, and two or three professors immediately give out their password.

  4. Re:Yeah right by RiotingPacifist · · Score: 2, Interesting

    6 lower case + 1 upper case + 1 symbol/num is the norm, meaning it only takes roughly 26^8 * 6 (assuming the 6 lower case letters are together) / 2 to crack via brute force.
    This gives 6.26481e+11, or 80566 attempts/second for 90 days, which is still tough but much more achievable than assuming your 96^8 guesses are needed.

    --
    IranAir Flight 655 never forget!
  5. hmm... by buddyglass · · Score: 2, Interesting

    Does it take into account how many users are going to write down their passwords on a post-it note and stick it to their monitor (or something equally risky) if the password policy is any more cumbersome than "8 character minimum with complexity enabled with a 90-day forced change"?

  6. Re:Of course, its not that simple... by Vintermann · · Score: 4, Interesting

    Still don't get it? Ok, I'll try again, with a real world example of how stupid sysadmins can be.

    To get unemployment benefits in Norway, you have to fill out a lot of paperwork every 14 days.
    Fortunately, this can be done online.
    Unfortunately, if some idiot has your username, and tries to guess your password three times, the account locks completely for 30 minutes.

    So there you have it. For three connections every 30 minutes, you can make sure an unemployed Norwegian won't eat the next two weeks. Cute, eh?

    There are denial of service attacks, and there are denial of service attacks. Sometimes you need a botnet of thousands of machines. Sometimes you need one machine, a perl script and insignificant bandwidth. The latter is a bit more aggravating.

    --
    xkcd is not in the sudoers file. This incident will be reported.
  7. Wrong threat by Xenophon Fenderson, · · Score: 4, Interesting

    You misunderstand the risk. Password complexity policies offer protection in case the password database itself is compromised, when account lockout policies are of no use. The idea is to give everyone enough time to change their password before the attacker is able to decode the database (or authentication caches or packet captures or whatever).

    --
    I'm proud of my Northern Tibetan Heritage
  8. Hang on... A little maths: by Techmeology · · Score: 2, Interesting

    So, there are 94 symbols, 8 characters, and 90 days to guess them in. There are 94^8 possible passwords. That's 6.10*10^15 possible passwords. Per day, you'd have to rattle through 6.77*10^13 passwords. 2.82*10^12 passwords an hour. That's 4.70*10^10 passwords a minute. Last time I checked, 47 billion is greater than 65. Granted: passwords are usually stored as cryptographic hashes so there is the possibility, but the total number of password combinations is equivalent to a 53 bit number (log to the base two of 94^8). Most hashes are longer than this, so that's not a go. While it is also true that many users will pick passwords that are easier to guess, administrators should know better, and users should be taught better (practical demonstrations?).

    --
    Excuse for why is your room always messy?
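The arithmetic in comments 4 and 8 (key space, bit-equivalent, and the guess rate an attacker would need to cover that space before a 90-day rotation) is easy to get wrong by a factor of 60 or 24, so here it is as a small Python policy calculator. This is an added example, not Grimes's spreadsheet and not code posted by either commenter; the 94-symbol charset and the "6 orderings, every class approximated as 26 symbols" structure of comment 4 are taken from the comments themselves, and `fraction=0.5` for the expected (average-case) work is an assumption I have labelled in the code.

```python
import math

SECONDS_PER_DAY = 86400


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from
    `charset_size` symbols (comment 8's model: 94**8)."""
    return charset_size ** length


def structured_keyspace(class_sizes: dict, arrangements: int) -> int:
    """Key space for a password with a fixed number of characters per class.

    class_sizes maps alphabet size -> number of positions drawn from it, and
    `arrangements` counts the distinct orderings of those positions.  Comment 4
    approximates every class as 26 symbols and allows 6 orderings of a
    contiguous lowercase block, one upper-case letter and one symbol/digit."""
    space = 1
    for alphabet, positions in class_sizes.items():
        space *= alphabet ** positions
    return space * arrangements


def bits_of_entropy(space: int) -> float:
    """Equivalent key length in bits: log2 of the key space."""
    return math.log2(space)


def required_rate(space: int, max_age_days: int, per_seconds: int,
                  fraction: float = 1.0) -> float:
    """Guesses per `per_seconds` needed to cover `fraction` of `space` before
    the password is rotated after `max_age_days` days.  fraction=1.0 is an
    exhaustive search; fraction=0.5 (assumed here for the average case) is the
    expected work against a uniformly random password."""
    windows = max_age_days * SECONDS_PER_DAY / per_seconds
    return space * fraction / windows


def policy_report(charset_size: int, length: int, max_age_days: int) -> dict:
    """Summarise a policy the way the comments do: full key space,
    bit-equivalent, and the exhaustive guess rate per day, hour and minute."""
    space = keyspace(charset_size, length)
    return {
        "keyspace": space,
        "bits": bits_of_entropy(space),
        "per_day": required_rate(space, max_age_days, SECONDS_PER_DAY),
        "per_hour": required_rate(space, max_age_days, 3600),
        "per_minute": required_rate(space, max_age_days, 60),
    }


if __name__ == "__main__":
    r = policy_report(94, 8, 90)
    print(f"94^8 = {r['keyspace']:.3e} ({r['bits']:.1f} bits)")
    print(f"exhaustive search within 90 days needs {r['per_day']:.3e}/day, "
          f"{r['per_hour']:.3e}/hour, {r['per_minute']:.3e}/minute")
    # Comment 4's structured model, halved for the expected (average) case.
    s = structured_keyspace({26: 8}, arrangements=6)
    print(f"structured model: {s / 2:.5e} expected guesses, "
          f"{required_rate(s, 90, 1, fraction=0.5):.0f}/second over 90 days")
```

Run as-is it reproduces comment 8's 6.10e15 / 52.4 bits / 4.70e10 per minute and comment 4's 6.26481e11 / 80566 per second; changing the charset, length or maximum age shows how each policy knob moves the required rate, which is the comparison the calculator in the story is meant to support.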
  9. Easy to remember false answers. by Chmcginn · · Score: 2, Interesting

    Which is why I always answer security questions from the perspective of my high school D&D characters.

    So unless the crackers get access to one of the other six people from that group (and assuming they actually remember any of that from almost two decades ago), they can try my real birth place all day long.

    --
    Have you been touched by his noodly appendage?
  10. Measuring complexity? by jonaskoelker · · Score: 4, Interesting

    You're right on target.

    The real question one wants to ask: what maximizes the security of security measures?

    For passwords, we want something that's easy to remember and hard to guess. Hard to guess means it has to appear random: it has to be chosen with a large amount of entropy from the set of valid passwords. In other words, it needs to have a high amount of information content.

    "Easy to remember" is at odds with "high information content": the more you have to remember (generally speaking) the harder it is. However, there are mitigating factors.

    One is the rehearsal effect: by training something (repeatedly retrieving your password from memory), you become better at it. This can somewhat mitigate the problem of long, hard-to-remember passwords.

    Another trick is to exploit the way human memory works. It doesn't just store a big array of bytes like a disk does. I conjecture that the more connected a piece of information is to other pieces of information, the easier it is to remember. (the ocw.mit.edu psych 101 says that this is certainly true for short-term/working memory.)

    A neat trick (recommended by root@myuni) is to come up with a list of words which mean something (say, they're part of a nonsense phrase you made up*), picking the first letters**, adding some punctuation, and using that.

    ** Maybe I'd recommend picking the i'th mod n of word i where len(word i) == n, due to language statistics issues.

    * Say you can remember "Ash nazg durbatuluk, Ash nazg gimbatul, Ash nazg thrakatuluk, Agh burzum-ishi krimpatul" (one ring to {rule,find,bring,bind} them all). Pick as your password AnrAntAglAbi.

    If you don't remember geek poetry, pick a list of people you've had crushes on, ordered chronologically, and capitalize every one you've actually been with.

    Note that your password must contain at least one upper-case letter. If it doesn't, you have bigger things to worry about than the security of your slashdot account :p

    The sticky issue, from a theoretical standpoint, is that you want a password that's very random, but randomness (i.e. entropy) is an attribute of the distribution, not the sample. That means you can't really say that choosing "password" isn't random.

    The practical upshot is that you want to choose passwords that evil people are unlikely to guess, which is dependent on what typical people use as passwords. So, by enforcing "nasty" rules, you force users to select something with at least a little entropy (_which_ upper/digit/punct and where it is). Sadly, it'll be Passwo!1, Passwo!2, Passwo!3, etc.

    An interesting rule: no three consecutive members of the same character class.
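Two of the points in the comment above are mechanically checkable on the server side: the "no three consecutive members of the same character class" rule, and the "Passwo!1, Passwo!2, Passwo!3" pattern that forced rotation produces. The Python below is an added example (not the commenter's code) implementing both as password-change checks; the four-class split (upper, lower, digit, everything else) and the rule messages are my assumptions. The sample passwords are the ones quoted in the comment.

```python
import string


def char_class(ch: str) -> str:
    """Map a character to one of four assumed classes: upper, lower, digit, other."""
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    return "other"


def longest_class_run(pw: str) -> int:
    """Length of the longest run of consecutive characters sharing one class."""
    longest = run = 0
    prev = None
    for ch in pw:
        cls = char_class(ch)
        run = run + 1 if cls == prev else 1
        prev = cls
        longest = max(longest, run)
    return longest


def violates_run_rule(pw: str, max_run: int = 2) -> bool:
    """The comment's rule: no three consecutive members of the same class,
    i.e. no run longer than max_run."""
    return longest_class_run(pw) > max_run


def is_trivial_increment(old: str, new: str) -> bool:
    """True when `new` is `old` with only a trailing digit counter changed,
    the Passwo!1 -> Passwo!2 pattern a rotation policy tends to produce."""
    return old != new and old.rstrip(string.digits) == new.rstrip(string.digits)


def policy_problems(new: str, old: str = "") -> list:
    """Return the list of rule violations for a proposed password change
    (empty list means the change is acceptable under these assumed rules)."""
    problems = []
    if not any(c in string.ascii_uppercase for c in new):
        problems.append("no upper-case letter")
    if violates_run_rule(new):
        problems.append("three consecutive characters of the same class")
    if old and is_trivial_increment(old, new):
        problems.append("only the trailing counter changed from the previous password")
    return problems


if __name__ == "__main__":
    # Sample values quoted in the comment above.
    for old, new in [("", "AnrAntAglAbi"), ("", "Passwo!1"), ("Passwo!1", "Passwo!2")]:
        print(f"{new!r:16} -> {policy_problems(new, old) or 'ok'}")
```

The acronym password from the comment passes both checks (its longest same-class run is two), while each "Passwo!N" fails the run rule on its own and the increment check against its predecessor; that is the practical teeth behind the comment's observation that complexity rules alone just move users to a predictable pattern.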

  11. Re:Missing part of his formula by Eil · · Score: 3, Interesting

    Years ago, the Air Force had some pretty ridiculous security policies for its I.T. systems. (And I would expect that they still probably do.) I've written extensively here on Slashdot about them, but one thing that consistently bugged me was the password policy. I can't recall the specifics, but the password had several "conditions" that needed to be satisfied before it would save your password. Among them were things like:

    - Must be mixed-case
    - Must be between 8 and 12 characters in length (or so)
    - Must contain at least 2 symbols (barring a short list of seemingly random exceptions)
    - Must contain at least 1 letter
    - Must not contain a space, tab, or non-keyboard character
    - No part can match a dictionary word or proper name

    I'm not a cryptologist, so I always wondered: wouldn't adding so many restrictions actually make it easier to brute-force passwords? If an attacker knows the unit's password policy, shouldn't that enable them to narrow the search space considerably?
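The question in the comment above has a quantitative answer: count how many passwords of a given length satisfy the composition rules and compare with the unconstrained space. The Python below is an added example (not the commenter's and not from any Air Force policy) that does this with a small dynamic program over per-class counts. It models three of the listed rules (mixed case, at least two symbols) for an eight-character password; the 26/26/10/32 split of the 94 printable ASCII symbols into classes is an assumption, and the dictionary-word rule is not modelled because it depends on the word list.

```python
import math
from functools import lru_cache

# Assumed class split of the 94 printable ASCII symbols: 26 + 26 + 10 + 32.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def count_constrained(length: int, class_sizes: dict, minimums: dict) -> int:
    """Count passwords of `length` characters over the union of the classes in
    `class_sizes` that contain at least minimums[c] characters of each class c.

    Dynamic programming over (position, count per constrained class), with each
    count capped at its minimum since anything above it is equivalent."""
    constrained = [n for n in class_sizes if minimums.get(n, 0) > 0]
    caps = tuple(minimums[n] for n in constrained)
    free_size = sum(size for n, size in class_sizes.items() if n not in constrained)

    @lru_cache(maxsize=None)
    def ways(pos: int, counts: tuple) -> int:
        if pos == length:
            return 1 if all(c >= cap for c, cap in zip(counts, caps)) else 0
        # Next character from an unconstrained class: counts unchanged.
        total = free_size * ways(pos + 1, counts)
        # Next character from each constrained class: bump (capped) count.
        for i, name in enumerate(constrained):
            bumped = list(counts)
            bumped[i] = min(counts[i] + 1, caps[i])
            total += class_sizes[name] * ways(pos + 1, tuple(bumped))
        return total

    return ways(0, tuple(0 for _ in constrained))


def bits_lost(length: int, class_sizes: dict, minimums: dict) -> float:
    """Bits of search space a composition rule removes, relative to the
    unconstrained space of the same length over the same alphabet."""
    full = sum(class_sizes.values()) ** length
    kept = count_constrained(length, class_sizes, minimums)
    return math.log2(full / kept)


if __name__ == "__main__":
    rules = {"upper": 1, "lower": 1, "symbol": 2}  # mixed case plus two symbols
    kept = count_constrained(8, CLASSES, rules)
    full = sum(CLASSES.values()) ** 8
    print(f"{kept:.3e} of {full:.3e} eight-character passwords satisfy the rules "
          f"({kept / full:.1%})")
    print(f"the rules remove {bits_lost(8, CLASSES, rules):.2f} bits from the 94^8 space")
```

For uniformly random passwords the answer to the comment's question is "yes, but barely": these rules cut the eight-character space by roughly a third, well under one bit. The rules matter far more through the second-order effect the other comments describe, namely pushing users toward a small set of predictable shapes, which no key-space count captures.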

  12. Re:The focus should be on the account. by selven · · Score: 2, Interesting

    Those types of hackers are rare and have fewer resources. There isn't any point in pure vandalism you see. In any case research has shown that it's not a primary motive.

    Pure destruction without personal gain has its uses. See DOS attacks, pretty much every army in existence, terrorists, blackmailers, etc.

  13. Re:Is this a problem? by sortius_nod · · Score: 1, Interesting

    Unfortunately it's not the gathering of the passwords that hurts the business with things like Conficker.

    I was recently on contract for a large bank doing what they called "lvl 1 support" (tough times and no work calls for tough measures). I bailed after 2 days due to the fact they'd let Conficker take a massive hold on the network. 1500+ servers, every workstation of about 20 000 was infected. The biggest issue was that users were being locked out of their accounts, productivity was at almost 0, and the highest level of support had no idea what they were doing. Supposedly they were fixing the issues, however the servers they "fixed" were ending up reinfected due to them not patching against Conficker straight away.

    Pretty much a lack of decent IT staff (they are currently offshoring all their support staff, with infrastructure staff to be moved later) was to blame for the massive infection. Policies weren't enforced, lower level support staff had close to full administrative access on the servers, and there were no proactive patching cycles. I've seen this before and raised the red flag at previous jobs, unfortunately the calls for greater security and greater responsibility for high level admins have gone unheeded.

    The people controlling IT departments prefer to follow their little management processes rather than actually do anything productive for the company. Taking months if not a year to deploy a critical patch on a server, or ignoring calls for tightened security policies (both digital and social) are the real reason companies fail. What IT managers need to remember is, a decent password policy is a vital portion of a wider solution.

  14. Half that for parallel cracking attempts. by Gazzonyx · · Score: 1, Interesting

    Divide that in half again. You can break an 8 character password into two 4 character passwords and crack them in parallel. This is why it takes longer to break a 7 character password than an 8 character password.

    --
    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.