Slashdot Mirror

← Back to Stories (view on slashdot.org)

Calculating Password Policy Strength Vs. Cracking

Posted by Soulskill on from the one-two-three-four-five dept.

snydeq writes "InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. The calculator includes results for four different password entropy models, and is based on length, character set, maximum age, whether complexity is enabled, and the number of guesses per minute an attacker can attempt. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break — not at all hard to accomplish, Grimes writes."

16 of 231 comments (clear)

  1. Is this a problem? by khasim · · Score: 4, Insightful

    Most systems have a "three strikes and you're out for 5 minutes". So that kind of makes 65 guesses a minute impossible. You'd have 3 every 5 minutes.

    The solution is not complexity. It is limiting the number of attempts and logging the process and having a HUMAN review the logs on a daily basis.

    1. Re:Is this a problem? by MoonBuggy · · Score: 4, Informative

      Which is still solved by a quick look at the logs. Any account with multiple login attempts from multiple IP addresses in rapid succession should be a huge red flag. Even without human review it's trivial to make the block on the account, not on the party that's trying to log in.

      The real problem is striking a balance between complexity and usability. You don't need a botnet if you can grab the passwords using any number of social engineering techniques, many of which are made much easier when people are pushed into habits like writing their login details on post-it notes.

  2. Of course, its not that simple... by Shados · · Score: 4, Informative

    Some systems will intentionally "lag" you on a failed password attempt, or wait some time before the next guess. So you can't even MAKE 64 guesses a minute.

    Others will lock you out after 3-5 attempts.

    Kind of stops this flat, hmm?

    1. Re:Of course, its not that simple... by Vintermann · · Score: 4, Interesting

      Still don't get it? Ok, I'll try again, with a real world example of how stupid sysadmins can be.

      To get unemployment benefits in Norway, you have to fill out a lot of paperwork every 14 days.
      Fortunately, this can be done online.
      Unfortunately, if some idiot has your username, and tries to guess your password three times, the account locks completely for 30 minutes.

      So there you have it. For three connections every 30 minutes, you can make sure an unemployed Norwegian won't eat the next two weeks. Cute, eh?

      There are denial of service attacks, and there are denial of service attacks. Sometimes you need a botnet of thousands of machines. Sometimes you need one machine, a perl script and insignificant bandwith. The latter is a bit more aggravating.

      --
      xkcd is not in the sudoers file. This incident will be reported.
  3. Yeah right by Brian+Gordon · · Score: 4, Insightful

    With 8 characters you have to make on the order of 10^15 guesses. To go through all of those guesses in 90 days you have to try 783.9 million combinations per second.

    1. Re:Yeah right by Celeste+R · · Score: 4, Insightful

      How many of us use truly random passwords?

      Consider the dictionary attack, combined with numbers, symbols and other words, and it's really not quite so random.

      --
      There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/
  4. quick slashdot reader test: by LeonN · · Score: 4, Interesting

    break this password 1bbe3bcb8c840c7309d460d8d5b8e709 how long did it take? (used the echo -n "string" | md5sum to get that hash, with ofc another word then string)

    --
    http://freelinuxguides.wikidot.com
    1. Re:quick slashdot reader test: by wjh31 · · Score: 4, Funny

      damn it, i thought being on slashdot was enough to count as a geek, now we have to actually be able to understand encryption?

  5. The focus should be on the account. by khasim · · Score: 4, Insightful

    It doesn't matter where the 3 attempts come from. On the 3rd failure, the account is locked.

    Yes, this does allow for DoS attacks. So what? It's better to have the legitimate owner locked out so that he can call to find out why than it is to have his account cracked.

    1. Re:The focus should be on the account. by mysidia · · Score: 5, Insightful

      What happens when a bot comes out whose sole purpose is to discover all usernames on a system (including the admin users), via dictionary attack, common variations, and lock them all out, by making exactly 3 attempts per account?

      i.e. Hackers whose goal in life is to disrupt access to the system rather than to break in.

  6. Missing part of his formula by DoofusOfDeath · · Score: 5, Insightful

    Did he remember to model the fact that if you make your password requirements sufficiently rigorous....

    (A) People will increase risk by having to write them down, or

    (B) People will try to stop using your system, which is a different but related kind of failure?

  7. The same thing that happens with everything else. by khasim · · Score: 4, Informative

    First off, there should NOT be any indication whether the username was valid or not. It's as simple as that.

    Secondly, the issue really comes down to whether a DoS attack is better/worse than a compromised account.

    I'm on the side that believes compromised accounts are WAY worse than a DoS attack.

  8. Wrong threat by Xenophon+Fenderson, · · Score: 4, Interesting

    You misunderstand the risk. Password complexity policies offer protection in case the password database itself is compromised, when account lockout policies are of no use. The idea is to give everyone enough time to change their password before the attacker is able to decode the database (or authentication caches or packet captures or whatever).

    --
    I'm proud of my Northern Tibetian Heritage
  9. Measuring complexity? by jonaskoelker · · Score: 4, Interesting

    You're right on target.

    The real question one wants to ask: what maximizes the security of security measures?

    For passwords, we want something that's easy to remember and hard to guess. Hard to guess means it has to appear random: it has to be chosen with a large amount of entropy from the set of valid passwords. In other words, it needs to have a high amount of information content.

    "Easy to remember" is at odds with "high information content": the more you have to remember (generally speaking) the harder it is. However, there are mitigating factors.

    One is the rehearsal effect: by training something (repeatedly retrieving your password from memory), you become better at it. This can somewhat mitigate the problem of long, hard-to-remember passwords.

    Another trick is to exploit the way human memory works. It doesn't just store a big array of bytes like a disk does. I conjecture that the more connected a piece of information is to other pieces of information, the easier it is to remember. (the ocw.mit.edu psych 101 tells that this is certainly true for short-term/working memory.)

    A neat trick (recommended by root@myuni) is to come up with a list of words which mean something (say, they're part of a nonsense phrase you made up*), picking the first letters**, adding some punctuation, and using that.

    ** Maybe I'd recommend picking the i'th mod n of word i where len(word i) == n, due to language statistics issues.

    * Say you can remember "Ash nazg durbatuluk, Ash nazg gimbatul, Ash nazg thrakatuluk, Agh burzum-ishi krimpatul" (one ring to {rule,find,bring,bind} them all). Pick as your password AnrAntAglAbi.

    If you don't remember geek poetry, pick a list of people you've had crushes on, ordered chronologically, and capitalize every one you've actually been with.

    Note that your password must contain at least one upper-case letter. If it doesn't, you have bigger things to worry about than the security of your slashdot account :p

    The sticky issue, from a theoretical standpoint, is that you want a password that's very random, but randomness (i.e. entropy) is an attribute of the distribution, not the sample. That means you can't really say that choosing "password" isn't random.

    The practical upshot is that you want to choose passwords that evil people are unlikely to guess, which is dependent on what typical people use as passwords. So, by enforcing "nasty" rules, you force users to select something with at least a little entropy (_which_ upper/digit/punct and where it is). Sadly, it'll be Passwo!1, Passwo!2, Passwo!3, etc.

    An interesting rule: no three consecutive members of the same character class.

  10. Re:Frequency of change is irrelevant! by legirons · · Score: 4, Insightful

    It's not an irrelevant factor. Without any password changes, you are guaranteed to get the password eventually.

    With password changes, you get the password even quicker, because there are only a very small number of sequences that people can think-up once per month, compared with a larger number of unique passwords that they can think-up just once.

  11. Re:Frequency of change is irrelevant! by nabsltd · · Score: 4, Insightful

    Mod parent up as one of the few who understands how forced password changes are generally bad for security.

    When asked, most system admins do not know what the single security issue that is addressed by forced password changes: limiting the amount of time a compromised password can do damage.

    The problem is that any forced change time that is short enough to do any good with this (like 30 days) would cause users to always pick the most memorable (i.e., least secure) password that meets the requirements. Worse, it's more likely to cause every monitor in your office to have a password-laden sticky-note. If you have a 90-day change time (about the standard), that gives an average of 45 days that a compromised password can do damage, which is way too much.

    Last, forced password changes are still almost certainly nothing but security theater, because once an account is compromised, it's easy to re-compromise it with a keylogger or similar background software.