
Thread: Password Security

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    150

    Password Security

    In writing the network security document, we had a section on password security, but it was rather basic.

    passwords must be at least 8 characters
    must contain 1 number
    etc

    Does anyone have (or might have seen) a document that defines what exactly a "good" password is? Maybe with some documentation of how long it takes to crack based on length or character set.

  2. #2
    Junior Member
    Join Date
    Jan 2002
    Posts
    16


    It has to contain numbers and capital and small letters too, but this with the exact "1 number" is stupid, or so I think.

  3. #3
    Antionline Quitter..Srsly
    Join Date
    Aug 2001
    Posts
    457
    And it has to have a case-sensitive environment along with numbers and non-common passwords.
    "A weak mind is like a microscope, which magnifies trifling things but cannot receive great ones." — G.K. Chesterton, 19th-century English essayist and poet

  4. #4
    Banned
    Join Date
    Mar 2002
    Posts
    594
    I recommend using extended characters (û,«,j,¬,Å,ÿ,¼, etc.) whenever you are allowed to, due to the fact that most password crackers do not include these characters.

  5. #5
    Antionline Quitter..Srsly
    Join Date
    Aug 2001
    Posts
    457
    o0o0o0o... I had never thought of extended characters... nice one, jaguar... you should hang out more in irc.antionline.com

  6. #6
    Try cracking your own password, then you'll truly see how good it is... use Google to determine the most commonly used password crackers, then temporarily download them to test your password. That's what I do...

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    150
    I've already used l0pht on a bunch of test accounts, but what I'm looking for is actual statistics and data to prove that passwords of certain lengths and certain character sets will increase the difficulty of cracking the password by x number of hours or something to that effect.

  8. #8
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    Without the specifics of the environment or the type of brute-force attack, there's really not much that can be used that is concrete. But below are some things to consider in your own analysis for a generic standard for password strength measuring:

    The root variable in such a statistic is the average number of attempts per second. This variable is composed of several other smaller factors, including but not limited to the locale of the requestor in comparison to the authorizing host, and the method or level of access and comparison.

    For instance:

    In scenario A, you have a remote brute-force attack (let's say it's 56K dialup), where passwords are provided to the formal authentication mechanism over the network.

    In scenario B, you have encrypted or hashed passwords in a local and accessible file.

    Obviously there are a number of other scenarios, but it should be noted that the rate of scenario A would be much slower than scenario B. Even if scenario A were local, it would still be slower than scenario B.

    Given the volatile nature of the variable with respect to presentation overhead, server performance, network load, logging practices, etc., I usually represent the variable as just an unknown and solve for everything else, which is the easy part.

    If we're solving passwords instead of hashes, then given a charset of numeric, upper- and lower-case alpha, period (.), and underscore (_) [64 chars], the total possible permutations for a password of a given length (n) is simply:

    64^n
    (exponential, not xor)

    The maximum time required would be that value divided by our unknown rate.

    So for a rate of 1000 attempts/second on a password of 6 characters in length, bound to a charset of 76 possible values, the maximum time would be estimated to be:

    (76^6)/1000 = ~6 years.

    You may think that's a long time, but this is a straight-lined analysis, and doesn't take into account any distribution of the attack, nor any reasonable omissions in permutation ranges deduced through response-time valuations or other means of elimination.

    Holding everything else constant, if the password were only 6 characters, then the maximum timetable reduces to about 29 days.

    These figures are not implied to be accurate values for advanced cracking applications, for the number of reasons listed throughout. But they do provide a base value to which you can compare and contrast password characteristics. Hope it helps.
    -droby10
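The keyspace arithmetic in the post above, carried through as a small calculator. This is an added example, not droby10's code: the 1000 attempts/second figure is the post's, but the rates attached to "scenario A" and "scenario B" are illustrative assumptions, and the expected-time (half the keyspace) and bits-of-entropy figures are additions so that the effect of one extra character or a larger character set can be read off directly.

```python
"""Worst-case brute-force cost for the two scenarios in the post above.

Added example (not from the original thread). The attempt rates for
scenario A (online, over the network) and scenario B (offline, against
a captured hash file) are illustrative assumptions, not measurements.
"""
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed attempt rates. 1000/s is the figure the post uses; the other two
# are placeholders for "slow remote guessing" and "fast local hash cracking".
RATES = {
    "scenario A (remote, assumed)": 10,
    "post figure": 1_000,
    "scenario B (local hashes, assumed)": 1_000_000,
}


def keyspace(charset_size: int, length: int) -> int:
    """Candidates of exactly `length` characters: charset_size ** length."""
    if charset_size < 1 or length < 0:
        raise ValueError("charset_size must be >= 1 and length >= 0")
    return charset_size ** length


def cumulative_keyspace(charset_size: int, max_length: int) -> int:
    """Candidates of length 1..max_length, since an attacker tries short ones first."""
    return sum(keyspace(charset_size, n) for n in range(1, max_length + 1))


def worst_case_seconds(charset_size: int, length: int, rate: float) -> float:
    """Time to exhaust the keyspace at `rate` attempts per second."""
    return keyspace(charset_size, length) / rate


def expected_seconds(charset_size: int, length: int, rate: float) -> float:
    """On average the password is found halfway through the search."""
    return worst_case_seconds(charset_size, length, rate) / 2


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace: each extra bit doubles the worst-case time."""
    return length * math.log2(charset_size)


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.1f} years"
    if seconds >= SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    if seconds >= 3600:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds:.1f} seconds"


def table(charset_size: int, lengths, rates=RATES) -> list:
    """Worst-case seconds per length and rate, as rows a caller can print or test."""
    rows = []
    for n in lengths:
        row = {"length": n, "bits": round(entropy_bits(charset_size, n), 1)}
        for name, rate in rates.items():
            row[name] = worst_case_seconds(charset_size, n, rate)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # 76^6 at 1000 attempts/s is about 6.1 years; one character shorter,
    # 76^5 at the same rate, is about 29 days.
    print(human(worst_case_seconds(76, 6, 1_000)))
    print(human(worst_case_seconds(76, 5, 1_000)))
    for row in table(76, range(6, 13)):
        print(row["length"], row["bits"], "bits",
              *(human(row[k]) for k in RATES))
```

Run the table with the charset your policy actually allows and the rate you believe an attacker has against your hash format; the "post figure" column reproduces the thread's numbers, and the two assumed columns show how much the online/offline distinction in the post matters compared with adding a character.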

  9. #9
    Senior Member roswell1329
    Join Date
    Jan 2002
    Posts
    670
    I don't know if this is exactly on track with the original question, but here's a pretty good password creating scheme that I suggest to most people:

    1) Think of a non-sensical phrase of 8 or more words such as "My Dog Skip Just Became An AntiOnline Member"
    2) Take the first letter of each word (mdsjbaam)
    3) convert letters to numbers or symbols that look like them wherever possible (md$j844m)
    4) Use a capitalization scheme like first and last letter (Md$j844M)

    "Md$j844M", is an excellent password by most standards (contains a mix of upper/lower case letters, contains symbols, numbers, and alpha characters, and is the standard maximum of 8 characters long), and the phrase makes it somewhat easy to remember. You could make the password longer (most systems with an 8-character max ignore any characters after 8, so your password could be much longer).

    Good password choice is a vitally important part of system security that most people ignore. How many times have we all seen 'password' as someone's password? Ugh.
    /* You are not expected to understand this. */
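The four-step scheme in the post above, carried through in code so the example phrase can be checked against the thread's opening policy (8 characters, a number) and against the 8-character truncation caveat the post mentions. This is an added example, not roswell1329's code: only the s→$, b→8 and a→4 substitutions come from the post's own example; the other entries in LOOKALIKES, the minimum-word check and the policy/truncation helpers are assumptions made here.

```python
"""The phrase-to-password scheme from the post above, step by step.

Added example, not the poster's own code. Only the s->$, b->8, a->4
substitutions come from the post's example; the other look-alikes in
LOOKALIKES, the 8-word minimum and the policy/truncation checks are assumptions.
"""
import string

# Look-alike substitutions. s/b/a are from the post; i/o/e/t are assumed extras.
LOOKALIKES = {"s": "$", "b": "8", "a": "4", "i": "1", "o": "0", "e": "3", "t": "7"}


def initials(phrase: str) -> str:
    """Step 2: first letter of each word, lower-cased."""
    return "".join(w[0].lower() for w in phrase.split())


def substitute(s: str) -> str:
    """Step 3: swap letters for look-alike digits/symbols where the table has one."""
    return "".join(LOOKALIKES.get(c, c) for c in s)


def capitalise_ends(s: str) -> str:
    """Step 4: upper-case the first and last characters (a no-op on digits/symbols)."""
    if len(s) < 2:
        return s.upper()
    return s[0].upper() + s[1:-1] + s[-1].upper()


def derive(phrase: str) -> str:
    """Steps 2-4 applied to a phrase chosen in step 1 (8 or more words, per the post)."""
    if len(phrase.split()) < 8:
        raise ValueError("the post recommends a phrase of 8 or more words")
    return capitalise_ends(substitute(initials(phrase)))


def meets_basic_policy(pw: str) -> bool:
    """The thread's opening rules plus the mix the post lists: length >= 8,
    a digit, upper and lower case, and a symbol."""
    return (len(pw) >= 8
            and any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c in string.punctuation for c in pw))


def truncated_collision(pw_a: str, pw_b: str, limit: int = 8) -> bool:
    """True if a system that ignores characters past `limit` would treat the two
    passwords as equal. This is the post's caveat: on such a system, characters
    beyond the limit add nothing."""
    return pw_a[:limit] == pw_b[:limit]


if __name__ == "__main__":
    phrase = "My Dog Skip Just Became An AntiOnline Member"
    pw = derive(phrase)                      # Md$j844M
    print(pw, meets_basic_policy(pw))
    # A longer phrase yields a longer password, but an 8-char-max system
    # would authenticate on the first 8 characters only.
    longer = derive(phrase + " Today")
    print(longer, truncated_collision(pw, longer))
```

The truncation helper is the practical check to run before trusting extra length: if the target system caps stored passwords at 8 characters, two passwords that agree on their first 8 characters are the same password to it.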

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    458
    Although having a more "complex" password may take some extra time to crack...what the hell is ultimately the difference between a password someone can crack in 2 mins or 2 weeks. If they are able to get to that point, they will get your password either way.

    The only real way is to make the authentication schemes more complex, for example one-time passwords, or token authentication, etc. Or eliminate passwords where possible with the use of digital certificates.

    Another thing virtually anyone can do is to limit exposure from cracked passwords. For example, how many of you use the same password for most (if not all) online accounts and/or local system accounts? Well, make sure they are not the same if possible; therefore, if someone does crack your password, they will still only have access to a limited number of things. That way it will not be entirely devastating. It is much more difficult to find and crack 5 different 8-character passwords than it is to crack a single 20-character password.

    But again, where possible eliminate static passwords, or eliminate passwords altogether for the best result.
