June 25th, 2002, 09:04 PM
Also... changing passwords often is more important to focus on than password complexity.
Another problem you will have with very complicated passwords is that they will soon become much more difficult for people to remember, and then they are forced to do something stupid like writing it on the bottom of the keyboard or putting it on a sticky note on the monitor.
June 25th, 2002, 09:16 PM
I wrote this a long time ago. It ain't that good, but maybe it will help some Linux newbies out. (I myself am still a newbie) http://www.antionline.com/showthread...hreadid=219501
June 25th, 2002, 09:49 PM
Originally posted here by jezter6
I've already used l0pht on a bunch of test accounts, but what I'm looking for is actual statistics and data to prove that passwords of certain lengths and certain character sets will increase the difficulty of cracking the password by x number of hours or something to that effect.
jezter6 - A few years back I found a little DOS utility called Tidave99's Password analyzer. You provide it with a password and it will return information on the strength of the password. It's old, but it might help you a bit. You can still download it HERE
June 25th, 2002, 11:38 PM
Just some FYI. When I do a network security policy on passwords, I force complexity, minimum password size, limited power user accounts, and force users to change passwords at set intervals.
The COOKIE TUX lives!!!!
Windows NT crashed, I am the Blue Screen of Death.
No one hears your screams.
July 16th, 2002, 08:47 PM
Well, personally, I would think that the password scheme should be enforced via software. Because look at case #1:
You have the rules set up for your passwords. Pvt. Joe Snuffy doesn't like to have his password so complex, so he uses the password 'password1'. Well, any average net admin knows that this is one of the most common passwords, along with others.
Case #2: Again, my buddy Pvt. Joe Snuffy says, "The heck with that crap! I want my password like I want it!", so he sets his password as 'jsnuffy', totally ignoring your rules.
So, you have a dynamically assigned password when the account is created (ZSH3jd4), and then the user changes it when he/she first logs on, and your password-setting program has a blacklist of common passwords and also uses the user info to rule out others such as 'jsnuffy'.
So, you definitely want to also rule out specific words, since some words are very easy. That one rule could increase the dictionary form of attack from 1 hour to 29 days...
There is no spoon, but you yourself that bends...
July 16th, 2002, 08:56 PM
7-14 Characters (Cap & Lowercase) Must Have 1 Alpha & 1 Special Character ?.%@#
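The enforcement the two posts above describe (an assigned initial password, a blacklist of common passwords, rejecting passwords built from the user's own details, and the 7-14 character, mixed-case, one-special-character rule), as an added Python example that is not code from anyone in this thread. The blacklist entries and the Joe Snuffy account details are constructed sample values, and the function names are my own.

```python
import re
import secrets
import string

# Constructed sample blacklist; a real deployment would load a much larger list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

# Special characters permitted by the rule quoted in the post above.
SPECIAL_CHARS = "?.%@#"


def derived_from_user_info(password, username, first_name, last_name):
    """True if the password contains an obvious transformation of the account
    holder's details (username, first name, last name, initial+surname, ...)."""
    p = password.lower()
    candidates = {
        username,
        first_name,
        last_name,
        first_name[:1] + last_name,   # 'jsnuffy' for Joe Snuffy
        first_name + last_name,
        last_name + first_name[:1],
    }
    # Ignore empty or very short fragments so that a single initial never matches.
    candidates = {c.lower() for c in candidates if len(c) >= 3}
    return any(c in p for c in candidates)


def check_password(password, username="", first_name="", last_name=""):
    """Return a list of rule violations; an empty list means the password is accepted."""
    violations = []
    if not 7 <= len(password) <= 14:
        violations.append("length must be 7-14 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("must contain both upper- and lower-case letters")
    if not any(c.isalpha() for c in password):
        violations.append("must contain at least one letter")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append(f"must contain at least one of {SPECIAL_CHARS}")
    # Compare both the password and its letters-only core against the blacklist,
    # so that 'Password1' or 'password#' is still caught.
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        violations.append("appears on the common-password blacklist")
    if derived_from_user_info(password, username, first_name, last_name):
        violations.append("derived from the user's name or username")
    return violations


def generate_initial_password(length=8):
    """Random initial password (the 'ZSH3jd4' step) that passes every rule above.
    Uses the secrets module, never random, because the value is security-relevant."""
    alphabet = string.ascii_letters + string.digits + SPECIAL_CHARS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["password1", "jsnuffy", "ZSH3jd4", generate_initial_password()]:
        print(f"{pw!r}: {check_password(pw, 'jsnuffy', 'Joe', 'Snuffy') or 'OK'}")
```

Running it shows the two cases from the post being rejected for the expected reasons, and also that the assigned password ZSH3jd4 fails the later post's special-character rule, which is why the generator checks its own output against the same function the users are checked with.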
July 16th, 2002, 09:04 PM
On a slightly different note, for remote users (VPN) you could use 2- or 3-factor authentication to gain access (like SafeWord, Aladdin, or RSA). This provides a high level of security and removes the need for employees to have to remember multiple passwords.
Also, when employees pick passwords (this may sound stupid, but you would be surprised that this has happened) remind them not to:
A. write out their password on a Post-it and stick it to any part of their computer.
B. reveal passwords to anyone (be especially wary of people asking for P/Ws on the phone - i.e. social engineering).
C. check the "remember password" boxes in software login wizards.
D. forget that passwords should be changed every 90 days.
I think dictionary audits are a great way to validate that your employees are following your policies. Remember, security policies are a great thing, but if they are not enforced, they become worthless...
freedom is a road seldom traveled by the multitude
freedom ain't free
July 16th, 2002, 09:06 PM
Do not use any words that are in the dictionary.
July 17th, 2002, 12:33 AM
Equation on password possibilities. The equation is x^n with x being the possible number of characters and n being the number of characters long the password is, so if you have a 4-character pure numeric password you have 10^4 passwords possible, or 1000, which makes sense because you have a choice between 0 - 9999. With a word you have 26^n possibilities with n being the length of the word, and if you add a number to it, it changes the equation to 36^n, and if you add a symbol like a * or & then it becomes 46^n. Local password crackers on a fairly new system can handle roughly 1 - 2 million password tries a minute. Assuming someone has a password like passw, it'll have 11,881,376 possible passes to get to it, so it could take about 5-10 minutes to crack, while the password passw1 will have 2,176,782,336 and could take about 1.5 days to crack, and the password passw*1 will have 435,817,657,216 possible passes and could take a shade over 300 days.
Encryption possibilities are 2^n with n being the bits of encryption. 32-bit encryption has 4,294,967,296 possibilities and could take up to 3 days to crack, while 64-bit would take years. This figure is local, which doesn't account for internet lag, bandwidth restrictions, crappy or high-end PCs, and is pure brute force that doesn't use methods of eliminating possible keys.
Alternate realities celebrate reality. If you can't handle the reality you're in, then you won't be able to handle the one you're attempting to escape to.
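The x^n and 2^n arithmetic from the post above, carried through in code so the keyspace and time figures can be reproduced for any password shape or key length. This is an added Python example, not the poster's own tool. The character classes are my assumption: a ten-symbol class was chosen so that lower-case letters plus digits plus symbols come to the 46 used in the post, and the class for upper-case letters (not discussed in the post) is included so the example also shows how mixing case widens x; the 1-2 million tries per minute rates are the post's own figures.

```python
import string

# Character classes and their sizes. The ten-symbol class is an assumption, chosen
# so that lower-case letters + digits + symbols = 46, the figure used in the post above.
CHAR_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set("!@#$%^&*()"), 10),
}


def alphabet_size(password):
    """x: the size of the smallest alphabet (union of the classes used) an
    attacker must search to cover every password shaped like this one."""
    size = 0
    for chars, n in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += n
    unknown = [c for c in password
               if not any(c in chars for chars, _ in CHAR_CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the known classes: {unknown!r}")
    return size


def keyspace(password):
    """Number of candidates x^n for a password of this shape and length."""
    return alphabet_size(password) ** len(password)


def key_keyspace(n_bits):
    """Number of possible keys for an n-bit key: 2^n."""
    return 2 ** n_bits


def crack_time_minutes(candidates, tries_per_minute=1_000_000):
    """(worst case, expected) minutes to find the password by pure brute force.
    The worst case exhausts the keyspace; on average the attacker needs half of it."""
    worst = candidates / tries_per_minute
    return worst, worst / 2


def format_duration(minutes):
    """Human-readable duration for the table printed below."""
    if minutes < 60:
        return f"{minutes:.1f} minutes"
    if minutes < 60 * 24:
        return f"{minutes / 60:.1f} hours"
    if minutes < 60 * 24 * 365:
        return f"{minutes / (60 * 24):.1f} days"
    return f"{minutes / (60 * 24 * 365):.1f} years"


if __name__ == "__main__":
    print("password  alphabet         keyspace   worst @ 1M/min   worst @ 2M/min")
    for pw in ["1234", "passw", "passw1", "passw*1", "Passw*1"]:
        ks = keyspace(pw)
        w1, _ = crack_time_minutes(ks, 1_000_000)
        w2, _ = crack_time_minutes(ks, 2_000_000)
        print(f"{pw:<9} {alphabet_size(pw):>8} {ks:>16,} "
              f"{format_duration(w1):>16} {format_duration(w2):>16}")
    for bits in (32, 64):
        w, _ = crack_time_minutes(key_keyspace(bits))
        print(f"{bits}-bit key: {key_keyspace(bits):,} keys, worst case {format_duration(w)}")
```

The table reproduces the post's three figures (26^5, 36^6 and 46^7) and adds a mixed-case variant to show that each extra character class is added to x before it is raised to the power n, which is why length and class count together, not length alone, set the cost of an exhaustive search. The ValueError on unknown characters is deliberate: a silently under-counted alphabet would understate the keyspace.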
July 17th, 2002, 10:36 PM
Try checking out http://newag.org/pwg.htm; it will give you the estimated times that you are looking for. It is an online tool that will tell you the possible combinations and the average time and max time to crack. Hope this helps.
It's a long life, until you die