-
Password Security
In writing the network security document, we had a section on password security, but it was rather basic.
passwords must be at least 8 characters
must contain 1 number
etc
Does anyone have (or might have seen) a document that defines what exactly a "good" password is? Maybe with some documentation of how long it takes to crack based on length or character set.
-
it has to contain numbers and capital and small letters too - but this with the exact "1 number" is stupid - or so I think ;)
-
and it has to have a case sensitive environment along with numbers and non-common passwords
-
I recommend using extended characters (û,«,j,¬,Å,ÿ,¼, etc.) whenever you are allowed to, due to the fact that most password crackers do not include these characters.
-
o0o0o0o...i had never thought of extended characters :)...nice one jaguar...u should hang out more in irc.antionline.com
-
try cracking your own password, then you'll truly see how good it is......use google to determine the most commonly used password crackers, then temporarily download them to test your password, that's what I do...........
-
I've already used l0pht on a bunch of test accounts, but what I'm looking for is actual statistics and data to prove that passwords of certain lengths and certain character sets will increase the difficulty of cracking the password by x number of hours or something to that effect.
-
without the specifics of the environment or the type of brute-force attack, there's really not much that can be used that is concrete. but, below are some things to consider in your own analysis for a generic standard for password strength measuring:
the root variable in such a statistic is the average number of attempts per second. this variable is composed of several other smaller factors including but not limited to the locale of the requestor in comparison to the authorizing host, and the method or level of access and comparison.
for instance:
in scenario A, you have a remote brute-force attack (let's say it's 56K dialup), where passwords are provided to the formal authentication mechanism over the network.
in scenario B, you have encrypted or hashed passwords in a local and accessible file.
obviously there are a number of other scenarios, but it should be noted that the rate of scenario A would be much slower than scenario B. even if scenario A was local - it would still be slower than scenario B.
given the volatile nature of the variable with respect to presentation overhead, server performance, network load, logging practices, etc.; i usually represent the variable as just an unknown and solve for everything else - which is the easy part.
if we're solving passwords instead of hashes, then given a charset of numeric, upper and lower-case alpha, period (.), and underscore (_) [64 chars], the total possible permutations for a password of a given length (n) is simply:
64^n
(exponential, not xor)
the maximum time required would be that value divided by our unknown rate.
so for a rate of 1000 attempts/second on a password of 6 characters in length, bound to a charset of 76 possible values, the maximum time would be estimated to be:
(76^6)/1000 = ~6 years.
you may think that's a long time - but this is a straight-lined analysis, and doesn't take into account any distribution of the attack, nor any reasonable omissions in permutation ranges deduced through response time valuations or other means of elimination.
holding everything else constant, if the password were only 6 characters, then the maximum timetable reduces to about 29 days.
these figures are not implied to be accurate values for advanced cracking applications, for the number of reasons listed throughout. but they do provide a base value to which you can compare and contrast password characteristics. hope it helps.
-
I don't know if this is exactly on track with the original question, but here's a pretty good password creating scheme that I suggest to most people:
1) Think of a non-sensical phrase of 8 or more words such as "My Dog Skip Just Became An AntiOnline Member"
2) Take the first letter of each word (mdsjbaam)
3) convert letters to numbers or symbols that look like them wherever possible (md$j844m)
4) Use a capitalization scheme like first and last letter (Md$j844M)
"Md$j844M", is an excellent password by most standards (contains a mix of upper/lower case letters, contains symbols, numbers, and alpha characters, and is the standard maximum of 8 characters long), and the phrase makes it somewhat easy to remember. You could make the password longer (most systems with an 8-character max ignore any characters after 8, so your password could be much longer).
Good password choice is a vitally important part of system security that most people ignore. How many times have we all seen 'password' as someone's password? Ugh.
-
Although having a more "complex" password may take some extra time to crack...what the hell is ultimately the difference between a password someone can crack in 2 mins or 2 weeks. If they are able to get to that point, they will get your password either way.
The only real way is to make the authentication schemes more complex, for example one-time passwords, or token authentication, etc. Or eliminate passwords where possible with the use of digital certificates.
Another thing virtually anyone can do is to limit exposure from cracked passwords. For example, how many of you use the same password for most (if not all) online accounts and/or local system accounts? Well, make sure they are not the same if possible; therefore if someone does crack your password, they will still only have access to a limited number of things. That way it will not be entirely devastating. It is much more difficult to find and crack 5 different 8 character passwords than it is to crack a single 20 character password.
But again, where possible eliminate static passwords, or eliminate passwords altogether for the best result.
-
Also...changing passwords often is more important to focus on than password complexity.
Another problem you will have with very complicated passwords is that they will soon become much more difficult for people to remember, and then they are forced to do something stupid like writing it on the bottom of the keyboard or putting it on a sticky note on the monitor.
-
i wrote this a long time ago. it ain't that good but maybe it will help some linux newbies out. (i myself am still a newbie) http://www.antionline.com/showthread...hreadid=219501
-
Quote:
Originally posted here by jezter6
I've already used l0pht on a bunch of test accounts, but what I'm looking for is actual statistics and data to prove that passwords of certain lengths and certain character sets will increase the difficulty of cracking the password by x number of hours or something to that effect.
jezter6 - A few years back I found a little DOS utility called Tidave99's Password analyzer. You provide it with a password and it will return information on the strength of the password. It's old, but it might help you a bit. You can still download it HERE
Cheers:
-
Just some FYI. When I do a network security policy on passwords, I force complexity, minimum password size, limited power user accounts and force users to change passwords at set intervals.
-
Well, personally, I would think that the password scheme should be enforced via software. Because look at case #1:
You have the rules set up for your passwords. Pvt. Joe Snuffy doesn't like to have his password so complex, so he uses the password 'password1'. Well, any average net admin knows that this is one of the most common passwords. Along with others.
Case #2: Again, my buddy Pvt. Joe Snuffy says, "The heck with that crap! I want my password like I want it!", so he sets his password as 'jsnuffy', totally ignoring your rules.
So, you have a dynamically assigned password when the account is created (ZSH3jd4), and then the user changes it when he/she first logs on, and your password setting program has a blacklist of common passwords, and also uses the user info to rule out others such as 'jsnuffy'.
So, you want to definitely also rule out specific words, also due to some words being very easy. That one rule could increase the dictionary form of attack from 1 hour to 29 days...
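As an added example (not code from any post in this thread), the kind of software enforcement described above: a server-side acceptance check with a constructed blacklist of common passwords and a check for strings derived from the user's own account data (username, names, initial plus surname, reversed username), with look-alike substitutions undone before comparing.

```python
# Added example (not from the thread): a server-side password acceptance
# check of the kind described above: a blacklist of common passwords plus
# a check for strings derived from the user's own account data.
import re

# Constructed sample blacklist; a real deployment loads a much larger list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

# Undo the usual look-alike substitutions so 'P@ssw0rd1' compares as 'password1'.
LOOKALIKES = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o",
                            "3": "e", "4": "a", "5": "s", "7": "t"})

def _normalize(s: str) -> str:
    return s.lower().translate(LOOKALIKES)

def check_password(password: str, username: str, first_name: str,
                   last_name: str, min_len: int = 8) -> list:
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least 3 of: lower, upper, digit, symbol")
    norm = _normalize(password)
    if norm in {_normalize(c) for c in COMMON_PASSWORDS}:
        problems.append("matches a blacklisted common password")
    # Account-derived strings: username, names, initial+surname, reversed username.
    derived = {username, first_name, last_name,
               first_name[:1] + last_name, username[::-1]}
    for token in sorted(derived):
        t = _normalize(token)
        if len(t) >= 3 and t in norm:
            problems.append(f"contains account-derived string {token!r}")
    return problems

if __name__ == "__main__":
    # The thread's own examples: 'password1', 'jsnuffy', and roswell's 'Md$j844M'.
    for pw in ("password1", "jsnuffy", "P@ssw0rd1", "Md$j844M"):
        print(pw, "->", check_password(pw, "jsnuffy", "Joe", "Snuffy") or "OK")
```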
-
7-14 Characters (Cap & Lowercase) Must Have 1 Alpha & 1 Special Character ?.%@#
-
on a slightly different note, for remote users (VPN) you could use a 2 or 3 factor authentication to gain access (like SafeWord, Aladdin, or RSA). This provides a high level of security, and removes the need for employees to have to remember multiple passwords.
Also, when employees pick passwords (this may sound stupid, but you would be surprised that this has happened) remind them not to:
A. write out their password on a post-it and stick it to any part of their computer.
B. reveal passwords to anyone (be especially wary of people asking for P/Ws on the phone - i.e. social engineering).
C. users should not check the "remember password" boxes in software login wizards.
D. passwords should be changed every 90 days
I think dictionary audits are a great way to validate that your employees are following your policies. Remember, security policies are a great thing, but if they are not enforced, they become worthless...
Good luck!
-
do not use any words that are in the dictionary
-
equation on password possibilities. The equation is x^n power with x being the possible number of characters and n being the amount of characters long the password is, so if you have a 4 character pure numeric password you have a 10^4 amount of passwords possible or 1000. which makes sense because you have a choice between 0 - 9999. With a word you have a 26^n amount of possibles with n being the length of the word. and if you add a number to it it changes the equation to 36^n and if you add a symbol like a * or & then it becomes 46^n. Local password crackers on a fairly new system can handle roughly 1 - 2 million password tries a minute. Assuming someone has a password like passw. It'll have 11,881,376 possible passes to get to it so it could take about 5-10 minutes to crack while the password passw1 will have 2,176,782,336 could take about 1.5 days to crack and the password passw*1 will have 435,817,657,216 possible passes could take a shade over 300 days.
Encryption possibilities is 2^n with n being the bit of encryption. 32 bit encryption has 4,294,967,296 possibilities and could take up to 3 days to crack while 64 bit would take years. this figure is local which doesn't account for internet lag, bandwidth restrictions, crappy or high end PCs and is pure brute force and doesn't use methods of eliminating possible keys.
-
Jezter6,
Try checking out http://newag.org/pwg.htm; it will give you the estimated times that you are looking for. It is an online tool that will tell you the possible combinations and average time and max time to crack. Hope this helps.
dAggressor
-
And let's not forget....
The password is only HALF of the security in use! Usernames form the other half. If usernames are easily guessed, or given away, then that is half the battle won for a potential intruder.
I agree with other posters that passwords should comprise ANY character available! Extended, Capital and numeric. Setting weak passwords only encourages intruders, and when they break ONE, they will probably attempt more, based on the ease of breaking the first.
There are several good tools that you can use to evaluate password strength, and most have already been mentioned here. Make your passwords hard, change them regularly, and most importantly, harden your network. If your security posture is open to attack, don't stop to ask "Why Me?" when you get hit. OK, you have a firewall! But is it configured correctly? What about your perimeter router? Access Lists?
sorry for the rant! ;-)
-
Quote:
Originally posted here by zepherin
equation on password possibilities. The equation is x^n power with x being the possible number of characters and n being the amount of characters long the password is, so if you have a 4 character pure numeric password you have a 10^4 amount of passwords possible or 1000. which makes sense because you have a choice between 0 - 9999. With a word you have a 26^n amount of possibles with n being the length of the word. and if you add a number to it it changes the equation to 36^n and if you add a symbol like a * or & then it becomes 46^n.
Almost correct. If you have a maximum of 4 characters 0..9 you can have:
1 empty password
10 1 character passwords
100 2 character passwords
1000 3 character passwords
10000 4 character passwords.
Giving a total of 11111 passwords.
To put it in a formula (to prove the strength) i use this one:
S = (B^(L+1) - 1) / (B - 1), where B is the number of different characters (A..Z => B=26), L is the maximum password length, and S will give you the total amount of possible passwords.
If you have a minimal amount of characters (say characters 0..9 min. 3 max. 6)
Calculate Smax with B=10 and L=6.
Calculate Smin with B=10 and L=3. Subtract Smin from Smax.
Divide S by the tries/second (L0pht will do 1000000 tries/second on a 500MHz machine) and you'll know how long it takes for all the passwords to be brute-forced. The mean time for a cracked password will be half this time.
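As an added example (not code from any post in this thread), the three counting formulas the thread uses, B^n for a fixed length (the 64^n / 76^6 post and zepherin's 26^n figures), S = (B^(L+1) - 1)/(B - 1) for every length up to a maximum, and the min/max subtraction, carried through in Python together with the divide-by-rate time estimate and the half-of-maximum mean. The range function subtracts S(min - 1) rather than S(min) so that the minimum-length passwords themselves stay in the count; the rates and charset sizes are the thread's own figures, not measurements.

```python
# Added example (not from the thread): brute-force search-space sizes and
# time-to-exhaust estimates using the formulas discussed in this thread.
from fractions import Fraction

def keyspace_exact_length(charset_size: int, length: int) -> int:
    """Passwords of exactly `length` characters: B^n."""
    return charset_size ** length

def keyspace_up_to(charset_size: int, max_len: int) -> int:
    """S = (B^(L+1) - 1) / (B - 1): all passwords of length 0..L (geometric sum).
    max_len = -1 gives 0, which the range function relies on."""
    if charset_size == 1:
        return max_len + 1
    return (charset_size ** (max_len + 1) - 1) // (charset_size - 1)

def keyspace_range(charset_size: int, min_len: int, max_len: int) -> int:
    """All passwords with min_len <= length <= max_len.
    Subtract S(min_len - 1), not S(min_len), or the shortest allowed
    passwords would be dropped from the count."""
    if min_len < 0 or min_len > max_len:
        raise ValueError("bad length range")
    return keyspace_up_to(charset_size, max_len) - keyspace_up_to(charset_size, min_len - 1)

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

def time_to_exhaust(space: int, tries_per_second: int) -> dict:
    """Worst case = space / rate; the mean (expected) case is half of that."""
    max_s = Fraction(space, tries_per_second)
    return {
        "max_seconds": max_s,
        "max_days": float(max_s / SECONDS_PER_DAY),
        "max_years": float(max_s / SECONDS_PER_YEAR),
        "mean_days": float(max_s / 2 / SECONDS_PER_DAY),
    }

if __name__ == "__main__":
    # 76-character set, exactly 6 characters, 1000 tries/s: the "~6 years" figure.
    print(time_to_exhaust(keyspace_exact_length(76, 6), 1000))
    # Digits only, lengths 0..4 (empty password included): 11111.
    print(keyspace_up_to(10, 4))
    # Digits only, min 3 / max 6, at 1,000,000 tries/s.
    print(time_to_exhaust(keyspace_range(10, 3, 6), 1_000_000))
```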
-
In a similar vein to roswell, I make up words. For example - plypchimion blurhrymony might become p17PcH1m10N6LurHr7M0ny or something like that. Basically any assemblage of 'sounds' converted to caps and numbers.
-
I do security testing. in an average environment a strong password (14+ chars upper & lower case alphanumeric with special chars) can be cracked by simple progs like l0pht & john in 39 days. you want to set your password max age to a max of 30, and the min age to a min of 2 with the last 12-15 passwords remembered. this will help to increase security, oh and make them at least 8 chars not 6
-
Quote:
Originally posted here by roswell1329
I don't know if this is exactly on track with the original question, but here's a pretty good password creating scheme that I suggest to most people:
1) Think of a non-sensical phrase of 8 or more words such as "My Dog Skip Just Became An AntiOnline Member"
2) Take the first letter of each word (mdsjbaam)
3) convert letters to numbers or symbols that look like them wherever possible (md$j844m)
4) Use a capitalization scheme like first and last letter (Md$j844M)
"Md$j844M", is an excellent password by most standards (contains a mix of upper/lower case letters, contains symbols, numbers, and alpha characters, and is the standard maximum of 8 characters long), and the phrase makes it somewhat easy to remember. You could make the password longer (most systems with an 8-character max ignore any characters after 8, so your password could be much longer).
Good password choice is a vitally important part of system security that most people ignore. How many times have we all seen 'password' as someone's password? Ugh.
I agree; however, I believe the length should be something at least 9 characters, and go with everything you said above. Another security risk is shoulder surfing. I am still in high school, but if you walk past the office there is a clear glass window, and anybody could shoulder surf all day.
I believe that on some crackers/auditors such as L0pht, you can check for letter/symbol substitution, but I am not 100% sure about it.