Re: FW: Secure Password Policy?

From: kindageeky@gmail.com
Date: Sat Jan 21 2006 - 03:59:47 EST


NIST has published guidelines on password strength that the OMB and Homeland Security have apparently pledged support for under FISMA, at least this was what the government guys at the OWASP conference said. In any case check out Appendix A of the document at http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63v6_3_3.pdf ... I strongly encourage you to check out this part of the paper as the assertions made about what makes a password "strong enough" are pretty enlightening.

It all comes down to entropy to protect against a guessing or brute force attack, and length to protect against a dictionary attack. But entropy / randomness drops dramatically when a user CHOOSES their password (making guessing exponentially easier). My suggestion would be to look at the 4 levels of security outlined in the document and equate those to the needs of your environment. Note that levels 3 and 4 both require multi-factor authentication (i.e. passwords are dead for highly sensitive resource protection).

If you think an asset that an account has privileges to is somewhat worth protecting and that passwords are still viable, an (average) entropy of 20-30 bits (with an appropriate lock-out policy, say one minute after 3 wrong attempts) is probably sufficient in terms of guessing attacks. This translates to passwords with a length between 5-8 characters (that also pass a 50,000 word dictionary test and contain capitals, special characters, and numbers). The NIST document has a nice table outlining entropy levels for passwords of various lengths and with various assumptions about password policy; this is not 100% accurate data as the document explains, but is NIST's best estimate on AVERAGE entropy for passwords.

If you are protecting a privileged set of resources / account, you might want to require up to 40 bits of (average) entropy. In practice, 40-bits translates to an 18-20 character pass phrase, assuming the use of at least one capital letter + one or more numbers + one or more special characters (dictionary tests lose their value at this length per the NIST guidelines).

Again, entropy is helping defeat guessing attacks and brute force, but length is your best defense against dictionary attacks ... thus for what I'd consider level 2 security, I'd require 20 characters instead of 18. This should be sufficient to avoid any rainbow table attack in the foreseeable future (or at least within a reasonable lifetime for the password). Note there are rainbow tables in existence that pre-hash anything in the 94-character range (everything you can hit on the keyboard, including space) up to 12 character passwords ... if you're worried about this attack, you probably want to require 14 characters for Level 1 IMHO.

Hope this helps.
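The entropy figures quoted in the post come from the user-chosen-password rules in Appendix A of SP 800-63 (2006 edition), and the "20-30 bits with a lock-out policy" claim rests on a guess-budget calculation the post does not spell out. The script below is an added example for this thread; it is not code from the poster or from NIST. It encodes the Appendix A per-character credits and bonuses as the text states them (first character 4 bits, characters 2-8 2 bits each, 9-20 1.5 bits each, 21+ 1 bit each, +6 bits for an upper-case/non-alphabetic composition rule, up to +6 bits for an extensive dictionary check declining to zero at 20 characters) and then asks how many bits an online guessing attacker can be allowed given a lock-out policy and a password lifetime. The exact decline schedule for the dictionary bonus (6 bits through 8 characters, then half a bit less per character) is my assumption; the 2^-10 and 2^-14 success-probability targets are the Level 1 and Level 2 figures from the same document, and the 90-day lifetime and 3-attempts-per-minute throttle are constructed inputs.

```python
"""Worked estimate of SP 800-63 (2006) Appendix A password guessing entropy.

Added example for this mailing-list thread; not code from the original post
or from NIST.  Implements the Appendix A.2.1 rules for user-chosen passwords
as they are stated in prose.  ASSUMPTION: the shape of the dictionary bonus
decline (full 6 bits through 8 characters, then -0.5 bit per character to
zero at 20) is my reading; for passwords shorter than 8 characters the
document's Table A.1 uses somewhat lower combined figures, so consult it.
"""
import math


def base_entropy(length: int) -> float:
    """Per-position credit: 4 bits for the first character, 2 bits each for
    characters 2-8, 1.5 bits each for 9-20, 1 bit each beyond 20."""
    if length <= 0:
        return 0.0
    bits = 4.0
    bits += 2.0 * (min(length, 8) - 1)
    bits += 1.5 * max(0, min(length, 20) - 8)
    bits += 1.0 * max(0, length - 20)
    return bits


def dictionary_bonus(length: int) -> float:
    """'Up to 6 bits', declining to zero at 20 characters.
    ASSUMED schedule: 6 bits through 8 characters, then linear decline."""
    if length >= 20:
        return 0.0
    if length <= 8:
        return 6.0
    return 6.0 - 0.5 * (length - 8)


def guessing_entropy(length: int, dictionary_rule: bool = False,
                     composition_rule: bool = False) -> float:
    """Appendix A estimate for a password *policy* of the given length."""
    bits = base_entropy(length)
    if dictionary_rule:
        bits += dictionary_bonus(length)
    if composition_rule:
        bits += 6.0  # flat bonus; the text calls it nearly length-independent
    return bits


def min_length_for(target_bits: float, dictionary_rule: bool = False,
                   composition_rule: bool = False, max_length: int = 128) -> int:
    """Shortest policy length whose estimate reaches target_bits (or -1)."""
    for length in range(1, max_length + 1):
        if guessing_entropy(length, dictionary_rule, composition_rule) >= target_bits:
            return length
    return -1


def online_guess_budget(attempts_before_lockout: int, lockout_minutes: float,
                        lifetime_days: float) -> int:
    """Guesses one account absorbs over a password lifetime if the lock-out is
    the only throttle and the attacker tries continuously.  3 attempts then a
    1-minute lock-out is modelled as 3 guesses per minute."""
    per_minute = attempts_before_lockout / lockout_minutes
    return math.floor(per_minute * 60 * 24 * lifetime_days)


def required_entropy_bits(guess_budget: int, max_success_probability: float) -> int:
    """Smallest whole number of bits such that, treating the password as a
    uniform draw from 2**bits values (the Appendix A model), an attacker with
    guess_budget tries succeeds with probability <= max_success_probability."""
    return math.ceil(math.log2(guess_budget / max_success_probability))


if __name__ == "__main__":
    budget = online_guess_budget(3, 1, 90)  # constructed: 3 tries/min, 90-day life
    print(f"guess budget over lifetime: {budget}")
    for level, p in ((1, 2 ** -10), (2, 2 ** -14)):  # SP 800-63 Level 1 / Level 2 targets
        bits = required_entropy_bits(budget, p)
        print(f"Level {level}: need {bits} bits -> "
              f"{min_length_for(bits)} chars with no checks, "
              f"{min_length_for(bits, True, True)} chars with dictionary + composition rules")
```

With these inputs the Level 1 target works out to 29 bits, which is 8 characters under a dictionary-plus-composition policy or 16 characters with no checks at all, and the Level 2 target to 33 bits (11 and 18 characters respectively). The lock-out does the heavy lifting in this model; the same arithmetic with an offline attacker who has the hash database and no throttle puts the budget in the billions of guesses per second, which is why the entropy figures above say nothing about resistance to cracking a stolen hash.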




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:23 EDT