RE: Secure Password Policy?

From: Anders Thulin (Anders.Thulin@tietoenator.com)
Date: Fri Jan 20 2006 - 04:03:02 EST


Sulaiman, Wilmar [mailto:wsulaiman@siddharta.co.id] asked

> I noticed that "best practice" for Minimum password length
> policy is either 6 or 8 characters. I guess SANS institute
> considered a weak password if it is less than 8 characters.

 Isn't there an explanation of those magic numbers somewhere
nearby, or an assumption about how the passwords are selected,
or the login situation? If not, the author should probably be
considered suspect.

> Is there any documentation to back it up why the best
> practice for minimum password length is set to 6?

  Pick a log-in service you're interested in. Say FTP.

 Pick a login-testing program, such as THC Hydra, and set
it up to talk to the FTP service. Feed a big password list to it,
so that it keeps working for a reasonable time.

  How many password guesses can it do per second, with
various tweaks (I have an old figure of 120 attempts per
second, sustained. But this was more than 12 months ago,
and for another program on a loopback connection. Find
out *your* guessing rate.)

  Next, how long will it take, worst case, before this guessing
is discovered, and actually stopped, for instance by blocking
your IP in the firewall? An hour? A day? A week? (Say 14 days -
IT department is off on very long Xmas vacation, or whoever
is responsible for reading security logs gets his hands full with
more pressing work, but after 14 days log space will be full, and
system will halt...).

  14 days * 120 attempts / second make approx 150M attempts.
You want a password that resists that many guesses with a decent
probability margin -- as you don't know the order in which the
guesses will be made.

  Assuming A-Za-z0-9 (62 character) truly random password,
length 5 gives about 10% chance for a crack in 14 days, length
6 0.3% and so on. I'm not sure what to go for here, but I'd try
to get below 0.01%, at least.

  As should be obvious, the most important security measure in
this kind of situation is to limit the guessing rate. I'd say
100 guesses per hour is acceptable, except perhaps in high-security
installations. 14 days * 100 attempts / hour make approx
34k attempts. Much nicer. A length 6 password is now quite difficult
to guess in the stipulated time, even without special characters.

  Still, it doesn't mean much unless passwords are truly random.
Users tend to find the password of least effort -- and those are
often easy to guess. I've seen 'Volvo-V70' (or very close relatives)
as a password more often than I care to remember -- but it is long,
has both upper and lower case letters, digits and even a special character.
It is still probably among the first 100000 passwords to be guessed
in an attack (locally). So length 6 = 0.3% is rather optimistic ...
passwords won't be random unless you ensure it in some way.

  I don't know any password length calculations that try to take 'easy
passwords' into account. The only way I know to estimate if a password
is 'easily guessed' is to let John the Ripper generate passwords ... if the
password is in the first million produced or so, it's probably easily guessed.

Anders Thulin anders.thulin@tietoenator.com 040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
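A worked version of the rate-times-window arithmetic from the post above, added here as an example and not part of Anders's message. The 120 guesses/second and 100 guesses/hour rates, the 14-day detection window, the 62-character alphabet and the 0.01% target are the post's figures; the function names and the assumption that every guess is distinct are mine.

```python
"""Online-guessing risk for a truly random password, given a sustained
guess rate and the time until the guessing is detected and stopped.
Figures come from the pen-test list post above; code is an added example."""

SECONDS_PER_DAY = 24 * 60 * 60


def attempts_in_window(guesses: int, per_seconds: int, days: int) -> int:
    """Total guesses made before the attacker is blocked.

    `guesses` per `per_seconds` seconds (120 per 1 s, or 100 per 3600 s),
    sustained for `days`. Integer arithmetic avoids float rounding."""
    return guesses * days * SECONDS_PER_DAY // per_seconds


def crack_probability(attempts: int, alphabet_size: int, length: int) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random
    password of `length` drawn from `alphabet_size` symbols.

    Assumption (mine): the defender does not know the guess order, so
    each distinct guess removes one candidate from the whole keyspace.
    Capped at 1.0 once the window covers the entire keyspace."""
    keyspace = alphabet_size ** length
    return min(1.0, attempts / keyspace)


def min_length_for(target: float, attempts: int, alphabet_size: int) -> int:
    """Smallest length whose crack probability is at or below `target`."""
    length = 1
    while crack_probability(attempts, alphabet_size, length) > target:
        length += 1
    return length


if __name__ == "__main__":
    fast = attempts_in_window(120, 1, 14)      # 120/s: the post's "approx 150M"
    slow = attempts_in_window(100, 3600, 14)   # 100/h: the post's "approx 34k"
    for label, n in (("120/s", fast), ("100/h", slow)):
        for length in (5, 6, 8):
            p = crack_probability(n, 62, length)
            print(f"{label:>6} {n:>12,} guesses, length {length}: {p:.4%}")
        # The post's stated goal: get below 0.01% (1e-4) for the window.
        print(f"{label:>6} minimum length for <0.01%: {min_length_for(1e-4, n, 62)}")
```

With these exact figures the unthrottled case gives roughly 16% for length 5 and 0.26% for length 6, and needs length 7 to get under 0.01%; throttled to 100/hour, length 5 already meets the target. Both cases still assume a uniformly random password, which is the caveat the post ends on.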




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:23 EDT