RE: Secure Password Policy?

From: Shenk, Jerry A (jshenk@decommunications.com)
Date: Fri Jan 20 2006 - 06:57:31 EST

As with most things, hardware and software changes make old policies
obsolete rather quickly. If you're cracking passwords that have a good
salt (Linux, Novell, some Cisco, the latest windows), you have to brute
force every password. With older windows or current windows with legacy
support, there is no salt so that lends itself well to pre-computed
tables. In that case, the password can be cracked in minutes. One
other thing to throw into the mix is that in a Windows environment the
NTLM hashes (the older ones) are stored in 2 7-carachter groups if the
password is less than 15 characters in length. Because of that, a 14
character password can normally be cracked in under a half-hour.

-----Original Message-----
From: Stephen J. Smoogen [mailto:smooge@gmail.com]
Sent: Thursday, January 19, 2006 1:22 PM
To: Sulaiman, Wilmar
Cc: pen-test@securityfocus.com
Subject: Re: Secure Password Policy?

On 1/19/06, Sulaiman, Wilmar <wsulaiman@siddharta.co.id> wrote:
> Dear all,
>
> I noticed that "best practice" for Minimum password length policy is
> either 6 or 8 characters. I guess SANS institute considered a weak
> password if it is less than 8 characters.
>
> I would like to know where they derived the number (6 and 8
characters).
> Is there any documentation to backup it up why the best practice for
> minimum password length is set to 6?
>

It was explained to me a long time ago that the numbers came from how
long it takes to do a bruteforce attack against either a remote Unix
server using DES hash (or doing the bruteforce against the hash
without precompiled tables.) Each extra character increases the time
for cracking exponentially. You would then have a forced password
change time less than that would limit your risk . If the attacker has
the password (and the password has to have a special character some
amount of uppercase and lowercase) you can use the
charts here

http://www.mcgill.ca/ncs/products/security/understandpass/#time

              68 character space
            (8E+06 hashes/sec) (1E+00 hashes/sec)
letters seconds seconds
01 8.5E-06 6.8E+01 [ 1.0 m.]
02 5.8E-04 4.6E+03 [ 77.0 m.]
03 3.9E-01 3.1E+05 [ 3.6 d.]
04 2.7E+00 2.1E+07 [247.5 d.]
05 1.8E+02 1.4E+09 [ 46.1 y.]
06 1.2E+04 9.9E+10 [3.1E+03 y.]
07 8.4E+05 6.7E+12 [2.1E+05 y.]
08 5.7E+07 4.5E+14 [1.4E+07 y.]
09 3.9E+09 3.1E+16 [9.9E+08 y.]
10 2.6E+11 2.1E+18 [6.7E+10 y.]
11 1.8E+13 1.4E+20 [4.6E+12 y.]
12 1.2E+15 9.8E+21 [3.1E+14 y.]


for a nondistributed attack. A distributed attack would be a power of
2 less time. per appropriate number of machines in the distribution.

While it would seem that the time factor for a remote attack is
significantly large at 5 letter password.. one needs to take into
account to items.
Number of hosts that can do the attack [ power of 2 attack]
Number of hosts that the password can be tested against [power of 2
attack]

In a network with large number of hosts running some sort of service
that the password can be tested against you're time for finding a
match is smaller and you can evade very stupid IDS because you can go
slowly.

The brute force attack can be made much more efficient by building a
dictionary of common words, phrases, and adding various common
additions (number 1 at the end, or for l, etc) I do not have numbers
for how much more effective it is.. but I do know it can cut down a
search-time tremendously



--
Stephen J Smoogen.
CSIRT/Linux System Administrator

------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your
website. Up to 75% of cyber attacks are launched on shopping carts,
forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before
hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------





**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:23 EDT