From: Thor (Hammer of God) (thor@hammerofgod.com)
Date: Fri Jan 20 2006 - 21:16:15 EST
Just to chime in (not necessarily in response to your post Mike, just using
this as my response entry)
There really isn't a "best practice" to password length in generic terms.
Without a corresponding protocol and authentication model, there isn't much
value in assigning some arbitrary length to a password. Generally, the
longer the better, but it all depends on how the password is being stored
and/or transmitted.
Passwords sent via SMTP, POP3, HTTP (basic), etc can be any length and it
won't matter as they are transmitted in the clear (HTTP basic being Base64).
Passwords stored or sent in LM can be up to 14 characters, but the password
is stored as two independent 7 character hashes. (Someone posted about 8 and
13-- you were close ;) LM hashes are cracked in seconds. But the same
password authenticated on the wire via NTLM is far more secure.
If one gets access to the SAM on Windows box, then the password hash is
stored in both LM and NTLM for compatibility reasons. This can be turned
off via registry (or by having a password > 14 characters in Win2k+) but if
you don't do that and someone has access to an unencrypted SAM, they can
attack with LM cracks.
Then again, even with a 14 character NTLM password, rainbow table attacks
(or brute force attacks with the right equipment) can be successful in very
short periods of time. By contrast, a 6 character password authenticated
over NTLMv2 cannot be cracked via rainbow tables as domain/user information
is used during the negotiation as opposed to the password hash in
singularity.
I used to go for "complex" passwords and such, but for the last several
years (ever since Win2k allowed you to have 128 char pwd) I've gone for
simple, but long passphrases. As stated earlier, in general, the longer the
better. Some people think that "1*&ZdhfA" is secure, and it can be in the
right model, but user's won't remember that. Something like "I hate my boss
and want him to burst into flames" is much better, and about impossible to
crack with current methods (unless sent unsecured over the network.)
So, in short, "it all depends." ;)
t
-----
"I'll see your Llama and up you a Badger."
John T
----- Original Message -----
From: "Mike Harlan" <mike@spacedata.biz>
To: <pen-test@securityfocus.com>
Sent: Thursday, January 19, 2006 10:06 AM
Subject: FW: Secure Password Policy?
>
> I believe that the 6-8 rule is in place because it would take an extremely
> long time (or lucky guess) to crack the password at this length.
> Especially
> when used with the other recommended practices (uppercase, lowercase,
> special characters, numbers). Also, remember that we have to put forth as
> much effort to protect our info as we think that it is worth to us or our
> customers.
>
> -----Original Message-----
> From: Sulaiman, Wilmar [mailto:wsulaiman@siddharta.co.id]
> Sent: Thursday, January 19, 2006 5:12 AM
> To: pen-test@securityfocus.com
> Subject: Secure Password Policy?
>
> Dear all,
>
> I noticed that "best practice" for Minimum password length policy is
> either
> 6 or 8 characters. I guess SANS institute considered a weak password if it
> is less than 8 characters.
>
> I would like to know where they derived the number (6 and 8 characters).
> Is there any documentation to backup it up why the best practice for
> minimum
> password length is set to 6?
>
> Wilmar Sulaiman
> Risk Advisory Services
> KPMG Siddharta Siddharta & Widjaja
> 32nd Floor, GKBI Building
> 28, Jl. Jend. Sudirman
> Jakarta 10210, Indonesia
> J : +62 (0) 21 574 2333
> Fax : +62 (0) 21 574 1777
>
> **********************************************************************
> The information in this e-mail is confidential and may be legally
> privileged. It is intended solely for the addressee. Access to this e-mail
> by anyone else is unauthorized. If you have received this communication in
> error, please address with the subject heading "Received in error," send
> to
> postmaster@siddharta.co.id, then delete the e-mail and destroy any copies
> of
> it. If you are not the intended recipient, any disclosure, copying,
> distribution or any action taken in reliance on it, is prohibited and may
> be
> unlawful. Any opinions or advice contained in this e-mail are subject to
> the
> terms and conditions expressed in the governing Siddharta Siddharta &
> Widjaja/PT Siddharta Consulting client engagement letter. Opinions,
> conclusions and other information in this e-mail and any attachments that
> do
> not relate to the official business of the firm are neither given nor
> endorsed by it.
>
> Siddharta Siddharta & Widjaja/PT Siddharta Consulting cannot guarantee
> that
> e-mail communications are secure or error-free, as information could be
> intercepted, corrupted, amended, lost, destroyed, arrive late or
> incomplete,
> or contain viruses.
>
> Siddharta Siddharta & Widjaja - Registered Public Accountants, registered
> in
> Indonesia, is a member firm of KPMG International. PT Siddharta
> Consulting,
> a limited liability company registered in Indonesia, is a member firm of
> KPMG International. KPMG International is a Swiss cooperative of which all
> KPMG firms are members. KPMG International provides no professional
> services
> to clients. Each member firm is a separate and independent legal entity
> and
> each describes itself as such.
>
> This footnote also confirms that this e-mail message has been swept by
> MIMEsweeper for the presence of computer viruses. See www.mimesweeper.com
> for more information.
> **********************************************************************
>
>
> ----------------------------------------------------------------------------
> --
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
> futile against web application hacking. Check your website for
> vulnerabilities to SQL injection, Cross site scripting and other web
> attacks
> before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------------
> ---
>
>
>
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
>
>
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:24 EDT