RE: Secure Password Policy?

From: Petr.Kazil@eap.nl
Date: Sun Jan 22 2006 - 05:36:30 EST

• Next message: pagvac: "Re: "Ping scan" through Google"
• Previous message: Aaron: "Re: Tool to make mitm on ssh2"
• In reply to: Lyal Collins: "RE: Secure Password Policy?"
• Next in thread: List Spam: "Re: Secure Password Policy?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> Rainbow tables make password up to around 8 characters easy to crack, if
the
> attacker has the time to pre-compute the tabes. Making rainbow tables
beyond
> 8 is long term planning, and somewhat disk intensive for script-kiddy
level
> attacks.

It is instructive to look at this site:
http://www.loginrecovery.com/

I've used this website as an example in a class I gave, and I exchanged a
few e-mails with the owners of this site. They were very friendly and
explained that they used huge rainbow tables and that they could easily
crack passwords even longer than 14 characters.
I sent in a few test passwords of mine (very simple ones) and they were
all cracked in a minute. This was a sobering experience :-)

There may be more service providers like that, but this was the first one
I found. If you're in deep trouble, then paying 10 GBP for your forgotten
admin password is a good deal.

At our clients I try to defend the current Microsoft policy because IMHO
it's quite safe and reduces the load on the helpdesk:

Length: 8 chars or more
Complexity: enabled
Change: every 90-120 days
Lockout: after 50 (!) attempts - not 5 or 3 like we used to advise

The philosophy is that a lockout is only necessary if someone uses an
automated password guessing tool. The chance of guessing even a simple
password like "Banana01" (seen "in the wild") in 50 guesses is slight. And
having 50 tries once saved the day for me, after I changed my password
late at night and didn't know it anymore in the morning :-)

Greetings, Petr Kazil

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: pagvac: "Re: "Ping scan" through Google"
• Previous message: Aaron: "Re: Tool to make mitm on ssh2"
• In reply to: Lyal Collins: "RE: Secure Password Policy?"
• Next in thread: List Spam: "Re: Secure Password Policy?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:24 EDT