
List:       focus-ms
Subject:    RE: Password complexity - improvement (correction)
From:       "James D. Stallard" <james () leafgrove ! com>
Date:       2007-08-17 21:29:33
Message-ID: 031a01c7e115$b44e6d70$6400000a () ad ! leafgrove ! com

Sorry for the wordy post, but bear with me...

I have to say that I've really enjoyed the trip down memory lane of
combinations and permutations; perhaps the third thing from my A level maths
class that I've had to use in "real life" (the other two were simultaneous
and quadratic equations!).

However, I think we've drifted off the point here - that being the
construction of a strong password. Dubaisan's original question concerned
increasing the complexity of passwords by enforcing all 4 of the properties
of uppercase, lowercase, numbers and special-characters/punctuation.

Sorry Ansgar -59cobalt- Wiechers, your maths is upside down; in your
example, try a password length of 3 and total characters of 2 - you should
get 8 possible passwords, but your formula gives 9. You can prove the
formula simply by counting in binary from 000 to 007, which would be a
password length of 3 using only 2 characters.

The total possible number of passwords for a given password length is
therefore:

C^N

Where C is the number of characters a password can be made up of and N is
the length of the password.

So as an example let's try a password length of 3 and only lower case
characters. The total possible number of passwords to be tried is:

26^3 = 17576

A big number to be sure, but a fast password cracker does 300,000+ tries a
second, so that password is toast in under a second.

Going with both cases and numbers, the total possible number of passwords is:

(26+26+10)^3 = 238328

A bigger number, but still toast in under a second.

Ok, how about a 4 digit password with the same parameters:

(26+26+10)^4 = 14776336

That one lasted 49 seconds. Still rubbish but it's pretty clear that the
strength of the password is much more strongly related to its length than
to the number of characters used. Now, the industry standard - both cases
and numbers and 8 digits:

(26+26+10)^8 = 2.183 * (10^14)

A nice big number, and plenty big enough to make all but the most worthwhile
password too hard for the bruteforce cracker - provided of course that the
bruteforce cracker had to be tried because the dictionary attack failed!

All this is entirely irrelevant however as the same GPO provides the ability
to lock a password out. I recommend no less than 5 tries and no more than 5
minutes of lockout time - so long as you're logging it. This will insert a 5
minute break into the cracking process after every fifth try and even the 3
digit password will be safe when you can only average one try per minute.
This protects your domain based passwords (without irritating your users),
but you are still vulnerable if somehow the bad guys get a copy of your
hashes. Thus, we return to the length of the password and common sense
rules:

Enforce >=8 digits on your domain users and >=10 on your local machine users
(see my last post on how to) and be happy with mixed case letters and
numbers alone. If you need really good passwords, go to passphrases of >=15
digits for everything.

Thanks for reading it all, I hope it makes sense.
Cheers

James
James D. Stallard, MIoD
Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
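Added example (editor's, not part of James's post or the list thread): the keyspace and cracking-time arithmetic above worked in Python, plus the effect of the lockout policy, plus an inclusion-exclusion count of how many passwords of a given length actually contain all four character classes (the question that started the thread; Devin's fixed-position product further down is a lower bound on it). The 300,000 guesses per second, the 5-tries-per-5-minutes lockout and the 8-symbol punctuation set are taken from the thread; the small (2,2,1,1) alphabet used to cross-check the formula by brute force is constructed for the example.

```python
"""Password keyspace arithmetic from the focus-ms thread (added example)."""
from itertools import combinations, product

# Class sizes used in the thread: upper, lower, digits, and Devin's 8 symbols.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 8
FOUR_CLASSES = (UPPER, LOWER, DIGITS, SYMBOLS)

# Figures quoted in the thread (assumptions of the example, not measurements).
CRACKER_GUESSES_PER_SECOND = 300_000
LOCKOUT_TRIES = 5
LOCKOUT_SECONDS = 5 * 60


def keyspace(alphabet_size: int, length: int) -> int:
    """C^N: every one of N positions is drawn independently from C characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float = CRACKER_GUESSES_PER_SECOND) -> float:
    """Worst case for the attacker: the whole keyspace has to be tried."""
    return keyspace(alphabet_size, length) / guesses_per_second


def lockout_guess_rate(tries: int = LOCKOUT_TRIES,
                       lockout_seconds: int = LOCKOUT_SECONDS) -> float:
    """Online guessing against an account-lockout policy: at most `tries`
    guesses per lockout window, i.e. about tries/lockout_seconds per second
    (5 per 300 s is one guess per minute)."""
    return tries / lockout_seconds


def all_classes_present(length: int, classes=FOUR_CLASSES) -> int:
    """Number of strings of `length` over the union of the classes that use
    at least one character from EVERY class, by inclusion-exclusion over the
    set of classes that are missing. Returns 0 when length < len(classes)."""
    total = 0
    for missing in range(len(classes) + 1):
        for gone in combinations(range(len(classes)), missing):
            remaining = sum(c for i, c in enumerate(classes) if i not in gone)
            total += (-1) ** missing * remaining ** length
    return total


def all_classes_present_brute_force(length: int, classes) -> int:
    """Cross-check of the formula on a tiny alphabet by enumerating every
    string; character (i, j) is the j-th symbol of class i."""
    alphabet = [(i, j) for i, n in enumerate(classes) for j in range(n)]
    wanted = set(range(len(classes)))
    return sum(1 for pw in product(alphabet, repeat=length)
               if {cls for cls, _ in pw} == wanted)


def devin_fixed_position_product(length: int = 10, classes=FOUR_CLASSES) -> int:
    """Devin's calculation: one position reserved per class, the rest free.
    This counts only ONE arrangement of the reserved positions, so it is a
    strict lower bound on all_classes_present()."""
    free = length - len(classes)
    out = 1
    for c in classes:
        out *= c
    return out * sum(classes) ** free


if __name__ == "__main__":
    for alphabet, length in ((26, 3), (62, 3), (62, 4), (62, 8)):
        space = keyspace(alphabet, length)
        print(f"{alphabet}^{length} = {space:,} -> "
              f"{seconds_to_exhaust(alphabet, length):,.1f} s at 300k/s, "
              f"{space / lockout_guess_rate() / 86400:,.1f} days under lockout")
    n10 = all_classes_present(10)
    print(f"10 chars, all four classes required: {n10:,} of {keyspace(70, 10):,} "
          f"({n10 / keyspace(70, 10):.1%}); Devin's product: "
          f"{devin_fixed_position_product():,}")
```

The last line is the one worth noting: forcing all four classes on a 10-character password removes roughly half of the 70^10 strings, i.e. under one bit of keyspace, whereas each extra character multiplies the keyspace by 70. The lockout figure is only meaningful for online guessing; once the attacker has the hashes, the 300k/s (or far higher) rate applies and only length helps.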





-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Devin Ganger
Sent: 16 August 2007 19:50
To: Thor (Hammer of God); focus-ms@securityfocus.com
Subject: RE: Password complexity - improvement

Actually, mathematically he's correct, assuming a maximum password size.

For the sake of illustration, let's say I have a maximum password size of 10
characters. Let's also say I have 8 possible symbol characters (I'm picking
8 just because I don't know how many legal symbols there are and it rounds
the numbers off). For any password, I have to have at least one character
from all four of the following sets:

Uppercase letters (26)
Lowercase letters (26)
Numbers (10)
Symbols (8)

The choice of character for at least four of my ten possible positions is
circumscribed, while the other six characters can be from any of the four
sets.

26 x 26 x 10 x 8 x 70 x 70 x 70 x 70 x 70 x 70 = 6,362,457,920,000,000

If I didn't have any complexity requirements at all, I'd be able to choose
from any of the four sets for all 10 characters:

70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 x 70 = 2,824,752,490,000,000,000

That's pretty clearly a reduction in possible passwords of several orders of
magnitude.

HOWEVER -- and this is a big however -- the original poster is suffering
from a logic error (this is what happens when pure mathematics are
untempered by a bit of common sense). The problem is *not* "how big of a
password pool do I have" but rather "how big of a password search pool do I
need to make the attacker have"?

In this case, both the "3 of 4" and "4 of 4" requirements produce exactly
the same size of pool, precisely because the attacker *doesn't* know which
positions will be chosen from which character set -- they have to assume
that any position could be any possible character. Furthermore, by knowing
that the system requires all four character sets, the attacker *cannot* take
a shortcut by relying on the fact that most people are lazy when it comes to
passwords and will do the bare minimum required of them, and remove one of
the character sets from their search space -- doing so will not gain them a
legitimate password. (How many users in a "3 of 4" setting actually bother
to use all four sets?)

Finally, one of the assumptions I postulated to show the math doesn't meet
the real world either -- if I want a stronger password, I just choose a
longer one. The theoretical maximum length for passwords is truly
outrageous, so a paranoid admin can bump up the minimum password length and
offset any potential "weakness" imposed by requiring all four character sets
to be present.

In short, the OP is looking at the math from the wrong side of things.

--
Devin L. Ganger, Exchange MVP      Email: deving@3sharp.com
3Sharp LLC                         Phone: 425.882.1032 x1011
14700 NE 95th Suite 210             Cell: 425.239.2575
Redmond, WA  98052                   Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Thor (Hammer of God)
Sent: Thursday, August 16, 2007 9:33 AM
To: focus-ms@securityfocus.com
Subject: RE: Password complexity - improvement

Just to follow up, this is incorrect. More possible source characters ==
more possible combinations.  Can you elaborate on what you mean by this?

t

> >
> > Is there a way to enforce all 4 properties.
>
> Enforcing passwords that MUST consist of uppercase letters, lowercase 
> letters, numbers AND special characters reduces the total number of 
> possible passwords, which in consequence has a negative impact on your 
> security.

