Passwords.. security is in length, not complexity

Re: Passwords.. security is in length, not complex

I used to be a Gov't employee for an overseas agency, and our 2 secure networks had something like 12-character random passwords, rotated every 60 days.

This naturally more-or-less guaranteed that you had to keep a list of passwords readily to hand (a security violation in itself), as NOBODY could keep track of the newest 12-character random password... I finally just put the passwords in the document safe, which had a complex combination, that fortunately stayed the same.
 
Re: Passwords.. security is in length, not complex

Might as well invest in RSA SecurID cards with the automatic key generator which changes the six-digit one-time password every sixty seconds....
 
Re: Passwords.. security is in length, not complex

Here's a bit of advice! It is NOT hard to hack a password... It really isn't... ALL IT TAKES IS TIME! Change your password frequently.. Within a few weeks you can hack a password above 10 letters/numbers. And it is true that the longer the password is, the harder it is to generate. An easy code used to break passwords works basically by solving letter/number by letter/number.

Just a few cents.

-tom
 
Re: Passwords.. security is in length, not complex

Well, anything that's worth anything usually locks you out or has a timeout for each password/login attempt. Say with a 3-second timeout for each attempt: it would be virtually impossible to crack because it would take frickin' AGES.

As far as encryption goes, the security is in the RSA algorithm and the reliability of generating very large prime numbers. The length is also a determining factor, but the length affects "one-way math functions" (modulus-based math) much more severely than anything that can be brute-forced.
 
Re: Passwords.. security is in length, not complex

EDIT: Leeoniya, you are right on the money on the delays. I've got to type faster.

I don't think that length above 12 characters gives any significant advantage if you are using a mature operating system which is set up correctly. (SEE turbodog's post for a good example.)

I thought that some of Robert Hensing's comments in the article that the OP linked to were very typical of the loopy 'security culture' which has been prevalent among MS higher-ups since the very beginning.

When Mr. Hensing makes a statement claiming that 14-character pass-phrases are quick to brute force you must remember two things: First of all, he's not even considering any operating system outside of Microsoft -- they do not exist as far as he is concerned. Secondly, like all of the other big-shots at MS he has yet again revealed that they are only capable of viewing the user as a stumbling, ignorant buffoon incapable of setting up his box securely. (Again, turbodog's elegant solution is far more valuable in the real world than any great wisdom Mr Hensing has to offer in his article.)

Getting back to the first point. Long pass-phrases are only needed on default installs of Windows. That's who he's talking to in the article. As I said earlier, I usually use a 12 character pass-phrase of mixed cases, with numbers and odd characters thrown in. If Mr Hensing were to try to brute force what he calls my short pass-phrase my OS would allow him three chances to get it right and when he failed a delay of a few seconds would be introduced before he could mount another attempt. This delay would grow slightly longer with each incorrect guess. Mr Hensing and all of his children would be long dead before he could brute force my 12 character pass-phrase. That is the way a mature operating system behaves right out of the box, with a default install.

What Mr Hensing is really saying is that Microsoft would rather inconvenience ALL of its user base forever by having them type 42-character pass-phrases because they refuse to modernize their code and fix the problems associated with their weak default install. That's right, guys, as far as Mr Hensing is concerned, it's your problem and you're on your own.

In order to sell this Mr Hensing must turn the world upside down and try to convince all of us that all of the crypto experts on Earth are wrong and that the weaknesses in Windows don't really exist if the lazy users can just be convinced to type huge pass-phrases, all of the time.

Mr Hensing's article is not about security, it's about PR. It's cheaper in the short run to massage the problems with their OS than it is to fix them. I think that it is generally a bad practice to get security advice from marketing firms.
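The two posts above (the 3-second timeout, and "three chances, then a delay that grows with every failure") are making an arithmetic argument, so here is that arithmetic written out. This is an added example, not code from the thread or from Mr Hensing's article. The guess rate for the offline case and the exact delay schedule for the online case are assumptions chosen to illustrate the point, and the example goes slightly beyond the posts by putting a long lowercase-only passphrase next to a short mixed-character password so the length-versus-complexity trade-off can be read off directly.

```python
"""Brute-force time for a password of a given length and alphabet:
  (a) offline, against a stolen hash, limited only by hashing speed;
  (b) online, through a login prompt that allows a few free tries and
      then delays its answer by a little more after every failure.
All rates and delays are illustrative assumptions, not measurements."""
import math


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> int:
    """On average the right password turns up halfway through the space."""
    return keyspace(alphabet_size, length) // 2


def offline_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Attacker holds the hash; nothing throttles him but his hardware."""
    return expected_guesses(alphabet_size, length) / guesses_per_second


def online_seconds(alphabet_size: int, length: int, free_tries: int = 3,
                   base_delay: float = 2.0, step: float = 0.1) -> float:
    """Attacker must go through the login prompt.  The first `free_tries`
    guesses are instant; failure k (k = 1, 2, ...) beyond those costs
    base_delay + step * k seconds.  The sum is an arithmetic series, so it
    is evaluated in closed form instead of looping over 10^20 guesses."""
    n = expected_guesses(alphabet_size, length)
    m = max(0, n - free_tries)          # guesses that pay a delay
    return m * base_delay + step * m * (m + 1) / 2


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    LOWER, PRINTABLE = 26, 95           # a-z; printable ASCII
    cases = [
        ("8 lowercase letters", LOWER, 8),
        ("12 mixed printable characters", PRINTABLE, 12),
        ("42 lowercase letters (words-only passphrase)", LOWER, 42),
    ]
    for name, alpha, length in cases:
        print(f"{name}: {entropy_bits(alpha, length):.1f} bits")
        print(f"  offline @ 1e9 guesses/s:         {years(offline_seconds(alpha, length, 1e9)):.3g} years")
        print(f"  online, 3 free tries + backoff:  {years(online_seconds(alpha, length)):.3g} years")
```

The closed form matters: even the 8-letter lowercase password, which falls to an offline attack in under two minutes at a billion guesses per second, takes on the order of 10^13 years through a prompt that backs off by a tenth of a second per failure. The throttle is what protects the online case; length is what protects the offline case, which is the situation Mr Hensing's article is really about.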
 
Re: Passwords.. security is in length, not complex

[ QUOTE ]
Sub_Umbra said:
Mr Hensing's article is not about security, it's about PR. It's cheaper in the short run to massage the problems with their OS than it is to fix them. I think that it is generally a bad practice to get security advice from marketing firms.

[/ QUOTE ]

Microsoft tells their new hires "we are a marketing company that happens to make software."

I think that explains a great deal about the company in general.

No good security system should accept passwords input at the frequency and speed that a brute-force/dictionary script works at. A lockdown after X tries, delays on verification/error-handling, or methods to detect scripting (consistent time between retries far faster than any human could react) are all ways to secure the system.
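The post above lists three controls: lock out after X failures, delay the answer to a failed attempt, and notice when retries arrive with machine-like regularity. The following is an added example that puts all three into one login guard; it is not code from the thread. The thresholds (five failures, a two-second step, a five-minute lockout, a 50 ms timing jitter) are assumptions for illustration, the account store is an in-memory toy, and the clock is a field the caller advances so the example runs instantly offline.

```python
"""A login guard with lockout, growing delay and script detection.
Toy storage: a real system keeps a salted hash, not the secret itself."""
import hmac
import statistics
from dataclasses import dataclass, field


@dataclass
class Account:
    secret: str                                   # toy: plaintext secret
    failures: int = 0
    locked_until: float = 0.0
    attempt_times: list = field(default_factory=list)


class LoginGuard:
    def __init__(self, max_failures: int = 5, base_delay: float = 2.0,
                 lockout: float = 300.0, script_window: int = 4,
                 max_jitter: float = 0.05):
        self.max_failures = max_failures
        self.base_delay = base_delay        # seconds added per failure
        self.lockout = lockout              # seconds locked once the limit is hit
        self.script_window = script_window  # attempts examined for regularity
        self.max_jitter = max_jitter        # std-dev of gaps below which it looks scripted
        self.accounts: dict[str, Account] = {}
        self.now = 0.0                      # injected clock (seconds)

    def register(self, user: str, secret: str) -> None:
        self.accounts[user] = Account(secret)

    def looks_scripted(self, acct: Account) -> bool:
        """Humans retry with ragged timing; a script's gaps are near-identical."""
        ts = acct.attempt_times[-self.script_window:]
        if len(ts) < self.script_window:
            return False
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        return statistics.pstdev(gaps) < self.max_jitter

    def attempt(self, user: str, password: str) -> tuple[bool, str, float]:
        """Returns (ok, reason, delay).  The caller sleeps for `delay`
        before reporting a failure; the delay is returned, not slept,
        so the behaviour can be tested without waiting."""
        acct = self.accounts.get(user)
        if acct is None:                    # same answer and delay as a bad password,
            return False, "bad password", self.base_delay   # so user names don't leak
        acct.attempt_times.append(self.now)
        if self.now < acct.locked_until:
            return False, "locked", 0.0
        if acct.locked_until:               # a lockout just expired: start fresh
            acct.locked_until = 0.0
            acct.failures = 0
        if self.looks_scripted(acct):
            acct.locked_until = self.now + self.lockout
            return False, "scripted", 0.0
        if hmac.compare_digest(acct.secret.encode(), password.encode()):
            acct.failures = 0
            return True, "ok", 0.0
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked_until = self.now + self.lockout
            return False, "locked", 0.0
        return False, "bad password", self.base_delay * acct.failures   # 2s, 4s, 6s, ...
```

The scripting check runs before the password is even compared, so a bot that paces its guesses at exactly half a second is locked out on its fourth try, long before it reaches the failure limit, while a person who fumbles the same password four times at irregular intervals only collects the growing delay.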
 
Re: Passwords.. security is in length, not complex

One time pad.

ƒˆn
 
Re: Passwords.. security is in length, not complex

haha, one time pad. that's a good one. and the middleman with a briefcase handcuffed to his wrist.

the closest real-world one-time pad is PGP, since there is only one private key that will decrypt a public key. granted since it's still based on RSA algorithms, one way math functions are pretty damn secure.

and there are 3 levels of hackers/crackers.

level 1: script kiddies and those intrigued with the concept and willing to probe around but really don't understand anything they are doing and are more of an annoyance by following tutorials.

level 2: the person who understands something about what they are doing and has the means and resources to try to break into a system for information.

level 3: the professional cracker/cryptanalyst.

there really is no protection against a level 3 person because they will find a way in no matter what security measures are taken, there will always be a weakness and it will be exploited. your problems extend beyond data security if you ever get on a list where a professional is hired to break into your accounts in the first place.

1024-bit RSA/PGP is virtually infeasible to brute force, and given that no other security leaks exist (such as an insecure place for the private key storage), even without a timeout/lockout/delay on login counts or pattern detection, it will not be brute forced in any amount of time before which the information being secured loses any significance.

the point being. security is a very relative term. because if i can't break the lock in a million years, i would think for 2 seconds and spend 30 minutes removing the hinges.
 
Re: Passwords.. security is in length, not complex

[ QUOTE ]
Leeoniya said:
the point being. security is a very relative term. because if i can't break the lock in a million years, i would think for 2 seconds and spend 30 minutes removing the hinges.

[/ QUOTE ]

A forgotten point in many a security discussion.

SSL is a real nuisance to crack for a chance at possibly sniffing a few credit card numbers. Without an elegant attack (such as the PRNG failures in a few browsers years back), it's not worth the effort. On the other hand, it was fairly easy to snag the entire CC database on some of the common "discount" e-commerce servers a few years ago and many crooks made off with more money than the average ATM contains.

Many houses in my area feature stout 6-panel doors that are made from solid joined wood. They'll eventually fail with enough hits from a 2-man battering ram, but that's noisy and impractical. On the other hand, narrow windows on either side of the door within easy reach of the inside door handle are amazingly popular...

Modern bank vaults seem to have the concept down right. Modular vault panels are essentially impervious to the methods and tools that the average bank robber/safecracker will have available. The vault door is not as tough as the panels, so it's the natural target ... but it's no cakewalk to get through a vault door even for trained UL technicians with access to far better equipment and materials than safecrackers. Another benefit is that vault doors are repairable and replaceable in the event crooks mess it up.

Tangential
I used to work with a guy that did miscellaneous security system service work. There was a grocery store in this one West Texas town that had inherited a unique "ball" safe that they used for cash. This safe was a rough sphere, approximately 4' in diameter - apparently a somewhat common safe for frontier banks in the 1800s. Every other year or so, crooks would break into the warehouse next door to "borrow" a forklift to lift the safe into a truck for the semi-annual cracking attempt. Inevitably, the local police would find the safe - intact - a week or so later and my co-worker would go about repairing it. It would have a few new gouges in it from drills, somewhat rougher edges around the door from attempts to hammer in a wedge to pry it open, and some additional scorch marks from cutting torches. He wasn't sure what sort of metal it was made from, but it was always intact with the contents still inside. My friend got to keep the utterly ruined tools that were found with the safe once the cops were done with them. He'd have to be careful when disassembling it because no 2 screws were threaded quite alike, but it was easily restored every time.
 
Re: Passwords.. security is in length, not complex

In theory, the one time pad is unbreakable.

If one were to employ two people with photographic memories, there would be no need for a middleman.

Fin
 
Re: Passwords.. security is in length, not complex

the one time pad is inefficient because the key and ciphertext are the same length as the plaintext. and you cannot possibly do anything to compress either of them because there is absolutely no pattern that can be found when nothing repeats.
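The three properties the last few posts trade back and forth (the pad is as long as the message, it is unbreakable when used once, and neither pad nor ciphertext compresses) can all be shown in a few lines. This is an added example, not code from the thread; the messages are constructed, the pad comes from os.urandom, and zlib stands in for "anything you could do to compress it".

```python
"""A one-time pad over bytes: XOR with a random key of the same length."""
import os
import zlib


def otp_keygen(n: int) -> bytes:
    """A fresh pad: n uniformly random bytes, used exactly once."""
    return os.urandom(n)


def otp_xor(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse).  The pad must
    be exactly as long as the message: there is no key schedule to stretch it."""
    if len(key) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def key_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an eavesdropper learns if the same pad is used twice:
    ct1 ^ ct2 == (pt1 ^ k) ^ (pt2 ^ k) == pt1 ^ pt2.  The pad cancels and
    the two plaintexts are left XORed together, so knowing or guessing one
    of them hands over the other.  Hence 'one time'."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def compresses(data: bytes) -> bool:
    """True if a general-purpose compressor finds any redundancy to remove."""
    return len(zlib.compress(data, 9)) < len(data)


if __name__ == "__main__":
    pt1 = b"ATTACK AT DAWN"                 # constructed messages, same length
    pt2 = b"HOLD POSITION!"
    key = otp_keygen(len(pt1))
    ct1 = otp_xor(pt1, key)
    ct2 = otp_xor(pt2, key)                 # the mistake: pad reused
    print("pad and ciphertext are each", len(key), "bytes for a", len(pt1), "byte message")
    print("decrypts:", otp_xor(ct1, key) == pt1)
    print("reuse leaks pt1^pt2:", key_reuse_leak(ct1, ct2) == otp_xor(pt1, pt2))
    english = b"the quick brown fox jumps over the lazy dog. " * 4
    print("English compresses:", compresses(english),
          "| pad compresses:", compresses(otp_keygen(len(english))),
          "| ciphertext compresses:", compresses(otp_xor(english, otp_keygen(len(english)))))
```

The compression check is the practical face of "no pattern when nothing repeats": the English sample shrinks to a fraction of its size, while a pad or ciphertext of the same length comes out of zlib a few bytes larger than it went in.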
 
Re: Passwords.. security is in length, not complex

The coolest use for One Time Pad is as an alternate authentication scheme that you may use for accessing accounts on machines that you may have to use but don't fully trust, like library computers. It's kind of neat. Usually the password shows on the screen as you type it since there is no need to obscure it with asterisks.

It would be quite a bit of overhead to have to use it for every login, though.
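What the post above describes, a list of passwords each good for exactly one login, typed in the clear on a machine you don't trust, is how a printed one-time-password list works: a keylogger on the library PC captures a value that is already worthless. The example below is an added one, not code from the thread, and it implements such a list as a hash chain (the server stores only the top of the chain, the user carries the rest on paper); the post does not say which scheme it had in mind, so the chain construction, the seed and the chain length are assumptions.

```python
"""A one-time-password list built as a hash chain.
  h_0 = H(seed), h_i = H(h_{i-1}).  The server keeps h_n.
  The user's printed list is h_{n-1}, h_{n-2}, ..., h_0, used top down."""
import hashlib


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list[bytes]:
    """Returns [h_0, h_1, ..., h_n].  Only h_n goes to the server."""
    chain = [H(seed)]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def user_list(chain: list[bytes]) -> list[str]:
    """The sheet the user carries: every value except the server's, in
    the order they will be consumed (highest index first)."""
    return [h.hex() for h in reversed(chain[:-1])]


class OtpServer:
    """Stores one value; a login is valid if hashing the presented password
    reproduces it.  On success the stored value ratchets down the chain,
    so the password just typed (and seen by any keylogger) can never be
    replayed, and a value lower in the chain cannot be used out of turn
    in this simplest form of the scheme."""

    def __init__(self, top: bytes):
        self.last = top

    def login(self, presented: bytes) -> bool:
        if H(presented) == self.last:
            self.last = presented
            return True
        return False


if __name__ == "__main__":
    chain = make_chain(b"constructed seed - never reused", 5)   # assumed seed and length
    server = OtpServer(chain[-1])
    sheet = user_list(chain)
    print("printed list:", *sheet, sep="\n  ")
    first = bytes.fromhex(sheet[0])
    print("login with first entry:", server.login(first))
    print("replay of the same entry:", server.login(first))    # False: already consumed
    print("login with second entry:", server.login(bytes.fromhex(sheet[1])))
```

Because H runs only forward, someone who captures h_4 at the keyboard cannot compute h_3, which is what the next login needs; the user still has to keep the unused part of the sheet private, and the overhead the post mentions is real, since every login burns one line and the sheet eventually needs reissuing.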
 