gabriel rosenkoetter on Thu, 30 Aug 2001 01:30:54 +0200



Re: [PLUG] Does restricting partial words weaken passwords?


On Wed, Aug 29, 2001 at 01:16:54PM -0400, Dave Turner wrote:
> We discussed on Saturday whether rejecting parts of dictionary words in
> passwords would make less secure passwords.
> 
> We assumed that a word fragment had 3 characters.

Hrm. Some words have fewer than that. And are you actually
postulating that disallowing (theoretically) predictable chunks of
characters in a password will make the password *less* secure? (This
is counter-intuitive, but I'm not disagreeing just yet.)

It's worth noting that password checkers commonly thought to be
useful (like the one that ships with npasswd) do check for pieces of
password that match up with words in /usr/dict/words, though not
chunks as you describe to the best of my knowledge, but also look
for things that are basically words with one (or more) character(s)
wrong, things that are words through standard B1FF-speak
substitution, and a variety of other heuristics (go read the source).

So, this leads one to quasi-random password selection, which is
really a pretty good password selection technique as long as it's
not algorithmically based (no matter whether or not the attacker
knows the algorithm). By which I mean that running a strictly
dictionary-based crack on it won't work.

There've been quite a few articles written lately questioning how
useful insistence on strong passwords really is. (I don't recall the
date, but trolling on http://www.infosecuritymag.com/ will turn one
up.) I'm not sure whether I agree or not with everything said, but
it's definitely true that no password will stand up under a
fortnight's brute forcing (perhaps not even bothering with
dictionary attacks) with a cluster of modern computers. Sure, root's
password should still be pretty good, but if you stick to eight
character passwords, you're screwed for sure about two weeks after
somebody gets their hands on your encrypted password file (which
they should already have had to have been root to do... note that if
you're trusting sudo to let marginally trusted users run *any*
complex program, you're basically giving them root access).

What I'm getting around to here is that discussion of strong
passwords is becoming more and more wanking and less and less useful
in this day and age. As soon as someone has their mitts on even your
encrypted list of passwords, you have lost. Period.

Pass*phrases*, on the other hand, are quite important. Oh, and
the same rules apply: passphrases should never be common, English
words and phrases, which provide less than a bit of security per
word. My ssh identity key passphrases are upwards of 20 characters
long and would seem like streams of random gibberish if I were to
show them to you, but they aren't generated pseudo-randomly; rather
they have an internal meaning for me. Which is the point of a secure
passphrase; it needs to be invulnerable to a dictionary or brute
force attack (I don't have numbers here, but shooting for around 20
non-related characters should be pretty decent, more if you're
militarily paranoid), but it also needs to be something you can
remember.

> Chance of password of n characters containing part of a dictionary word:
> 3 = 42.75%
> 4 = 67.22%
> 5 = 81.23%
> 6 = 89.25%
> 7 = 93.85%
> 8 = 96.48%

What math did you use to decide on this? Because if you're just
seeing how many times a given three letter phrase *could* show up
within eight characters, you're definitely missing the larger
picture.

> Word count of dictionary: 263,533 words.

I presume this is Linux's /usr/dict/words? You might be interested
to know that Solaris's is only 25143 words...

-- 
       ~ g r @ eclipsed.net


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
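Two of the questions above, whether a candidate password contains a piece of a dictionary word even after B1FF-style substitutions, and what fraction of random n-character strings contain some 3-character fragment, can be worked exactly in a few lines. The Python below is an added example written for this archive page; it is not npasswd's code and not the math Dave used. The word list, the substitution table and the sample candidates are constructed here as stand-ins (the word list is not /usr/dict/words). The probability routine counts, for a given fragment set and alphabet, the strings that avoid every fragment with a transfer-matrix DP and subtracts from 1, so the answer depends on how many distinct 3-grams the dictionary actually covers rather than only on how many positions a fragment could occupy.

```python
"""Added example: an npasswd-style dictionary-fragment check plus the exact
probability that a random n-character string contains some fragment.

The word list, substitution table and candidates are constructed for this
example; they are not /usr/dict/words and not npasswd's own heuristics.
"""
from collections import defaultdict
from fractions import Fraction
from itertools import product
import string

# Constructed toy word list (stand-in for /usr/dict/words).
WORDS = ["password", "secret", "dragon", "letmein", "hello", "word"]

# Reverse "B1FF-speak" substitutions so that p4$$w0rd normalises to password.
# Assumed table for the example; a real checker carries its own, larger one.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})


def fragments(words, k=3):
    """Every k-character window of every word, lower-cased.

    Words shorter than k contribute nothing (the 'some words have fewer
    than three characters' case simply yields no fragment)."""
    frags = set()
    for w in words:
        w = w.lower()
        for i in range(len(w) - k + 1):
            frags.add(w[i:i + k])
    return frags


def normalise(candidate):
    """Lower-case and undo the substitution table above."""
    return candidate.lower().translate(LEET)


def contains_fragment(candidate, frags, k=3):
    """True if the candidate, raw or de-leeted, contains any dictionary fragment."""
    for text in (candidate.lower(), normalise(candidate)):
        for i in range(len(text) - k + 1):
            if text[i:i + k] in frags:
                return True
    return False


def fraction_with_fragment(n, frags, k=3, alphabet=string.ascii_lowercase):
    """Exact fraction of the |alphabet|**n strings of length n containing a fragment.

    Counts the strings that AVOID every fragment with a DP whose state is the
    last k-1 characters, then subtracts that count from the total.
    """
    if n < k:
        return Fraction(0)
    # Every (k-1)-character prefix is fragment-free by construction.
    counts = {"".join(p): 1 for p in product(alphabet, repeat=k - 1)}
    for _ in range(n - (k - 1)):
        nxt = defaultdict(int)
        for state, c in counts.items():
            for ch in alphabet:
                if state + ch in frags:
                    continue          # this extension would complete a fragment
                nxt[state[1:] + ch] += c
        counts = nxt
    avoiding = sum(counts.values())
    return 1 - Fraction(avoiding, len(alphabet) ** n)


def fraction_by_enumeration(n, frags, k=3, alphabet=string.ascii_lowercase):
    """Brute-force cross-check of fraction_with_fragment; only feasible for tiny n."""
    hits = sum(1 for p in product(alphabet, repeat=n)
               if contains_fragment("".join(p), frags, k))
    return Fraction(hits, len(alphabet) ** n)


if __name__ == "__main__":
    frags = fragments(WORDS)
    for pw in ["p4$$w0rd", "dr4g0nfly", "xq7vk9pz", "Tr0ub4dor"]:   # constructed candidates
        print(f"{pw:12} contains fragment: {contains_fragment(pw, frags)}")
    for n in range(3, 9):
        f = fraction_with_fragment(n, frags)
        print(f"n={n}: {float(f):.2%} of random lower-case strings contain a fragment")
```

Swapping in a real word list for WORDS makes the second loop answer Dave's table for that dictionary; the DP stays cheap (26**2 states times 26 extensions per character of length) no matter how large the fragment set gets, while the enumeration routine is there only to check the DP on toy inputs.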