Operating System - OpenVMS

Re: Weak Password Testing

 
SOLVED
Go to solution
Hoff
Honored Contributor

Re: Weak Password Testing

Thoughts? Comments?

Passwords and password filters let an administrator blame the end-user for the inevitable exposures.

http://labs.hoffmanlabs.com/node/57
http://labs.hoffmanlabs.com/taxonomy/term/112

We know that one or more of our end-users (and occasionally even one of us) will eventually select a bad password, will set up a group-access account, or will expose a password via ftp or telnet, or will write it on a yellow sticky, or will have a laptop (or a server!) with a text file full of passwords (or worse) stolen.

So what are we going to do about it?

Address authentication for your environment (via PKE or token-based authentication or other such), and you'll have a better shot at the desired improvement to your server security. And you'll be less vulnerable to the inevitable password exposures.


Richard W Hunt
Valued Contributor

Re: Weak Password Testing

The comments about complexity not being productive when compared to length are perhaps misleading?

Let's say that you ALLOW but do not REQUIRE complex passwords.

OK, for users with "simple" passwords (i.e. PWDMIX flag is not set), you have 26 letters of the alphabet, 10 digits, and it happens that the underscore and dollarsign also work in that context. That's 28 characters.

For mixed passwords, you have 26 upper, 26 lower, 10 digits, and up to 32 punctuation marks, depending on what you allow.

If you have a rule that says 10 characters and any characters are fair game, then the non-mixed case is 28^10 = 6.278E+15. The mixed case is 94^10 = 5.386E+19, or almost 10,000 times as many possibilities.

Admittedly, when you make it a requirement instead of an option, some of those combinations aren't legal any more and the number of possible passwords goes down. At some point the math gets above me. But don't sell complex passwords short.
Sr. Systems Janitor
AEFAEF
Advisor

Re: Weak Password Testing


You've increased the number of possible characters by 94-38=56. Consider going from 10 to 15 character slots:

38**10 = 6278211847988224
38**15 = 497455170514937390661632
....:....1....:....2....:

38**10 = ~6.27E+15
38**15 = ~4.97E+23

38**5 = 79235168
....:....1....:....2....:

So by adding 5 character slots we gain a factor of 7.9E+7. This is approx. 1000 times more than the 10000 you get by implementing the requirement of complex passwords. And that requirement adds a whopping 56 characters to the character set. But users will never pick passwords such as

4#Rh&i0*h@

This rules out the vast majority of the 94^10=5.3E+19 possible passwords with the complex scheme you mentioned.

(And if you required such passwords, is there anyone who wouldn't have to write them down?)

For the case of ULLLLLL##P (almost certainly the most common variation) you get

26**7 * 100 * 32 = 25701792563200 =~ 2.6E+13

which is even less than 38**10. (!)

So it seems to me that the "pain" of 5 extra character slots is a lot less than the pain of multiple character sets and you get a lot more bang for the buck. Yes, you still have to filter out passwords like 1111111111, 0123456789, companyname, etc. But that's already being recommended by other posts and would be common to both complexity and length schemes. I, for one, would much rather have longer, case-insensitive letters plus numbers than shorter case-sensitive letters with numbers and punctuation marks. But that's just me.

Which passwords are you calling "illegal"?

Did you read the references I provided?

AEF
Richard W Hunt
Valued Contributor

Re: Weak Password Testing

Doing pure combinatorial analysis, if you have 94 usable characters and a length of 15 characters, you have 94^15 possible passwords. (This excludes blanks, tabs, control characters in general, and the DEL character, or you would have 96 choices.)

Some combinations become illegal when you change from ALLOWED to REQUIRED complexity. Any combination that fails complexity then becomes illegal. My math is too rusty to handle that off-handedly.

If you don't want to use alternate characters then don't. Lengthen your passwords. Because I work at a Dept. of Defense site, I wasn't allowed that luxury of choosing alternatives.

Now, the pragmatist pops up within me. You and I BOTH know that what most users will do is choose passwords like JuliaSue-04/20/81 (girl friend's name and birthday) or Tea.4.2.Cha-Cha or something equally not so random. People don't think randomly anyway. To do this really RIGHT, you need to toss in complexity, long passwords, AND randomly generated passwords with a short lifetime. Then you guarantee that someone will write down the password somewhere.

So to a large degree, asking for more password complexity quickly reaches a point of diminishing (security) returns for your effort. It's always a balancing act - unless you work for people who are unbalanced to begin with. Of course, the latter comment should in NO way be construed to refer to my employer, the U.S.Government.

Sr. Systems Janitor
djk
Advisor

Re: Weak Password Testing

Lots of good discussion.