Weak Password Testing
04-07-2009 09:37 AM
Re: Weak Password Testing
Passwords and password filters let an administrator blame the end-user for the inevitable exposures.
http://labs.hoffmanlabs.com/node/57
http://labs.hoffmanlabs.com/taxonomy/term/112
We know that one or more of our end-users (and occasionally even one of us) will eventually select a bad password, will set up a group-access account, or will expose a password via ftp or telnet, or will write it on a yellow sticky, or will have a laptop (or a server!) with a text file full of passwords (or worse) stolen.
So what are we going to do about it?
Address authentication for your environment (via PKE or token-based authentication or other such), and you'll have a better shot at the desired improvement to your server security. And you'll be less vulnerable to the inevitable password exposures.
04-07-2009 10:07 AM
Re: Weak Password Testing
Let's say that you ALLOW but do not REQUIRE complex passwords.
OK, for users with "simple" passwords (i.e. the PWDMIX flag is not set), you have 26 letters of the alphabet, 10 digits, and it happens that the underscore and dollar sign also work in that context. That's 28 characters.
For mixed passwords, you have 26 upper, 26 lower, 10 digits, and up to 32 punctuation marks, depending on what you allow.
If you have a rule that says 10 characters and any characters are fair game, then the non-mixed case is 28^10 = 6.278E+15. The mixed case is 94^10 = 5.386E+19, or almost 10,000 times as many possibilities.
Admittedly, when you make it a requirement instead of an option, some of those combinations aren't legal any more and the number of possible passwords goes down. At some point the math gets above me. But don't sell complex passwords short.
04-07-2009 11:08 AM
Re: Weak Password Testing
You've increased the number of possible characters by 94-38=56. Consider going from 10 to 15 character slots:
38**10 = 6278211847988224
38**15 = 497455170514937390661632
....:....1....:....2....:
38**10 = ~6.27E+15
38**15 = ~4.97E+23
38**5 = 79235168
....:....1....:....2....:
So by adding 5 character slots we gain a factor of 7.9E+7. This is approx. 1000 times more than the 10000 you get by implementing the requirement of complex passwords. And that requirement adds a whopping 56 characters to the character set. But users will never pick passwords such as
4#Rh&i0*h@
This rules out the vast majority of the 94^10=5.3E+19 possible passwords with the complex scheme you mentioned.
(And if you required such passwords, is there anyone who wouldn't have to write them down?)
For the case of ULLLLLL##P (almost certainly the most common variation) you get
26**7 * 100 * 32 = 25701792563200 =~ 2.6E+13
which is even less than 38**10. (!)
So it seems to me that the "pain" of 5 extra character slots is a lot less than the pain of multiple character sets and you get a lot more bang for the buck. Yes, you still have to filter out passwords like 1111111111, 0123456789, companyname, etc. But that's already being recommended by other posts and would be common to both complexity and length schemes. I, for one, would much rather have longer, case-insensitive letters plus numbers than shorter case-sensitive letters with numbers and punctuation marks. But that's just me.
Which passwords are you calling "illegal"?
Did you read the references I provided?
AEF
04-10-2009 09:36 AM
Re: Weak Password Testing
Some combinations become illegal when you change from ALLOWED to REQUIRED complexity. Any combination that fails complexity then becomes illegal. My math is too rusty to handle that off-handedly.
If you don't want to use alternate characters then don't. Lengthen your passwords. Because I work at a Dept. of Defense site, I wasn't allowed that luxury of choosing alternatives.
Now, the pragmatist pops up within me. You and I BOTH know that what most users will do is choose passwords like JuliaSue-04/20/81 (girlfriend's name and birthday) or Tea.4.2.Cha-Cha or something equally not so random. People don't think randomly anyway. To do this really RIGHT, you need to toss in complexity, long passwords, AND randomly generated passwords with a short lifetime. Then you guarantee that someone will write down the password somewhere.
So to a large degree, asking for more password complexity quickly reaches a point of diminishing (security) returns for your effort. It's always a balancing act - unless you work for people who are unbalanced to begin with. Of course, the latter comment should in NO way be construed to refer to my employer, the U.S. Government.