From owner-freebsd-security Wed Sep 18 13:13:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 26D4637B401 for ; Wed, 18 Sep 2002 13:13:37 -0700 (PDT) Received: from web10101.mail.yahoo.com (web10101.mail.yahoo.com [216.136.130.51]) by mx1.FreeBSD.org (Postfix) with SMTP id 9F85443E42 for ; Wed, 18 Sep 2002 13:13:36 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020918201336.17551.qmail@web10101.mail.yahoo.com> Received: from [68.5.49.41] by web10101.mail.yahoo.com via HTTP; Wed, 18 Sep 2002 13:13:36 PDT Date: Wed, 18 Sep 2002 13:13:36 -0700 (PDT) From: twig les Subject: Re: Password Security Policy Question To: Crispin Cowan , Nate Lawson Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <3D87C2B5.9000305@wirex.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org While we're on the subject of passwords, I'm considering setting up a semi-dedicated box to do some password cracking at work. Is there a good paper on how to set up some good libraries? I have john the ripper running right now but the default ability to crack passwds isn't very good (I threw it some obvious ones...didn't get them). Also, is there anything involved in this process aside from raw CPU time? For the next time I get to build a box, it'd be good to know. --- Crispin Cowan wrote: > Nate Lawson wrote: > > > At 11:36 AM 9/10/2002 -0500, L. Adrian Griffis > wrote: > > > I am aware of a company that has instituted a > policy that limits a > > > specific character in people's passwords to > being a numeric character. > > This policy, as described, does seem to be a very > bad idea. I can't tell > whether it is because the policy has not been > faithfully described. > > > This is a bad idea. Ross Anderson's group did a > good study on different > > password selection approaches: > > http://www.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf > > Interesting paper. Good to see some solid empirical > study in this > critical area. Some commentary on the conclusions: > > 1. The first folk belief is that users have > difficulty remembering > random passwords. This belief is confirmed. > 2. The second folk belief is that passwords based > on mnemonic phrases > are harder for an attacker to guess than > naively selected > passwords. This belief is confirmed. > 3. The third folk belief is that random passwords > are better than > those based on mnemonic phrases. However, each > appeared to be just > as strong as the other. So this belief is > debunked. > 4. The fourth folk belief is that passwords based > on mnemonic phrases > are harder to remember than naively selected > passwords. However, > each ap- peared to be just as easy to remember > as the other. So > this belief is de- bunked. > 5. The fifth folk belief is that by educating > users to use random > passwords or mnemonic passwords, we can gain a > significant > improvement in security. However, both random > passwords and > mnemonic passwords su ered from a > non-compliance rate of about 10% > (including both too-short passwords and > passwords not chosen > according to the instructions). While this is > better than the 35% > or so of users who choose bad passwords with > only cursory > instruction, it is not really a huge > improvement. The attacker may > have to work three times harder, but in the > absence of password > policy enforcement mechanisms there seems no > way to make the > attacker work a thousand times harder. In > fact, our experimental > group may be about the most compliant a > systems administrator can > expect to get. So this belief appears to be > de- bunked. > > I like most of these conclusions. Confirming most of > the common folk > beliefs is good. #5 is particularly significant: > password policy > enforcement is critical. > > The only one I have trouble with is #3: the study > found passphrase > passwords to be just as strong as random pass > phrases. I submit that > this conclusion is primarily a function of the > strength of the cracking > software employed, and will change. It is unclear > whether the study used > a standard password cracker (Crack, John the Ripper, > etc.) or rolled > their own. But in any case, if we convince all users > to use pass > phrases, then crack software will evolve to attempt > to crack pass > phrases. How hard would it be to encode the first > letter of the popular > quotations from Bartlett's Quotations into a crack > dictionary? > > Disclaimer: none the less, I believe that pass > phrases is the most > cost-effective form of password discipline. Random > is just too hard for > most humans to remember. > > Crispin > > -- > Crispin Cowan, Ph.D. > Chief Scientist, WireX > http://wirex.com/~crispin/ > Security Hardened Linux Distribution: > http://immunix.org > Available for purchase: > http://wirex.com/Products/Immunix/purchase.html > > > ATTACHMENT part 2 application/pgp-signature ===== ----------------------------------------------------------- Heavy metal made me do it. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! Health - Feel better, live better http://health.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message