Bedroc asked:
What are good password rules and length-reqs? Password cracking software?

We are using soft certificates stored as PKCS#12 tokens. The only security to protect them is a password. Further, it is not possible to revoke/abort after, i.e., 3 password attempts. The certificates have a lifespan of one year.

We need to better understand how to help users choose a good password, and would need a tool to understand how easy it is to crack a password. Is there any good literature (preferably on the net) on this? Any source for password crack tools so we can evaluate our rules against these?

What are your thoughts and recommendations on this?

We fully understand the risk virus and trojans pose to a system like this, so no need to discuss that here.
ASKER CERTIFIED SOLUTION
esmogen

SOLUTION
stuartamdouglas:

http://www.alw.nih.gov/Security/Docs/passwd.html gives a very straightforward one-page list of recommendations for choosing a password.

LC4 is definitely the best tool for password recovery, but there is a selection of others (downloadable from the site in many cases) at http://members.aol.com/jpeschel/crack.htm

Cheers

Stuart
There are basically two ways to crack a password:

* Dictionary search
* Brute force search

In a dictionary search you assume that the users have chosen passwords that can be found in a common dictionary. If you combine, let's say, the 20 000 most common (short) words, 5 000 most common person names (and variants of common names) and 5 000 names of places, you get a good crack dictionary. These dictionaries can be downloaded from the net.

In a brute force search the attacker just generates all possible combinations.

The key to making a password hard to guess is making sure that the attacker must guess many times before he has tried every possible password.

Let's assume that each guess takes one time unit (= tu).

A dictionary attack with a 30 000 word dictionary takes 20 000 tu.

A brute force attack takes (number of unique signs in the alphabet) ^ (number of characters in the password) tu.

Example: A password that only contains lowercase letters has 26 unique signs in its alphabet. If the password is six characters long, the total time is 26^6 = 309 * 10^6 tu. This password is about 10 000 times stronger than the password that could be found by the dictionary cracker.

In order to improve the strength of a password you can either increase the minimum length of the password or increase the number of unique signs in the alphabet.

Example: Let's assume that the password consisted of not only lowercase letters but also uppercase letters and the numbers 0-9. This results in a password strength of 62^6 = 56.8 * 10^9, which is about 184 times stronger.

Example: Let's assume that the password length is eight instead of six. 26^8 = 208 * 10^9, which is about 676 times stronger.

The main problem of creating a good password policy is to balance the need to have strong passwords against the users' need to have easy-to-remember passwords. If you don't manage to explain to the users how to choose good passwords and why, they will obey the letter of the rule but find some way to create passwords that are legal, but easy to remember and therefore easy to guess.

Example: In many security policies dictionary words are forbidden as passwords. The policy might also include a rule that says that the password must contain at least one digit. As people like passwords that are easy to remember, they combine a word with a single digit either before or after the word. This creates passwords that are very easy to crack. Just expand your dictionary. It will be a bit larger (a 30 000 word dictionary swells to 630 000), but still manageable if you compare it with the brute force approach.
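The guess counts in the answer above can be turned into a small policy-evaluation script, which is useful when tuning password rules for the PKCS#12 tokens the asker describes. The code below is an added example written for this page, not code from the answer or from any tool it names. It assumes the answer's cost model (one guess = one tu), a constructed six-word toy dictionary in place of the 30 000 word list, and a "word plus one digit before or after" expansion of 21 variants per word (bare word, 10 prefixes, 10 suffixes), which reproduces the 30 000 to 630 000 figure. It also generalises the brute-force case to any mix of lowercase, uppercase, digits and symbols.

```python
"""Estimate how many guesses a password costs under the two attack classes
described in the answer: dictionary search (with a single-digit expansion)
and brute force over the character classes the password actually uses.
Constructed example; the toy dictionary stands in for a real word list."""
import string
from typing import Optional, Tuple

# Character classes and how many symbols each adds to the brute-force alphabet.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),  # 26
    "upper": set(string.ascii_uppercase),  # 26
    "digit": set(string.digits),           # 10
    "symbol": set(string.punctuation),     # 32
}

# Constructed toy dictionary; a real one is the 20 000 words + 5 000 names
# + 5 000 places the answer describes (stored lowercase, case variants assumed).
TOY_DICTIONARY = ["password", "welcome", "summer", "london", "michael", "qwerty"]

DIGIT_VARIANTS = 1 + 10 + 10  # bare word, one digit before, one digit after


def brute_force_guesses(alphabet_size: int, length: int) -> int:
    """Worst-case guesses for an exhaustive search: alphabet ^ length."""
    return alphabet_size ** length


def alphabet_size_for(password: str) -> int:
    """Size of the smallest union of character classes covering the password."""
    size, covered = 0, set()
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered |= chars
    # Characters outside the four classes (e.g. non-ASCII) each add one symbol.
    size += len({c for c in password if c not in covered})
    return size


def digit_variant_count(word_count: int) -> int:
    """Dictionary size once every word is also tried with one leading or
    trailing digit: 30 000 words become 630 000 candidates."""
    return word_count * DIGIT_VARIANTS


def strip_single_digit(candidate: str) -> Optional[str]:
    """Return the word part if candidate is <word><digit> or <digit><word>."""
    if len(candidate) < 2:
        return None
    if candidate[-1].isdigit():
        return candidate[:-1]
    if candidate[0].isdigit():
        return candidate[1:]
    return None


def estimate_guesses(password: str, dictionary) -> Tuple[str, int]:
    """Classify the password and return (attack class, guesses needed).

    The cheapest applicable attack wins: a plain dictionary hit, then the
    digit-expanded dictionary, then brute force over the used alphabet."""
    words = {w.lower() for w in dictionary}
    lowered = password.lower()
    if lowered in words:
        return ("dictionary", len(words))
    stem = strip_single_digit(lowered)
    if stem is not None and stem in words:
        return ("dictionary+digit", digit_variant_count(len(words)))
    return ("brute-force", brute_force_guesses(alphabet_size_for(password), len(password)))


if __name__ == "__main__":
    # Reproduce the answer's worked figures.
    base = brute_force_guesses(26, 6)
    print("26^6 =", base)
    print("62^6 / 26^6 =", brute_force_guesses(62, 6) // base)
    print("26^8 / 26^6 =", brute_force_guesses(26, 8) // base)
    print("30 000 words with one digit ->", digit_variant_count(30_000))
    # Evaluate some constructed candidate passwords against the toy list.
    for pw in ["summer", "summer1", "1London", "xkq7rbz", "Abc1!"]:
        print(f"{pw!r:12} {estimate_guesses(pw, TOY_DICTIONARY)}")
```

Run it as a script to see the answer's numbers recomputed, or import `estimate_guesses` into a password-policy check: a candidate that lands in the "dictionary" or "dictionary+digit" class should be rejected even when it satisfies a "must contain a digit" rule, which is exactly the loophole the example in the answer describes.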
get l0pht crack 4