

What are good password rules and length-reqs? Password cracking software?

Posted on 2003-03-19
Last Modified: 2008-03-10
We are using soft certificates stored as PKCS#12 tokens. The only security protecting them is a password. Further, it is not possible to revoke/abort after, e.g., 3 password attempts. The certificates have a lifespan of one year.

We need to better understand how to help users choose a good password, and would need a tool to understand how easy it is to crack a password. Is there any good literature (preferably on the net) on this? Any source for password cracking tools, so we can evaluate our rules against these?

What are your thoughts and recommendations on this?

We fully understand the risk virus and trojans pose to a system like this, so no need to discuss that here.
Question by: Bedroc

Accepted Solution

esmogen earned 152 total points
ID: 8165407
You can try this, it's pretty straightforward:

Assisted Solution

jackb022197 earned 148 total points
ID: 8166049
Password selection is part of a password policy - see http://www.security.state.mn.us/password_policy.pdf for an example.

LC4 (http://www.atstake.com/research/lc/) is a great password auditing and recovery application.

Other password cracking, recovery or management tools can be found at http://www.passwordportal.net/



Expert Comment

ID: 8166567
http://www.alw.nih.gov/Security/Docs/passwd.html gives a very straightforward one-page list of recommendations for choosing a password.

LC4 is definitely the best tool for password recovery, but there is a selection of others (downloadable from the site in many cases) at http://members.aol.com/jpeschel/crack.htm



Expert Comment

ID: 8201927
There are basically two ways to crack a password:

* Dictionary search
* Brute force search

In a dictionary search you assume that the users have chosen passwords that can be found in a common dictionary. If you combine, let's say, the 20 000 most common (short) words, 5 000 most common person names (and variants of common names) and 5 000 names of places, you get a good crack dictionary. These dictionaries can be downloaded from the net.

In a brute force search the attacker just generates all possible combinations.

The key to making a password hard to guess is making sure that the attacker must guess many times before he has tried every possible password.

Let's assume that each guess takes one time unit (= tu).

A dictionary attack with a 30 000 word dictionary takes 20 000 tu.

A brute force attack takes (number of unique signs in the alphabet) ^ (number of characters in the password).

Example: A password that only contains lowercase letters has 26 unique signs in its alphabet. If the password is six characters long, the total time is 26^6 = 309 * 10^6 tu. This password is about 10 000 times stronger than the password that could be found by the dictionary cracker.

In order to improve the strength of a password you can either increase the minimum length of the password or increase the number of unique signs in the alphabet.

Example: Let's assume that the password consisted of not only lowercase letters but also uppercase letters and the numbers 0-9. This results in a password strength of 62^6 = 56.8 * 10^9, which is about 184 times stronger.

Example: Let's assume that the password length is eight instead of six. 26^8 = 208 * 10^9, which is about 676 times stronger.

The main problem of creating a good password policy is to balance the need to have strong passwords against the users' need to have easy-to-remember passwords. If you don't manage to explain to the users how to choose good passwords and why, they will obey the letter of the rule but find some way to create passwords that are legal, but easy to remember and therefore easy to guess.

Example: In many security policies dictionary words are forbidden as passwords. The policy might also include a rule that says that the password must contain at least one digit. As people like passwords that are easy to remember, they combine a word with a single digit either before or after the word. This creates passwords that are very easy to crack. Just expand your dictionary. It will be a bit larger (a 30 000 word dictionary swells to 630 000), but still manageable if you compare it with the brute force approach.
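The cost model in the comment above (dictionary guesses versus alphabet^length brute force, and the "word plus one digit" mangling that defeats a must-contain-a-digit rule) as an added, runnable example; this is not code from the original thread or from any of the tools mentioned in it. The six-word dictionary SAMPLE_WORDS is constructed for the example (a real crack dictionary has tens of thousands of entries), and the four character classes used to size the brute-force alphabet go slightly beyond the comment, which only discusses lowercase, uppercase and digits.

```python
"""Estimate how many guesses an attacker needs for a candidate password.

Two attack models, following the comment above:
  * dictionary search: each word, plus the common "word + one digit" and
    "one digit + word" mangling users apply to satisfy a digit rule;
  * brute force: (alphabet size) ** (password length), where the
    alphabet is the union of the character classes the password uses.
"""
import string
from typing import Dict, Iterable, Iterator, Optional

# Constructed toy dictionary; a real one is tens of thousands of words.
SAMPLE_WORDS = ["password", "secret", "summer", "london", "monkey", "dragon"]

# Character classes that widen the brute-force alphabet.
_CLASSES = (
    ("lower", frozenset(string.ascii_lowercase)),
    ("upper", frozenset(string.ascii_uppercase)),
    ("digit", frozenset(string.digits)),
    ("symbol", frozenset(string.punctuation)),
)


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes covering the password."""
    size = 0
    for _, chars in _CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (space, non-ASCII) count once each.
    size += len({c for c in password if not any(c in cls for _, cls in _CLASSES)})
    return size


def brute_force_guesses(password: str) -> int:
    """Worst-case guesses for exhaustive search: alphabet ** length."""
    return alphabet_size(password) ** len(password)


def expanded_dictionary(words: Iterable[str]) -> Iterator[str]:
    """Yield guesses in cracker order: plain words first, then digit mangling."""
    words = list(words)
    for w in words:
        yield w
    for w in words:
        for d in string.digits:
            yield w + d   # "dragon7"
            yield d + w   # "7dragon"


def expanded_size(word_count: int) -> int:
    """Entries in the expanded dictionary: each word plus 10 digits x 2 positions."""
    return word_count * (1 + 2 * len(string.digits))


def dictionary_guesses(password: str, words: Iterable[str] = SAMPLE_WORDS) -> Optional[int]:
    """Guesses made before the expanded dictionary hits, or None if it never does."""
    for n, guess in enumerate(expanded_dictionary(words), start=1):
        if guess == password:
            return n
    return None


def assess(password: str, words: Iterable[str] = SAMPLE_WORDS) -> Dict[str, Optional[int]]:
    """Compare both attacks; worst_case is what a rational attacker pays."""
    bf = brute_force_guesses(password)
    dg = dictionary_guesses(password, words)
    return {
        "alphabet": alphabet_size(password),
        "brute_force": bf,
        "dictionary": dg,
        "worst_case": bf if dg is None else min(bf, dg),
    }


if __name__ == "__main__":
    for pw in ("abcdef", "Abc123", "dragon7", "zebra"):
        print(pw, assess(pw))
```

Running the block reproduces the comment's figures (26^6, 62^6, a 30 000 word list swelling to 630 000) and shows the policy failure it warns about: "dragon7" has a brute-force keyspace of 36^7 but falls to the expanded dictionary in 121 guesses, so the digit rule bought almost nothing.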

Expert Comment

ID: 8224545
get l0pht crack 4

