What are good password rules and length-reqs? Password cracking software?

Posted on 2003-03-19
Medium Priority
Last Modified: 2008-03-10
We are using soft certificates stored as pkcs#12 tokens. The only security to protect them is a password. Further, it is not possible to revoke/abort after, i.e., 3 password attempts. The certificates have a lifespan of one year.

We need to better understand how to help users choose a good password, and would need a tool to understand how easy it is to crack a password. Is there any good literature (preferably on the net) on this? Any source for password crack tools so we can evaluate our rules against these?

What are your thoughts and recommendations on this?

We fully understand the risk virus and trojans pose to a system like this, so no need to discuss that here.
Question by:Bedroc

Accepted Solution

esmogen earned 152 total points
ID: 8165407
You can try this, it's pretty straightforward:

Assisted Solution

jackb022197 earned 148 total points
ID: 8166049
Password selection is part of a password policy - see http://www.security.state.mn.us/password_policy.pdf for an example.

LC4 (http://www.atstake.com/research/lc/) is a great password auditing and recovery application.

Other password cracking, recovery or management tools can be found at http://www.passwordportal.net/



Expert Comment

ID: 8166567
http://www.alw.nih.gov/Security/Docs/passwd.html gives a very straightforward one page list of recommendations for choosing a password.

LC4 is definitely the best tool for password recovery, but there is a selection of others (downloadable from the site in many cases) at http://members.aol.com/jpeschel/crack.htm



Expert Comment

ID: 8201927
There are basically two ways to crack a password:

* Dictionary search
* Brute force search

In a dictionary search you assume that the users have chosen passwords that can be found in a common dictionary. If you combine, let's say, the 20 000 most common (short) words, 5 000 most common person names (and variants of common names) and 5 000 names of places you get a good crack dictionary. These dictionaries can be downloaded from the net.

In a brute force search the attacker just generates all possible combinations.

The key to making a password hard to guess is making sure that the attacker must guess many times before he has tried every possible password.

Let's assume that each guess takes one time unit (= tu).

A dictionary attack with a 30 000 word dictionary takes 20 000 tu.

A brute force attack takes (number of unique signs in the alphabet) ^ (number of characters in the password).

Example: A password that only contains lowercase letters has 26 unique signs in its alphabet. If the password is six characters long the total time is 26^6 = 309 * 10^6 tu. This password is about 10 000 times stronger than the password that could be found by the dictionary cracker.

In order to improve the strength of a password you can either increase the minimum length of the password or increase the number of unique signs in the alphabet.

Example: Let's assume that the password consisted of not only lowercase letters but also uppercase letters and the numbers 0-9. This results in a password strength of 62^6 = 56.8 * 10^9, which is about 184 times stronger.

Example: Let's assume that the password length is eight instead of six. 26^8 = 208 * 10^9, which is about 676 times stronger.

The main problem of creating a good password policy is to balance the need to have strong passwords against the users' need to have easy to remember passwords. If you don't manage to explain to the users how to choose good passwords and why, they will obey the letter of the rule but find some way to create passwords that are legal, but easy to remember and therefore easy to guess.

Example: In many security policies dictionary words are forbidden as passwords. The policy might also include a rule that says that the password must contain at least one digit. As people like passwords that are easy to remember, they combine a word with a single digit either before or after the word. This creates passwords that are very easy to crack. Just expand your dictionary. It will be a bit larger (a 30 000 word dictionary swells to 630 000), but still manageable if you compare it with the brute force approach.
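The arithmetic in the comment above, turned into a small estimator (added example, not code from the original thread): it computes the brute-force keyspace from the character classes a password actually uses, the size of a dictionary expanded with one leading or trailing digit, and which of the two searches a given password would fall to first. The word list is a tiny constructed stand-in for the 30 000 word dictionary discussed.

```python
"""Estimate how many guesses a password survives under the two strategies
described above: a dictionary search (optionally expanded with a single
leading or trailing digit) and a brute-force search over the character
classes the password uses.  Added example; WORDLIST is a constructed
stand-in for a real 20k words / 5k names / 5k places crack dictionary."""
import string

# Constructed stand-in for a crack dictionary (words, names, places).
WORDLIST = {"secret", "password", "monkey", "anna", "peter", "london", "paris"}

# Character classes that make up the attacker's alphabet.
CLASSES = [
    set(string.ascii_lowercase),   # 26 signs
    set(string.ascii_uppercase),   # 26 signs
    set(string.digits),            # 10 signs
    set(string.punctuation),       # 32 signs
]


def alphabet_size(password: str) -> int:
    """Number of unique signs in the union of classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_guesses(password: str) -> int:
    """(unique signs in the alphabet) ^ (password length), in time units."""
    return alphabet_size(password) ** len(password)


def expanded_dictionary_size(words: int) -> int:
    """Bare word, or word with one digit before or after: words * (1 + 10 + 10)."""
    return words * 21


def dictionary_guesses(password: str, wordlist=WORDLIST):
    """Worst-case guesses if the password falls to the dictionary attack
    (bare word, or word plus a single digit); None if it survives it."""
    if password in wordlist:
        return len(wordlist)                  # found in the plain pass
    stripped = []
    if password[:1].isdigit():
        stripped.append(password[1:])         # digit before the word
    if password[-1:].isdigit():
        stripped.append(password[:-1])        # digit after the word
    if any(word in wordlist for word in stripped):
        return expanded_dictionary_size(len(wordlist))
    return None


def estimate_guesses(password: str, wordlist=WORDLIST) -> int:
    """Guesses needed by an attacker who runs the dictionary search first."""
    hit = dictionary_guesses(password, wordlist)
    return hit if hit is not None else brute_force_guesses(password)
```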

Expert Comment

ID: 8224545
get l0pht crack 4
