Security Basics mailing list archives

RE: Suggested "safe" password length
From: JohnNicholson () aol com
Date: Fri, 14 Nov 2003 16:27:01 -0500

I think this is correct. 

As I understand it, the password encryption function breaks passwords into 7-character blocks before encrypting them. 
The impact of this is that for an 8-character password you end up with two blocks - one 7 characters and one 1 
character, each encrypted with the same function. Breaking the encryption on the single character is trivial, and then 
you know how to break the encryption on the 7-character remainder.

By inference, no attack should ever need to break more than a 7-character string (because having broken one means you 
have the key to break the others), and having multiple 7-character strings just gives an attacker 2 (or more) chances 
to hit a combination using a brute force attack.

So, I think the best length is 7 characters, using non-dictionary combinations that include special characters.

At least, this is the theory I've been using. If I'm wrong, I hope someone will let me know so I can change paradigms.


In a message dated 11/13/2003 11:37:03 PM Eastern Standard Time, "Michael LaSalvia" <mike () genxweb net> writes:


Many people say 8 or more but I have read somewhere that multiples
of 7 are the best to use. It may have been in a class or something
where I heard that.

-----Original Message-----
From: Ashish Sharma [mailto:ashishs () iitg ernet in] 
Sent: Thursday, November 13, 2003 3:06 AM
To: security-basics () securityfocus com
Subject: Suggested "safe" password length

I wanted to have an idea about what should be the suggested range of
password lengths and if there is any upper bound.
I was told that there is a range up to which your password is
and beyond which the characters are futile. I work on a Linux
with md5 encryption of passwords enabled.
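As an added illustration (not part of the thread), the following Python models the scheme the reply describes, where a password is cut into fixed-size blocks that are each hashed and attacked independently, and compares the worst-case guessing effort with hashing the whole string as one unit. The 95-character alphabet and the 7-character block size are assumptions for illustration; the hash function itself is not modelled, only the size of the search space.

```python
from typing import List

# Assumed parameters for illustration: a printable-ASCII alphabet and the
# 7-character block size described in the thread.
CHARSET_SIZE = 95
BLOCK_SIZE = 7


def split_blocks(password: str, block_size: int = BLOCK_SIZE) -> List[str]:
    """Cut a password into fixed-size blocks; the last block may be short."""
    return [password[i:i + block_size] for i in range(0, len(password), block_size)]


def block_work(block: str, charset_size: int = CHARSET_SIZE) -> int:
    """Worst-case guesses needed to exhaust one block attacked on its own."""
    return charset_size ** len(block)


def blocked_work(password: str, charset_size: int = CHARSET_SIZE,
                 block_size: int = BLOCK_SIZE) -> int:
    """Worst-case guesses when every block is hashed independently.
    The per-block costs add up instead of multiplying, which is why
    an 8-character password costs little more than a 7-character one."""
    return sum(block_work(b, charset_size) for b in split_blocks(password, block_size))


def hardest_block_work(password: str, charset_size: int = CHARSET_SIZE,
                       block_size: int = BLOCK_SIZE) -> int:
    """The largest single block bounds the effort per block: never more
    than charset_size ** block_size, however long the password is."""
    return max(block_work(b, charset_size) for b in split_blocks(password, block_size))


def monolithic_work(password: str, charset_size: int = CHARSET_SIZE) -> int:
    """Worst-case guesses when the whole string is hashed as one unit."""
    return charset_size ** len(password)


def weakening_factor(password: str, charset_size: int = CHARSET_SIZE,
                     block_size: int = BLOCK_SIZE) -> int:
    """How many times cheaper the blocked scheme is than a monolithic hash
    of the same password (integer division to avoid float overflow)."""
    return monolithic_work(password, charset_size) // blocked_work(password, charset_size, block_size)


if __name__ == "__main__":
    for length in (7, 8, 14):
        pw = "x" * length  # constructed sample; only its length matters here
        print(f"{length:2d} chars: blocked={blocked_work(pw):.3e} "
              f"monolithic={monolithic_work(pw):.3e} "
              f"weaker by {weakening_factor(pw):.3e}x")
```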
