In most high-security environments password policies are quickly
becoming outmoded because processing and storage capacity have become
cheap and exponentially greater over a very short period of time. There
are a set of formulas that you can use to calculate the probability of
success of password guessing attacks. These are published in the
Department of Defense Password Management Guideline (CSC-STD-002-85),
among other places.
The problem is that precomputational guessing attacks like RainbowCrack
for NTLM and AsLeap for Cisco LEAP have cut the amount of actual time
necessary to calculate a password from its ciphertext to a minute
fraction of what previous dictionary or brute-force attacks required.
And though you can use an unseemly password policy to make these attacks
difficult now, storage and processing capacity will continue to become
greater and cheaper. However, I don't expect that we'll start adding
more characters to our keyboards at a rate that can keep up.
PaulM
> -----Original Message-----
> Decide on password guidelines like alpha-numeric, mixed case, and one
> special character, and leave it to a dll like passfilt.dll or
> something similar. Yellow stickies just come down to end-user
> education, and a good password policy. If the requirements are: "14
> random alpha-numeric chars, with 5 special chars and mixed case.. OH,
> and change it weekly" you will most likely have a sticky note
> problem.. if it's: "7 chars, alpha-numeric, one special char and mixed
> case changing every 42 days
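The CSC-STD-002-85 (Green Book) formula P = L * R / S mentioned above, worked through for the two policies in the quoted message; this is an added example by the editor, not code from the list post, and the 94-symbol alphabet and the online/offline guess rates are assumptions.

```python
"""Green Book (CSC-STD-002-85) guessing-probability model, P = L * R / S,
applied to the two policies quoted above. Added example, not from the
list post; the guess rates and the 94-symbol alphabet are assumptions."""

ALPHABET = 26 + 26 + 10 + 32      # mixed case + digits + printable specials = 94
DAY = 86_400                      # seconds

# Assumed attacker guess rates (guesses/second); constructed, not measured.
RATES = {
    "online (throttled logon)": 10.0,
    "offline (hash cracking)": 1e9,
}

# (length, lifetime in seconds) for the two policies in the quoted message.
POLICIES = {
    "7 chars, 42-day change": (7, 42 * DAY),
    "14 chars, weekly change": (14, 7 * DAY),
}

def password_space(length: int, alphabet_size: int = ALPHABET) -> int:
    """S: passwords of exactly `length` over the alphabet. An upper bound, since
    composition rules ('at least one special') only shrink the real space."""
    return alphabet_size ** length

def guess_probability(lifetime_s: float, rate: float, space: int) -> float:
    """P = L * R / S: chance a password is guessed within its lifetime, capped at 1."""
    return min(1.0, lifetime_s * rate / space)

def max_lifetime_s(target_p: float, rate: float, space: int) -> float:
    """L = P * S / R: longest lifetime that keeps guessing probability <= target_p."""
    return target_p * space / rate

def evaluate(policies=POLICIES, rates=RATES, target_p: float = 1e-6) -> dict:
    """For each policy and rate: P over the lifetime, and the lifetime (days)
    that would hold P at target_p. Shows the offline rate collapsing the lifetime."""
    out = {}
    for name, (length, lifetime) in policies.items():
        space = password_space(length)
        out[name] = {
            label: {
                "P": guess_probability(lifetime, rate, space),
                "max_lifetime_days": max_lifetime_s(target_p, rate, space) / DAY,
            }
            for label, rate in rates.items()
        }
    return out

if __name__ == "__main__":
    for name, by_rate in evaluate().items():
        for label, r in by_rate.items():
            print(f"{name:24} {label:26} P={r['P']:.2e}  "
                  f"lifetime for P<=1e-6: {r['max_lifetime_days']:.3g} days")
```

The model covers only online-style guessing at a fixed rate; a precomputed table, as the post notes, removes the per-guess cost entirely, so the lifetime term no longer protects anything.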
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Apr 23 2004