Thread: RE: Password complexity - improvement

RE: Password complexity - improvement
2007-08-15 17:46:17
Ansgar,

You're absolutely wrong in your statement here. Enforcing passwords that MUST consist of uppercase letters, lowercase letters, numbers AND special characters INCREASES the total number of possible passwords; which in turn has a positive impact on your security.

It is much harder to break a password of AaBb1! than aabb1! The more options there are that are enforced, the more complex the passwords. The determining factor in this case would be how long or short the password lengths are.

R/
Jackson
-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Wednesday, August 15, 2007 2:39 PM
To: focus-ms securityfocus.com
Subject: Re: Password complexity - improvement

On 2007-08-15 dubaisans dubai wrote:
> Is there a way to improve the password complexity requirements in
> Windows 2000/2003 servers
>
> The default will enforce 3 of the following 4 properties - Uppercase,
> smallercase, numbers, special-characters.
>
> Is there a way to enforce all 4 properties.

Enforcing passwords that MUST consist of uppercase letters, lowercase letters, numbers AND special characters reduces the total number of possible passwords, which in consequence has a negative impact on your security.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
RE: Password complexity - improvement
2007-08-16 12:55:15
Don't confuse password strength with the number of passwords available. Ansgar is correct with the math permutations. Any limitation reduces your population set to fewer possible passwords, weak or not.

~Dave
-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of Jackson, Eric R IT3 (CVN75 CS-3)
Sent: Wednesday, August 15, 2007 4:46 PM
To: Ansgar -59cobalt- Wiechers
Cc: focus-ms securityfocus.com
Subject: RE: Password complexity - improvement

Ansgar,

You're absolutely wrong in your statement here. Enforcing passwords that MUST consist of uppercase letters, lowercase letters, numbers AND special characters INCREASES the total number of possible passwords; which in turn has a positive impact on your security.

It is much harder to break a password of AaBb1! than aabb1! The more options there are that are enforced, the more complex the passwords. The determining factor in this case would be how long or short the password lengths are.

R/
Jackson

-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Wednesday, August 15, 2007 2:39 PM
To: focus-ms securityfocus.com
Subject: Re: Password complexity - improvement

On 2007-08-15 dubaisans dubai wrote:
> Is there a way to improve the password complexity requirements in
> Windows 2000/2003 servers
>
> The default will enforce 3 of the following 4 properties - Uppercase,
> smallercase, numbers, special-characters.
>
> Is there a way to enforce all 4 properties.

Enforcing passwords that MUST consist of uppercase letters, lowercase letters, numbers AND special characters reduces the total number of possible passwords, which in consequence has a negative impact on your security.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
RE: Password complexity - improvement
2007-08-16 13:06:23
I think you are arguing two different points here.

One is the number of possible passwords and the other is negative impacts on security.

He is correct when he says it reduces the number of passwords, but incorrect when he says it diminishes security.

In the example you give below, if all four aspects are enforced, then the second password could not be used. This does in fact "reduce the number of possible passwords".

Another example would be the difference between requiring that a password be exactly 8 characters in length, and allowing a password to be any length up to 8 characters. The latter would allow for a lot more possible combinations, but does not remove the fact that a 1 character password is not nearly as secure.

Just my 2 cents.

John Wienand
Network Services Manager
BNA Software
O: 202-496-6001 C: 202 329-1095
From: "Jackson, Eric R IT3 (CVN75 CS-3)" <jackser cvn75.navy.mil>
Sent by: listbounce securityfocus.com
To: "Ansgar -59cobalt- Wiechers" <bugtraq planetcobalt.net>
cc: <focus-ms securityfocus.com>
Subject: RE: Password complexity - improvement
08/15/2007 06:46 PM
Ansgar,

You're absolutely wrong in your statement here. Enforcing passwords that MUST consist of uppercase letters, lowercase letters, numbers AND special characters INCREASES the total number of possible passwords; which in turn has a positive impact on your security.

It is much harder to break a password of AaBb1! than aabb1! The more options there are that are enforced, the more complex the passwords. The determining factor in this case would be how long or short the password lengths are.

R/
Jackson

-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com] On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Wednesday, August 15, 2007 2:39 PM
To: focus-ms securityfocus.com
Subject: Re: Password complexity - improvement

On 2007-08-15 dubaisans dubai wrote:
> Is there a way to improve the password complexity requirements in
> Windows 2000/2003 servers
>
> The default will enforce 3 of the following 4 properties - Uppercase,
> smallercase, numbers, special-characters.
>
> Is there a way to enforce all 4 properties.

Enforcing passwords that MUST consist of uppercase letters, lowercase letters, numbers AND special characters reduces the total number of possible passwords, which in consequence has a negative impact on your security.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available."
--Jason Coombs on Bugtraq
RE: Password complexity - improvement
2007-08-16 13:12:32
On 15 Aug 2007 at 18:46, Jackson, Eric R IT3 (CVN75 CS-3) wrote:
> You're absolutely wrong in your statement here. Enforcing passwords
> that MUST consist of uppercase letters, lowercase letter, numbers AND
> special characters INCREASES the total number of possible passwords;
> which in turn has a positive impact on your security.

Eric, I am sure you are the one who is wrong.

1. Even if you do not enforce this policy, no one is forbidden to use complex passwords, so how does enforcing the policy increase the number of possible passwords?

2. In fact, the number of possibilities DOES decrease with this policy.

Example A:
Let us assume you have a policy which enforces uppercase, lowercase and numbers, and a password length of 3.
For one character, you have 26+26+10 = 62 possibilities.
For the next character, you have 26+10 = 32 possibilities left.
For the third character, you have 10 possibilities left.
So you have a total of 62*32*10 possibilities WITH enforced complexity.

Example B:
Let us assume you have no special policy regarding the complexity, but also a password length of 3.
For the first character, you have 26+26+10 = 62 possibilities.
For the second character, you have 26+26+10 = 62 possibilities.
For the third character, you have 26+26+10 = 62 possibilities.
So you have a total of 62*62*62 possibilities WITHOUT enforced complexity.

Of course, a length of 3 chars is only for demonstration purposes here.

Have fun
Frank Heyne
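The keyspace question argued across this thread (does requiring character classes shrink the set of allowed passwords, and how much does length matter by comparison) can be settled by counting exactly. The following is an added example, not code from any of the posters: it counts strings of a given length that use at least one character from every required class by inclusion-exclusion, so it handles any length and any number of classes rather than just the length-3 case above, and it compares "no requirement", the Windows 2000/2003 "3 of 4" default and "all 4" for longer passwords. The class sizes 26/26/10 are standard; the size 32 for the special-character class is an assumed value (printable ASCII punctuation), not something the thread states.

```python
"""Added example: exact keyspace counts for character-class password rules.

Counts how many strings of a given length contain at least one character
from each required class (inclusion-exclusion), so policies such as
"3 of 4 classes" and "all 4 classes" can be compared with "no requirement".
"""
from itertools import combinations
from math import log2

# Class sizes. Letters and digits are the usual 26/26/10; 32 for "special"
# (printable ASCII punctuation) is an assumed value, not taken from the thread.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}


def count_exact_classes(classes, used, length):
    """Strings of `length` drawn only from the classes in `used` that contain
    at least one character from EVERY class in `used`.

    Inclusion-exclusion over subsets of `used`: strings over the full union,
    minus strings that avoid one class, plus strings that avoid two, ...
    """
    used = tuple(used)
    total = 0
    for r in range(len(used) + 1):
        for sub in combinations(used, r):
            alphabet = sum(classes[c] for c in sub)
            total += (-1) ** (len(used) - r) * alphabet ** length
    return total


def count_at_least_k_classes(classes, k, length):
    """Strings over all classes that use at least k distinct classes.

    k=3 with four classes is the Windows 2000/2003 default discussed in the
    thread; k=len(classes) is "all classes required"; k=0 is no requirement.
    The "exactly this set of classes" counts partition the keyspace, so they
    can simply be summed.
    """
    names = tuple(classes)
    return sum(
        count_exact_classes(classes, s, length)
        for r in range(k, len(names) + 1)
        for s in combinations(names, r)
    )


def keyspace_bits(count):
    """Keyspace size expressed as bits, the usual yardstick for brute force cost."""
    return log2(count)


def compare_policies(classes, length):
    """Return (no requirement, 3-of-n, all n classes) counts for one length."""
    n = len(classes)
    unrestricted = sum(classes.values()) ** length
    return (
        unrestricted,
        count_at_least_k_classes(classes, 3, length),
        count_at_least_k_classes(classes, n, length),
    )


if __name__ == "__main__":
    # Frank's length-3 scenario with three classes: all required vs. no rule.
    three = {"upper": 26, "lower": 26, "digit": 10}
    print("len 3, all 3 classes required:", count_at_least_k_classes(three, 3, 3))
    print("len 3, no requirement:        ", count_at_least_k_classes(three, 0, 3))
    # The actual question in the thread: 3-of-4 vs all-4 at realistic lengths.
    for length in (8, 12, 20):
        any_, three_of_four, all_four = compare_policies(CLASSES, length)
        print(f"len {length:2d}: any={keyspace_bits(any_):5.1f} bits  "
              f"3-of-4={keyspace_bits(three_of_four):5.1f} bits  "
              f"all 4={keyspace_bits(all_four):5.1f} bits")
```

Running it shows that every class requirement removes passwords from the keyspace (the "all 4" count is strictly below the "3 of 4" count, which is strictly below the unrestricted count at every length), while adding a few characters of length adds far more bits than any class rule takes away, which is the point made later in the thread about preferring a longer minimum length.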
Re: Password complexity - improvement
2007-08-17 05:10:13
If "3 of the following 4 properties - Uppercase, smallercase, numbers, special-characters" are enforced, then a dictionary attack is unlikely to work* and an attacker would need to resort to a brute force approach.

Unless the attacker has additional knowledge about the password, with 3 of the properties enforced, he/she would have to include all upper case, lower case, numbers and special characters to be certain that the password will be found. As others have already mentioned, when a brute force method is employed, password length is a more important factor.

I would think that a higher level of security (than the current configuration) would be reached by increasing the minimum password length and ensuring that weak hashing is not used for caching/network transmission of credentials than by spending time customising library code (which could introduce new risks if mistakes are made) trying to ensure that all 4 properties are enforced. The increased length would of course have to be weighed against user inconvenience.

* Ansgar previously mentioned that b n4Na could be still susceptible to a dictionary attack with reference to user education. IMO, this adds even more weight to the argument that password length should be increased. I doubt that there are many 20 character examples (complying with the existing password policy) that would be susceptible.
On 8/16/07, John Wienand <JWienand bna.com> wrote:
> I think you are arguing two different points here.
>
> One is the number of possible passwords and the other is
> negative impacts on security.
>
> He is correct when he says it reduces the number of
> passwords, but incorrect when he says it diminishes
> security.
>
> In the example you give below, if all four aspects are
> enforced, then the second password could not be used. This
> does in fact "reduce the number of possible passwords".
>
> Another example would be the difference between requiring
> that a password be exactly 8 characters in length, and
> allowing a password to be any length up to 8 characters.
> The latter would allow for a lot more possible combinations,
> but does not remove the fact that a 1 character password is
> not nearly as secure.
>
> Just my 2 cents.
>
> John Wienand
> Network Services Manager
> BNA Software
> O: 202-496-6001 C: 202 329-1095
>
> From: "Jackson, Eric R IT3 (CVN75 CS-3)" <jackser cvn75.navy.mil>
> Sent by: listbounce securityfocus.com
> To: "Ansgar -59cobalt- Wiechers" <bugtraq planetcobalt.net>
> cc: <focus-ms securityfocus.com>
> Subject: RE: Password complexity - improvement
> 08/15/2007 06:46 PM
>
> Ansgar,
>
> You're absolutely wrong in your statement here. Enforcing
> passwords that MUST consist of uppercase letters, lowercase
> letters, numbers AND special characters INCREASES the total
> number of possible passwords; which in turn has a positive
> impact on your security.
>
> It is much harder to break a password of AaBb1! than aabb1!
> The more options there are that are enforced, the more
> complex the passwords. The determining factor in this case
> would be how long or short the password lengths are.
>
> R/
> Jackson
>
> -----Original Message-----
> From: listbounce securityfocus.com [mailto:listbounce securityfocus.com]
> On Behalf Of Ansgar -59cobalt- Wiechers
> Sent: Wednesday, August 15, 2007 2:39 PM
> To: focus-ms securityfocus.com
> Subject: Re: Password complexity - improvement
>
> On 2007-08-15 dubaisans dubai wrote:
> > Is there a way to improve the password complexity requirements in
> > Windows 2000/2003 servers
> >
> > The default will enforce 3 of the following 4 properties - Uppercase,
> > smallercase, numbers, special-characters.
> >
> > Is there a way to enforce all 4 properties.
>
> Enforcing passwords that MUST consist of uppercase letters, lowercase
> letters, numbers AND special characters reduces the total number of
> possible passwords, which in consequence has a negative impact on your
> security.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq
RE: Password complexity - improvement
2007-08-17 09:57:30
OK- time for "real world thinking" to be applied ;)

First off, Ansgar is completely correct - I was wrong to poke fun. Requiring aspects of complexity does indeed limit the possible passwords in that, say, "May I momma dogface to the banana patch?" could never be used.

While no restrictions on a password policy would always allow for mixed case alphanumeric (and special characters) to be used, having a policy in place "forces" them to be used. In this case, the fact that you have "reduced possible passwords" does not matter in the least, as all BF efforts or rainbow table generation would *require* that all possible combinations still be used since you don't know where in the phrase what characters were being used. If the point is that you could "drop out" certain character strings while doing a BF or RT generation in the case that you knew the password policy being used in order to speed up the process, I would argue that generating the string, then looking at it to see if it is complex enough to be hashed and compared would take longer than just hashing and comparing in the first place.

That being said, forcing password complexity ensures that a minimum keyspace be used (as opposed to just hoping) and thus has a positive impact on security regardless of what "the math says" in regard to reducing possible (and weaker) passphrases.

t
> -----Original Message-----
> From: listbounce securityfocus.com
> [mailto:listbounce securityfocus.com] On Behalf Of John Wienand
> Sent: Thursday, August 16, 2007 11:06 AM
> To: Jackson, Eric R IT3 (CVN75 CS-3)
> Cc: Ansgar -59cobalt- Wiechers; focus-ms securityfocus.com;
> listbounce securityfocus.com
> Subject: RE: Password complexity - improvement
>
> I think you are arguing two different points here.
>
> One is the number of possible passwords and the other is
> negative impacts on security.
>
> He is correct when he says it reduces the number of
> passwords, but incorrect when he says it diminishes
> security.
>
> In the example you give below, if all four aspects are
> enforced, then the second password could not be used. This
> does in fact "reduce the number of possible passwords".
>
> Another example would be the difference between requiring
> that a password be exactly 8 characters in length, and
> allowing a password to be any length up to 8 characters.
> The latter would allow for a lot more possible combinations,
> but does not remove the fact that a 1 character password is
> not nearly as secure.
>
> Just my 2 cents.
>
> John Wienand
> Network Services Manager
> BNA Software
> O: 202-496-6001 C: 202 329-1095
>
> From: "Jackson, Eric R IT3 (CVN75 CS-3)" <jackser cvn75.navy.mil>
> Sent by: listbounce securityfocus.com
> To: "Ansgar -59cobalt- Wiechers" <bugtraq planetcobalt.net>
> cc: <focus-ms securityfocus.com>
> Subject: RE: Password complexity - improvement
> 08/15/2007 06:46 PM
>
> Ansgar,
>
> You're absolutely wrong in your statement here. Enforcing
> passwords that MUST consist of uppercase letters, lowercase
> letters, numbers AND special characters INCREASES the total
> number of possible passwords; which in turn has a positive
> impact on your security.
>
> It is much harder to break a password of AaBb1! than aabb1!
> The more options there are that are enforced, the more
> complex the passwords. The determining factor in this case
> would be how long or short the password lengths are.
>
> R/
> Jackson
>
> -----Original Message-----
> From: listbounce securityfocus.com [mailto:listbounce securityfocus.com]
> On Behalf Of Ansgar -59cobalt- Wiechers
> Sent: Wednesday, August 15, 2007 2:39 PM
> To: focus-ms securityfocus.com
> Subject: Re: Password complexity - improvement
>
> On 2007-08-15 dubaisans dubai wrote:
> > Is there a way to improve the password complexity requirements in
> > Windows 2000/2003 servers
> >
> > The default will enforce 3 of the following 4 properties - Uppercase,
> > smallercase, numbers, special-characters.
> >
> > Is there a way to enforce all 4 properties.
>
> Enforcing passwords that MUST consist of uppercase letters, lowercase
> letters, numbers AND special characters reduces the total number of
> possible passwords, which in consequence has a negative impact on your
> security.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches
> becoming available."
> --Jason Coombs on Bugtraq