±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36568
New Yesterday: 3 Visitors: 193

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Password Strength

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3, 4, 5  Next 
  

Cults14
Senior Member
 

Password Strength

Post Posted: Jun 06, 13 16:48

Was wondering what the experience out there is on what qualifies as a strong password.

Scenario is that we're trying to put together internal guidance on when to use passwords to protect data files and how complex a password needs to be to defeat all but the most determined attacker.

I appreciate this is more of an InfoSec Policy thing, assuming attempted unauthorised access though, I thought this forum was as good a place as any to get feedback on the quality of advice we might give out on password strength.

Seems to me that mnemonics, with some internalised rules about where to place uppercase, lowercase, special characters and numbers might be the best way forward.

For example, "mHa!l4liFw$wa82s" is the first two lines of "Mary had a Little Lamb" with placing I'll remember of uppercase, special characters and numbers to conform with guidelines I've read up on. So for any individual, the initial letters of favourite songs or verses (or any sequence of easily-remembered words - family member names in descending sequence for example?) combined with other components of a complex password, could work well?

I'm still struggling with the concept of how to safely transmit/store passwords in cases where authorised access by others is or may in future be required.

Any thoughts out there?  
 
  

jaclaz
Senior Member
 

Re: Password Strength

Post Posted: Jun 06, 13 17:56

- Cults14

Any thoughts out there?

This topic was (slightly) touched here:
www.forensicfocus.com/...c/t=10572/

The "correcthorsebatterystaple" seems still to me the most sensible approach.

You might want to make it L337, with something like:
www.brenz.net/services...7Maker.asp
(0RR3(7|-|0R53B4773R'/574PL3

or:
www.robertecker.com/hp...hp?lang=en
c0rr3c7h0r53b4773ry574pl3

or:
ratfactor.com/leet-speak-translator
Original correcthorsebatterystaple
Level I Leet c0rr3cth0rz3batt3rystapl3
Level II Super-Leet c0rr3c+h0rz3b4++3ry5+4p13
Level III Mega-L33T!!1 (0rr3(+}{0rz3b4++3r'/5+4p13


Basically a "long enough", "plain text only" password, passed through a simple letter -> unusual character substitution (which anyone can remember as long as ALL occurrences of a given letter are replaced by "the same" character or sequence of characters and have some "visual feedback" like in the examples) would IMHO do, providing a "good enough" password while avoiding to have the final user actually *need* to jolt it down on a Post It on the PC screen or inside the first drawer (the one on the left Wink ).

About transmitting/storing it, that is an unresolved issue, unless you also use some code (from the good ol'times cryptography was invented, i.e. simple enough to be unencrypted with just a piece of paper and a pencil, along an algorithm that is pre-shared and thus known), but still it is sub-optimal.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

adri
Newbie
 

Re: Password Strength

Post Posted: Jun 06, 13 18:02

Make it long and simple (but not dictionary-attack simple of course). Smile

 
 
  

Cults14
Senior Member
 

Re: Password Strength

Post Posted: Jun 06, 13 18:13

Thanks guys

I will see what else crops up here and will at some point run some ideas past some users, just in case we as people with a vested interest in this area think these types of passwords are easier to remember than they actually are!

Cheers  
 
  

athulin
Senior Member
 

Re: Password Strength

Post Posted: Jun 06, 13 20:18

- Cults14
Was wondering what the experience out there is on what qualifies as a strong password.


A rather impractical one: the strength of a password is inversely proprotional to its likelihood of being guessed. 'Summer-2013' is a password that fulfills many password guidelines (uc, lc, special character, digit), and a length > 10. Still, it's an extremely weak password.

Scenario is that we're trying to put together internal guidance on when to use passwords to protect data files and how complex a password needs to be to defeat all but the most determined attacker.


The easiest way to think about this is, I believe, is to put yourself in the attacker's position. Say you have found a login form (web application, ssh, telnet, ...) and you want to attack it.

First of all, how many guesses per second can the attacker make? That includes multiple sessions.

Then, how long until the attacker is discovered? Some systems lock you out after 20 failures. In other cases, it's not discovered until the sysadms returns from his vacation and learns that the log file of failed logins now occupies 99% of available log disk space.

One you know those parameters, you can form a conclusion: you want a password that won't be guessed over that time, with that rate of guesses per second. And then you want to up that quite a bit -- say a factor 10 or so.

However ... if the password protects a file, there will be no discovery, so that time element is gone. And the other parameter (guesses per second) is not really under your control. All you can do is make guesses about probable resources, and then try to make the attack difficult for someone with those resources only. These days, that includes resources like the Amazon EC2 compute cloud and GPU assist ...

That is, you don't want to have that kind of situation: you don't want files protected by password, unless you are part of authentication process. Otherwise, detection becomes impossible.

A reasonably good way of producing password guesses, is to use the John the Ripper password cracker. You can get it to output its password guesses to file -- and that can be used as one way to decide if a password is weak -- does it appear in the first N passwords that JtR produces? (N is chosen based on your own authentication situation.)

Seems to me that mnemonics, with some internalised rules about where to place uppercase, lowercase, special characters and numbers might be the best way forward.


The best way forward is to avoid passwords. If you for some reason is stuck with passwords (in which I include passphrases), the best way forward is to make them random. Any rules you apply reduce the search space.

Same thing with those rules of 'at least one uppercase, one lowercase, one special, and one digit': they reduce the search space, and must be matched with a corresponding increase in the minimum length of the password.

Any thoughts out there?


Don't go there on your own. Get in touch with an authentication / information secuirty specialist, who can look at your problem from all sides, including those you haven't mentioned or even thought of. And who can make a recommendation based on that.

If you must do it yourself, at least read the book 'Authentication' by Richard Smith first.  
 
  

Cults14
Senior Member
 

Re: Password Strength

Post Posted: Jun 06, 13 20:38

Athulin - wow.

To put some perspective on it, we need to find some kind of compromise between security(random passwords are good), utility (random passwords are hard to remember), and cost (we won't spend any money on additional hardware/software to manage file-level passwords).

And although it will be a compromise, (a) password-protection on files is better than no protection when it comes to the merely curious unauthorised person who happens to get access to a file, and (b) a strong password will deter all but the most determined attacker.

We have a system which issues random passwords for Domain Admins which are valid for 24 hours, but that's a different issue.

Will try a variety of passwords on various files though, and feedback if I can

Cheers  
 
  

Xennith
Senior Member
 

Re: Password Strength

Post Posted: Jun 06, 13 21:27

Correcthorsebatterystaple type passwords are great against bruteforce but less wonderful against dictionary hybrid attacks with a rule along the lines of %w%w%w%w. This kind of hybridised attack is gaining popularity and it really does perform very well against a wide spectrum of password types.

I'd avoid random strings that you need to write down, if you're mandating these you might as well start handing out postit notes.

The "pick a song and permute the first letters of each word" type passphrases are a personal favorite, if you mandate them at over 12 chars in length with upper, lower, and either number or symbol I think you're doing pretty well. Basically as long as your password doesn't appear in JTR's little dictionary you're already ahead of the curve. You could even move to a post password world and use certificates and tokens.

Oh, and it wouldn't kill you to do an audit from time to time, anything you break in a week is too weak.

As far as the question of key exchange, this is a problem as old as cryptography. The rule of thumb is that the key and the data must be sent over two seperate channels. Emailing someone the data and then phoning them with the password for example.  
 

Page 1 of 5
Page 1, 2, 3, 4, 5  Next