Password Strength

MDCR (@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

Speaking of XKCD


jaclaz (@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Speaking of XKCD

Yep :D
Consider that with most people you can also save the money for the drugs and the $5 for the wrench; telling them in an appropriate tone "IF you don't give me the password I WILL hit you with a wrench" is enough. ;)

jaclaz


(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Well I said I'd get back with results from my rather crude test.

Just to re-state, I created 2 Word 2010 documents, one with password "Abcc" and the other with password "Abccd"

My setup is a dual-core Intel P8600 running at 2.4 GHz, 8 GB RAM with Win7 Enterprise, with PRTK 6. Abcc took 10 hours to crack; Abccd was still trying nearly 4 weeks later and PRTK hung.

Vendor setup is considerably more powerful, with more RAM, more cores, and hardware acceleration with Passware. Abcc took 2 hours; Abccd was still trying 11 days later, so they cancelled.

We were just trying brute force attacks

Conclusion? Mine is that an 8-character (upper and lower case, no more complicated than that) password created in an Office 2007 or later document will thwart casual/opportunistic attempts. That's all we were trying to establish.

Cheers


jaclaz (@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Just to re-state, I created 2 Word 2010 documents, one with password "Abcc" and the other with password "Abccd"

Yep :) but that is "a tad bit" narrowing the topic.
I mean we started with "generic" strength of a password; we have now gone to the "specific" Word 2010 .docx format, and very specifically to the PRTK "cracking" tool, and even more specifically to this running on - no offence whatever intended - comparatively low-power hardware.

It is very possible that other vendors' solutions (or even the same one :) ), particularly if run on "dedicated" hardware making use of GPU(s) and/or using some form of parallelism, will be able to get at your 8-character password in a "reasonable" amount of time.

The graph data on this site
http://www.elcomsoft.com/aopr.html
sets the ratio for single-GPU usage compared to an Intel Core2 Quad CPU @ 2.66 GHz (i.e. already in theory much faster than your setup)
for Office 2010 @ 20000/370 = 54x
for Office 2013 @ 1360/40 = 34x

This should mean roughly that your ten hours for Abcc become more like 10 minutes. 😯
The "several weeks" may become days.

But the conclusion

Conclusion? Mine is that an 8-character (upper amnd lower case, no more compliacted than that)password created in an Office 2007 or later document will thwart casual/opportunistic attempts.

sounds perfectly "logic" :D and provides a good "practical" reference, very, very useful.

jaclaz


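The extrapolation in jaclaz's post above (CPU rate vs. GPU rate, and why Abccd takes so much longer than Abcc) is just keyspace divided by guess rate. The following is an added worked example, not code from the thread or from any of the tools named in it. It takes the two Office 2010 rates jaclaz quotes from the Elcomsoft chart (370 and 20,000 passwords/s) as assumed inputs, and goes slightly beyond the thread by covering other alphabet sizes, not just the 52-letter upper/lower case set cults14 tested. It models pure exhaustive brute force of a uniformly random password; real attacks try wordlists and masks first, so a password like "Abcc" would usually fall far sooner than these numbers suggest.

```python
"""Brute-force keyspace and time-to-exhaust estimates.

Added example for the "Password Strength" thread. The guess rates below
are assumptions taken from the post quoting Elcomsoft's Office 2010 chart;
they are not measurements of any particular tool or machine.
"""

# Alphabet sizes used for the estimates (constructed for this example).
ALPHABETS = {
    "lower": 26,                   # a-z
    "mixed": 52,                   # a-z, A-Z  (the thread's test case)
    "mixed+digits": 62,            # plus 0-9
    "printable": 95,               # all printable ASCII
}

# Assumed rates in passwords/second, from the figures quoted in the thread.
RATE_CPU_OFFICE2010 = 370
RATE_GPU_OFFICE2010 = 20_000


def keyspace(alphabet_size, length, exact_length=True):
    """Number of candidates an exhaustive attack must try.

    exact_length=True counts only passwords of exactly `length` characters;
    exact_length=False counts every length from 1 up to `length`, which is
    what a cracker configured for "up to N characters" actually sweeps.
    """
    if exact_length:
        return alphabet_size ** length
    return sum(alphabet_size ** n for n in range(1, length + 1))


def seconds_to_exhaust(alphabet_size, length, rate_per_s, exact_length=True):
    """Worst case: every candidate tried. On average the hit comes at half."""
    return keyspace(alphabet_size, length, exact_length) / rate_per_s


def expected_seconds(alphabet_size, length, rate_per_s, exact_length=True):
    """Expected time to hit a uniformly random password (half the keyspace)."""
    return seconds_to_exhaust(alphabet_size, length, rate_per_s, exact_length) / 2


def speedup(fast_rate, slow_rate):
    """Ratio between two guess rates, e.g. 20000/370 for GPU vs CPU."""
    return fast_rate / slow_rate


def fmt_duration(seconds):
    """Human-readable duration, largest sensible unit, one decimal."""
    units = [
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def crack_time_table(rates, alphabets=ALPHABETS, lengths=(4, 5, 8)):
    """Worst-case seconds for each (alphabet, length, rate name) combination."""
    table = {}
    for alpha_name, size in alphabets.items():
        for length in lengths:
            for rate_name, rate in rates.items():
                table[(alpha_name, length, rate_name)] = seconds_to_exhaust(
                    size, length, rate
                )
    return table


if __name__ == "__main__":
    rates = {"cpu": RATE_CPU_OFFICE2010, "gpu": RATE_GPU_OFFICE2010}
    print(f"GPU/CPU speedup: {speedup(RATE_GPU_OFFICE2010, RATE_CPU_OFFICE2010):.0f}x")
    for (alpha, length, rate_name), secs in sorted(crack_time_table(rates).items()):
        print(f"{alpha:14s} len={length} {rate_name}: {fmt_duration(secs)}")
```

Running it shows the thread's own numbers in context: 52^4 candidates exhaust at 370/s in about 5.5 hours (cults14's 10 hours on slower hardware is in the same ballpark), 52^5 at the same rate takes roughly 12 days, which matches the "still running after weeks" observation, and 52^8 at the GPU rate still needs on the order of 85 years. The jump from 4 to 5 characters costs a factor of 52, so each extra character buys more than the 54x CPU-to-GPU speedup takes away.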
(@afentis_forensics)
Eminent Member
Joined: 18 years ago
Posts: 47
 

Risk is managed, rarely eliminated, and when you are balancing security, the real world is full of trade-offs. Defence in depth is always a good idea, rather than reliance upon a single element. I'd strongly recommend moving towards two-factor authentication, but also consider that a good password management system should be backed up with a solid audit and response process.

A tad (un)related - interesting little opinion piece by Bruce Schneier - http://www.wired.com/opinion/2013/09/black-budget-what-exactly-are-the-nsas-cryptanalytic-capabilities/

Quite fascinating to consider 35,000 people and $11 *billion* spent annually on developing ways to enhance but also compromise digital defences. $11bn will buy you a seriously big wrench :-)

Regards, Ross
