[148090] in North American Network Operators' Group
Re: AD and enforced password policies
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Mon Jan 2 20:46:32 2012
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <CAMfXtQx-jS5i2gkd7W9H3wYQZB5q+YVUjgMw1K_3V2HtBvM3wg@mail.gmail.com>
Date: Mon, 2 Jan 2012 20:45:29 -0500
To: Gary Buhrmaster <gary.buhrmaster@gmail.com>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 2, 2012, at 7:05 PM, Gary Buhrmaster wrote:
> On Mon, Jan 2, 2012 at 22:32, Jimmy Hess <mysidia@gmail.com> wrote:
> ....
>> The sole root cause for "easily guessable passwords" is not lack of
>> technical restrictions. It's also: lazy or limited memory humans who need
>> passwords that they can remember.
>>
>> Firstname1234! is very easy to guess, and meets complexity and usual
>> length requirements.
>
> Obligatory xkcd reference: http://xkcd.com/936/
>
Thanks; you saved me the trouble.

There's a discussion of the topic going on right now on a cryptography mailing list; check out http://lists.randombit.net/mailman/listinfo/cryptography if you want.

Also see my (mostly tongue-in-cheek) blog post at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-27.html and the very serious follow-up at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-28.html

I should add that except for targeted attacks, strong passwords are greatly overrated; neither phishing attacks nor keystroke loggers care how good your password is.
I just went through some calculations for a (government) site that has the following rules:

Minimum Length : 8
Maximum Length : 12
Maximum Repeated Characters : 2
Minimum Alphabetic Characters Required : 1
Minimum Numeric Characters Required : 1
Starts with a Numeric Character
No User Name
No past passwords
At least one character must be ~!@#$%^&*()-_+={}[]\|;:/?.,<>"'`
Under the plausible assumption that very many people will start with a string of digits, continue with a string of lower-case letters to reach seven characters, and then add a period, there are only ~5,000,000,000 choices. That's not many at all -- but the rules look just fine...
--Steve Bellovin, https://www.cs.columbia.edu/~smb
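The arithmetic behind the ~5,000,000,000 figure, as an added example that is not part of the original mail: it counts the assumed digits + lower-case letters + "." shape, cross-checks the closed form by brute force at a short length, and compares it with the whole space the quoted rules admit (the max-repeat rule is ignored, which only makes that space look larger). The special-character set is the one listed in the rules above; the 8-character length is the policy minimum.

```python
"""Effective keyspace of a policy-compliant but predictable password shape."""
import itertools
import re
import string

DIGITS, LOWER, LETTERS = 10, 26, 52
# Special-character set taken from the policy quoted in the mail.
SPECIALS = r"""~!@#$%^&*()-_+={}[]\|;:/?.,<>"'`"""


def predictable_shape_count(length=8):
    """Passwords of exactly `length` chars shaped: digit run, lower-case run, '.'.

    The digit run is 1..length-2 chars long: it must start with a digit
    (policy) and leave at least one letter (minimum alphabetic rule).
    """
    body = length - 1  # everything before the trailing '.'
    return sum(DIGITS ** k * LOWER ** (body - k) for k in range(1, body))


def brute_force_shape_count(length=4):
    """Enumerate the same shape directly; only feasible for tiny lengths."""
    pattern = re.compile(r"^[0-9]+[a-z]+\.$")
    alphabet = string.digits + string.ascii_lowercase
    candidates = ("".join(p) + "." for p in itertools.product(alphabet, repeat=length - 1))
    return sum(1 for c in candidates if pattern.match(c))


def policy_count(length=8, specials=len(SPECIALS)):
    """All strings that start with a digit, draw the rest from digits, letters
    and specials, and contain at least one letter and one special
    (inclusion-exclusion over the two "at least one" constraints)."""
    rest = length - 1
    total = DIGITS * (DIGITS + LETTERS + specials) ** rest
    no_letter = DIGITS * (DIGITS + specials) ** rest
    no_special = DIGITS * (DIGITS + LETTERS) ** rest
    neither = DIGITS * DIGITS ** rest
    return total - no_letter - no_special + neither


def compare(length=8):
    """Return the predictable-shape count, the full policy count and their ratio."""
    shape, policy = predictable_shape_count(length), policy_count(length)
    return {"shape": shape, "policy": policy, "fraction": shape / policy}


if __name__ == "__main__":
    r = compare()
    print(f"predictable shape: {r['shape']:,}")  # ~5.0e9, as in the mail
    print(f"full policy space: {r['policy']:,}  (shape is {r['fraction']:.2e} of it)")
```

The point the numbers make: the rules admit roughly 6e14 strings, but the shape people are assumed to gravitate to covers fewer than one in 100,000 of them.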