[148092] in North American Network Operators' Group
Re: AD and enforced password policies
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Mon Jan 2 21:17:21 2012
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <alpine.OSX.1.10.1201021808490.21499@peregrin.orthanc.ca>
Date: Mon, 2 Jan 2012 21:16:28 -0500
To: Lyndon Nerenberg <lyndon@orthanc.ca>
Cc: "Nanog@nanog.org" <Nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote:
>> I just went through some calculations for a (government) site that has the
>> following rules:
> [...]
>> Under the plausible assumption that very many people will start with a string
>> of digits, continue with a string of lower-case letters to reach seven characters,
>> and then add a period, there are only ~5,000,000,000 choices. That's not many at
>> all -- but the rules look just fine...
>
> 1234;lkj rolls off the fingers quite nicely, don't you think?
>
OK -- let's let the set of punctuation be .,; and allow seven choices for where
it goes. That increases the work factor by 21 -- still not that large a space
for someone with a good botnet.
The real question is what you're trying to protect. If the attacker's goal is
to get *some* password, then I think he or she will succeed, because
I think that very many people will follow my assumed pattern -- enough that
the attacker has a good chance of winning. Sure, some people will pick stronger
ones -- but that isn't the point of the exercise. Passwords and password rules
are the *enemy* to most people.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
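The keyspace arithmetic behind the ~5,000,000,000 figure and the factor-of-21 follow-up, worked through in code. This is an added example, not code from the thread or from either poster. It assumes the pattern described above (eight characters: one to six digits, lowercase letters to fill out seven characters, then one punctuation mark), takes ".,;" and seven positions from the follow-up message, and uses a constructed guess rate for the time estimate; the "naive" comparison assumes the site's rules (not reproduced in the thread) amount to an eight-character password over digits, lowercase letters and three punctuation marks.

```python
"""
Keyspace of the human-pattern password discussed in the thread, versus the
keyspace the rules appear to offer. Added example; all numbers below are
derived from the pattern as stated in the messages, plus labelled assumptions.
"""
from math import log2

DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
PUNCT = ".,;"  # the set allowed in the follow-up message


def pattern_space(prefix_len: int = 7, min_digits: int = 1) -> int:
    """Count passwords of the form: k digits, then (prefix_len - k) lowercase
    letters, then a fixed trailing period. k runs from min_digits up to
    prefix_len - 1 so that at least one letter is present. The fixed period
    contributes no choices."""
    total = 0
    for k in range(min_digits, prefix_len):
        total += len(DIGITS) ** k * len(LOWER) ** (prefix_len - k)
    return total


def punctuation_variants(space: int, punct: str = PUNCT, positions: int = 7) -> int:
    """The follow-up relaxation: any of len(punct) marks at any of `positions`
    places. Each independent choice multiplies the space (3 * 7 = 21 here)."""
    return space * len(punct) * positions


def naive_space(length: int = 8, alphabet_size: int = len(DIGITS) + len(LOWER) + len(PUNCT)) -> int:
    """What the rules look like on paper if every position were an independent
    choice over the full allowed alphabet. ASSUMPTION: eight characters over
    digits + lowercase + three punctuation marks; the real rules are not in
    the thread."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Effective entropy in bits for a uniformly chosen element of `space`."""
    return log2(space)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given guess rate.
    The rate is whatever the attacker can sustain against the target (online
    throttling or offline hash cracking); it is a parameter, not a fact."""
    return space / guesses_per_second


if __name__ == "__main__":
    human = pattern_space()
    relaxed = punctuation_variants(human)
    paper = naive_space()
    print(f"human pattern:        {human:>16,d}  ({bits(human):.1f} bits)")
    print(f"with .,; x 7 places:  {relaxed:>16,d}  ({bits(relaxed):.1f} bits)")
    print(f"rules on paper:       {paper:>16,d}  ({bits(paper):.1f} bits)")
    # Constructed figure for illustration only: 1e6 guesses/s across a botnet.
    rate = 1e6
    print(f"exhaust relaxed space at {rate:.0e}/s: "
          f"{seconds_to_exhaust(relaxed, rate) / 86400:.1f} days")
```

The point the numbers make is the one in the message: the rules on paper yield a space about a thousand times larger than what people will actually type, and the "paper" figure is the one a policy reviewer sees. Swap in the real rate an attacker can get against your login endpoint or your hash format to turn the last line into something decision-useful.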