[586] in Kerberos


password checking

daemon@TELECOM.MIT.EDU (Mark Lillibridge)
Tue Jan 10 13:46:54 1989

From: Mark Lillibridge <chariot@ATHENA.MIT.EDU>
To: mar@ATHENA.MIT.EDU
Cc: steiner@ATHENA.MIT.EDU, Saltzer@ATHENA.MIT.EDU, sms-dev@ATHENA.MIT.EDU,
In-Reply-To: <mar@ATHENA.MIT.EDU>'s message of Mon, 9 Jan 89 19:02:40 EST <8901100002.AA20757@TOTO.MIT.EDU>
Reply-To: chariot@ATHENA.MIT.EDU


>   From: <mar@ATHENA.MIT.EDU>
>   Date: Mon, 9 Jan 89 19:02:40 EST
>
>   Having listened to the discussion I've started, I'd like to propose
>   that a library routine be written to do password quality checking.  It
>   would take as input the /etc/password line or other available
>   information about the user concatenated together, the proposed
>   password, and previously used passwords/keys if available.  It would
>   rate the password on a 1-10 scale, i.e.:
>	   1: password is empty string or same as account name
>	   2: password is trivially derivable from real name, etc.
>	   3: password is on the "100 most common passwords" list
>	   4: password contains only numbers
>	   5: password is 4 characters or less
>	   6: password is in the dictionary
>	   7: password contains only letters
>	   8: password is less than 8 characters
>	   9: password has been used before
>	   10: looks good to us!
 
	I have only 1 comment: I would rate #'s 1-8 as a 0, 9 as a 2,
and 10 as 4.  Seriously, rules 1-8 offer next to NO protection given
current & likely future technology against a determined hacker.
Example: all 7 letter (lowercase) passwords can be tested in 1 day with
100 machines doing 1000 tries a second.  (the 1000 tries a second is not
my figure and comes from the net.  It may be low or high but the point
remains.  The 100 machines is low.  I can easily get more than that here
at Athena.)

	If we are going to go to the trouble of enforcing rules to
generate a large key space we can at least do a good job.  Let us assume
we want cracking someone's password to take at least a day with the
above figures.  (I.e., I am looking for a LOWER bound)  Then we need:

	- a 5 character password drawn randomly from all 128 ASCII characters
	- a 7 character password drawn randomly from lowercase+digits
	- an 8 character password drawn randomly from just lowercase

Note the words "drawn randomly from".  Drawn randomly from all 128 ASCII
characters means a password like "a5@98E}\" NOT "age:less".  Since users
do not really draw anything randomly, to be safe we need to increase the
minimum requirements.  Hence, 2 or so characters should be added onto
all of the above requirements.  Note that this implies that all
passwords should really be at least 8 characters long...

	I think it should be clear from the above analysis that a set of
simple rules such as proposed in the previous message will not increase
security much.  The people cracking passwords will still be cracking
passwords successfully.  The only difference is the users will now be
more annoyed when the time comes to change their passwords.  I propose
instead that we get some REAL security by going to one of the methods I
outlined in a previous message (2a and 2b in my summary of the password
flames on the net).

								- Mark
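The key-space arithmetic behind the three lower bounds above, as an added worked example that is not part of the original message or the Athena/Kerberos code. It assumes the message's own figures (100 machines, 1000 tries per second each, one day of work) and counts "all ASCII" as 128 symbols exactly as the message does; the function names and the slack of two characters for non-random choice are illustrative choices, not anything the list proposed.

```python
"""Key-space lower bounds for a password policy, using the message's figures."""
import math
import string

# Assumed attacker budget, taken from the message: 100 machines at 1000 tries/s.
MACHINES = 100
TRIES_PER_SECOND = 1000
SECONDS_PER_DAY = 24 * 60 * 60

# Alphabets as the message counts them ("all 128 ASCII characters").
ALPHABETS = [
    ("lowercase", set(string.ascii_lowercase), 26),
    ("lowercase+digits", set(string.ascii_lowercase + string.digits), 36),
    ("ascii", {chr(i) for i in range(128)}, 128),
]


def guesses_per_day(machines=MACHINES, tries_per_second=TRIES_PER_SECOND):
    """Total guesses the assumed attacker can make in one day."""
    return machines * tries_per_second * SECONDS_PER_DAY


def days_to_exhaust(alphabet_size, length, budget=None):
    """Days needed to try every string of `length` symbols over the alphabet.
    This is an upper bound on attacker work only if the password was drawn
    uniformly at random from that alphabet."""
    budget = budget if budget is not None else guesses_per_day()
    return alphabet_size ** length / budget


def min_length(alphabet_size, min_days=1.0, budget=None, slack=0):
    """Smallest length whose full key space takes at least `min_days` to
    exhaust, plus `slack` extra characters because users do not draw randomly
    (the message suggests about 2)."""
    budget = budget if budget is not None else guesses_per_day()
    target = min_days * budget
    length = 1
    while alphabet_size ** length < target:
        length += 1
    return length + slack


def entropy_bits(alphabet_size, length):
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def smallest_alphabet(password):
    """Name and size of the smallest listed alphabet containing every character.
    An attacker who knows the policy enumerates this set first, so the
    apparent alphabet of a password is what bounds the search, not the policy."""
    for name, chars, size in ALPHABETS:
        if all(c in chars for c in password):
            return name, size
    raise ValueError("non-ASCII character in password")


def policy_table(min_days=1.0, slack=2):
    """Minimum length per alphabet: (random draw, with slack for human choice)."""
    return {
        name: (min_length(size, min_days), min_length(size, min_days, slack=slack))
        for name, _, size in ALPHABETS
    }


if __name__ == "__main__":
    print("budget per day:", guesses_per_day())
    print("7 lowercase letters exhausted in %.2f days" % days_to_exhaust(26, 7))
    for name, (plain, padded) in policy_table().items():
        print("%-17s min length %d, with slack %d" % (name, plain, padded))
    for pw in ("age:less", "a5@98E}\\", "hunter"):
        name, size = smallest_alphabet(pw)
        print("%-10s -> %-17s %.1f bits if random" % (pw, name, entropy_bits(size, len(pw))))
```

With the message's budget (8.64e9 guesses per day) the table reproduces its three bounds (5, 7 and 8 characters) and, with two characters of slack, lands on 7, 9 and 10. The `smallest_alphabet` check makes the "drawn randomly from" caveat concrete: "age:less" and "a5@98E}\" are both 8 characters over the 128-symbol alphabet, so the bound treats them alike, which is exactly why the bound is only meaningful when the draw is actually random.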


