I have a few thoughts on passwords and password rules that I hope someone will find useful.

1. Length > Complexity

Paul E. Musselman wrote on 07/03/2007 22:14:46:

> Using letters and numbers, 6 characters will give 26x36x36x36x36x36 = 1,572,120,576 possible passwords.

I'll use this as a reference point, size of the search space = S1. Using all of the characters that Mike suggested in his initial message:

> Must contain at least 3 of the following 4:
> One lower case alpha character (a-z)
> One upper case alpha character (A-Z)
> One numeric character (0-9)
> One special character (!@#$%^&*()=+{}[]|\:;"'<>,.?/)

We have a total of 26 lower case + 26 upper case + 10 digits + 31 special characters = 93 possible characters for each position.

Password length 6: Total passwords = 83x93^5 = 577 421 346 519 ~= 3 x 10^3 x S1
Password length 10 (letters and numbers only): Total passwords = 26x36^9 = 2.64055887 × 10^15 ~= 1.68 x 10^6 x S1
Password length 10 (all available characters): Total passwords = 83x93^9 = 4.31941199 × 10^19 ~= 2.74 x 10^10 x S1

Notice that increasing the minimum length from 6 to 10 is more effective (against a brute-force attack) than requiring a whole bunch of 'non-word' characters but leaving the length at 6.

2. People are lazy.

Despite your best efforts to prevent people using dictionary words, 80% of people will find something simple (and easily attackable). For example, given the rules that Mike's organization is proposing, my password could be AdamG1. This is particularly bad if my login is ADAMG. As Brian Lewis said, simply mixing dictionary words with numbers (especially since most people will stick the number on the end) reduces the difficulty of attacking the passwords considerably.

3. People don't think about security too much.

"Hey - I forgot my password. Can you log in for me?" You'd be shocked how many people will do this.

Given the three points above, I would say that promoting security awareness will be far more effective than any ruleset you can come up with. That said, a simple rule like "your password must be at least 15 characters long and contain at least one number" might be just as effective as your proposed rules. It will probably be easier for users to combine two or more dictionary words than to come up with one 15 character word. I *think* that the search space difference between "one word plus a number" and "two or more dictionary words" is probably pretty significant.
HTH,
Adam
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].