


I have a few thoughts on passwords and password rules that I hope someone 
will find useful.

1.  Length > Complexity:

Paul E. Musselman wrote on 07/03/2007 22:14:46:
Using letters and numbers, 6 characters will give 26x36x36x36x36x36 = 
1,572,120,576 possible passwords.

I'll use this as a reference point, size of the search space = S1.

Using all of the characters that Mike suggested in his initial message:

        Must contain at least 3 of the following 4:

                One lower case alpha character (a-z)

                One upper case alpha character (A-Z)

                One numeric character (0-9)

                One special character (!@#$%^&*()=+{}[]|\:;"'<>,.?/)

We have a total of 26 lower case + 26 upper case + 10 digits + 31 special 
characters = 93 possible characters for each position.

Password length 6:
Total passwords = 83x93^5 = 577 421 346 519 ~= 3 x 10^3 x S1

Password length 10 (letters and numbers only):
Total passwords = 26x36^9 = 2.64055887 x 10^15 ~= 1.68 x 10^6 x S1

Password length 10 (all available characters):
Total passwords = 83x93^9 = 4.31941199 x 10^19 ~= 2.74 x 10^10 x S1

Notice that increasing the minimum length from 6 to 10 is more effective 
(against a brute-force attack) than requiring a whole bunch of 'non-word' 
characters but leaving the length at 6.


2.  People are lazy.
Despite your best efforts to prevent people using dictionary words, 80% of 
people will find something simple (and easily attackable).  For example, 
given the rules that Mike's organization is proposing, my password could 
be AdamG1.  This is particularly bad if my login is ADAMG.  As Brian Lewis 
said, simply mixing dictionary words with numbers (especially since most 
people will stick the number on the end) reduces the difficulty of 
attacking the passwords considerably.

3. People don't think about security too much.
"Hey - I forgot my password.  Can you log in for me?"  You'd be shocked 
how many people will do this.


Given the three points above, I would say that promoting security 
awareness will be far more effective than any ruleset you can come up 
with.  That said, a simple rule like "your password must be at least 15 
characters long and contain at least one number" might be just as 
effective as your proposed rules.  It will probably be easier for users to 
combine two or more dictionary words than to come up with one 15 character 
word.  I *think* that the search space difference between "one word plus a 
number" and "two or more dictionary words" is probably pretty significant.

HTH,
Adam


Attention:

The information contained in this message and or attachments is intended 
only for the person or entity to which it is addressed and may contain 
confidential and/or privileged material. Any review, retransmission, 
dissemination or other use of, or taking of any action in reliance upon, this 
information by persons or entities other than the intended recipient is 
prohibited. If you received this message in error, please contact the sender 
and delete the material from any system and destroy any copies. Thank you for 
your time and consideration.

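The search-space arithmetic in Adam's point 1 and the closing "one word plus a number" versus "two or more dictionary words" comparison, carried through in code. This is an added worked example and is not code from the post or from the midrange.com thread. It reads the post's products as "first position drawn from a restricted set, remaining positions from the full set" (26 = letters only, 83 = the 93-character set minus the 10 digits); that reading, the dictionary size and the guess rate are assumptions of this example, not statements from the post.

```python
"""Password search-space arithmetic for the policies compared above.

Added worked example; not code from Adam's post or the midrange.com thread.
It reproduces the four figures in point 1 and puts numbers on the closing
"one word plus a number" vs "two or more dictionary words" comparison.

Assumptions (mine, not the post's): the post's products are read as
"first position from a restricted set, remaining positions from the full
set" (26 = letters only, 83 = the 93-character set minus the 10 digits);
DICT_SIZE and GUESSES_PER_SECOND are illustrative constants.
"""
import math

DICT_SIZE = 50_000              # assumed size of an attacker's word list
GUESSES_PER_SECOND = 10**9      # assumed offline cracking rate


def search_space(first_set: int, rest_set: int, length: int) -> int:
    """Count passwords when position 1 has `first_set` candidates and each
    of the remaining length-1 positions has `rest_set` candidates."""
    if length < 1 or first_set < 1 or rest_set < 1:
        raise ValueError("sets must be non-empty and length >= 1")
    return first_set * rest_set ** (length - 1)


def entropy_bits(space: int) -> float:
    """Size of the search space expressed in bits (log2)."""
    return math.log2(space)


def exhaustive_search_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; the expected time is half."""
    return space / rate


def word_plus_digits_space(dict_size: int, digits: int = 1,
                           capitalise: bool = True) -> int:
    """'AdamG1'-style passwords: one dictionary word, `digits` digits
    appended, optionally with or without an initial capital."""
    return dict_size * (2 if capitalise else 1) * 10 ** digits


def two_words_space(dict_size: int, words: int = 2) -> int:
    """Passphrases made of `words` dictionary words run together."""
    return dict_size ** words


# Reference point from the post: 6 characters, letters and digits.
S1 = search_space(26, 36, 6)

POLICIES = {
    "6 chars, letters+digits (S1)":  (26, 36, 6),
    "6 chars, all 93 characters":    (83, 93, 6),
    "10 chars, letters+digits":      (26, 36, 10),
    "10 chars, all 93 characters":   (83, 93, 10),
}


def compare_policies() -> dict:
    """Return {policy: (space, multiple of S1, bits, worst-case seconds)}."""
    out = {}
    for name, (first, rest, length) in POLICIES.items():
        space = search_space(first, rest, length)
        out[name] = (space, space / S1, entropy_bits(space),
                     exhaustive_search_seconds(space))
    return out


def compare_dictionary_policies(dict_size: int = DICT_SIZE) -> dict:
    """Return the two dictionary-based spaces side by side, with bits."""
    w1 = word_plus_digits_space(dict_size)
    w2 = two_words_space(dict_size)
    return {
        "one word + one digit": (w1, entropy_bits(w1)),
        "two words":            (w2, entropy_bits(w2)),
    }


if __name__ == "__main__":
    for name, (space, mult, bits, secs) in compare_policies().items():
        print(f"{name:32s} {space:>22,d}  {mult:12.3g} x S1  "
              f"{bits:5.1f} bits  {secs / 86400:10.3g} days")
    for name, (space, bits) in compare_dictionary_policies().items():
        print(f"{name:32s} {space:>22,d}  {bits:5.1f} bits")
```

Running the block prints each policy's raw count, its multiple of S1, its size in bits and the worst-case exhaustive-search time at the assumed rate, so the length-versus-charset trade-off can be read off directly. With the assumed 50,000-word list, "one word plus one digit" (with or without a capital) is about 2^20 candidates, while two words run together is 2.5 x 10^9, about 2^31; change DICT_SIZE or GUESSES_PER_SECOND to match your own threat model.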

