Date: Sun, 15 Dec 1996 12:53:42 GMT
From: rb@gid.co.uk (Bob Bishop)
To: Terry Lambert <terry@lambert.org>, proff@iq.org (Julian Assange)
Cc: security@freebsd.org, hackers@freebsd.org
Subject: Re: vulnerability in new pw suite
Message-ID: <v01540b04aed9945c1391@[194.32.164.2]>
At 2:23 pm 14/12/96, Terry Lambert wrote:

>I've noticed a similar restriction on the search space is caused by
>enforcing password length and use of particular values (digits,
>control characters, and capitalization)
>
>Once we add in "non-pronounceable" and "not in dictionary" and so on,
>I think that eventually, in the interests of "security", users will
>be forced to choose from a list of 10 or so "sufficiently safe"
>passwords.
>
>Of course, once that happens, we'll just publish the list... any
>restriction on "allowed values" is an implicit restriction of the
>search space a cracker is required to search, and makes cracking
>just that much easier.

Apologies if my irony detector is malfunctioning, but I can't let this one go :-)

There are something over 10^14 usable 8 character passwords. Of these, maybe 10^5 are in dictionaries, and maybe another 100 'guessables' per user could be found easily by trawling the user's home directory and points south. Throw in a few more (SO's name, phone number and the like) and maybe you can get up to c. 2 x 10^5 passwords per user that are unsafe.

That still leaves comfortably over 10^14 comparatively safe 8 character passwords. So there isn't actually a problem, it's just that those pesky users will insist on picking passwords from the unsafe set. They use lame excuses like "I can't remember %bSx48&J".

Insisting on one non-alphanumeric character reduces the total search space right enough, to between 10^13 and 10^14, but it almost certainly forces the password out of the much smaller unsafe set. You can introduce a few such restrictions before the total search space falls below 10^12 which is probably good enough. At least, it's *much* better than 10^5.

-- 
Bob Bishop              (0118) 977 4017  international code +44 118
rb@gid.co.uk        fax (0118) 989 4254  between 0800 and 1800 UK
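The argument above turns on two numbers: the size of the search space a policy leaves an attacker, and the size of the "unsafe" set the policy pushes users out of. The following is an added example, not part of Bob Bishop's message or of the FreeBSD pw suite, that computes those sizes exactly by inclusion-exclusion for "must contain at least one character from class X" rules and also performs the check such a rule implies when a password is set. The alphabet is assumed to be the 95 printable ASCII characters (26 lower, 26 upper, 10 digits, 33 symbols including space); the per-user unsafe-set figure of 2 x 10^5 is taken from the message. The function and policy names are this example's own.

```python
import string
from itertools import combinations, product
from math import log2

# Assumed alphabet: the 95 printable ASCII characters, split into the four
# classes a password policy usually talks about.
CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                 # 10
    "symbol": set(string.punctuation) | {" "},   # 32 + space = 33
}
ALPHABET = sorted(set().union(*CLASSES.values()))
ALPHABET_SIZE = len(ALPHABET)  # 95


def search_space(length, required=()):
    """Number of strings of `length` characters over the alphabet that contain
    at least one character from every class in `required`.

    Inclusion-exclusion over the set of required classes that are *absent*:
    sum over subsets S of required, (-1)^|S| * (alphabet minus S)^length.
    With required=() this is simply ALPHABET_SIZE ** length."""
    req = tuple(required)
    total = 0
    for k in range(len(req) + 1):
        for missing in combinations(req, k):
            remaining = ALPHABET_SIZE - sum(len(CLASSES[c]) for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def brute_force(length, required=()):
    """Same count by enumeration; only feasible for tiny lengths, used to
    sanity-check search_space()."""
    return sum(1 for p in product(ALPHABET, repeat=length)
               if satisfies("".join(p), required))


def satisfies(password, required=()):
    """The check a password-setting tool enforces: every required class is
    represented by at least one character of the candidate password."""
    return all(any(ch in CLASSES[c] for ch in password) for c in required)


def compare_policies(length, policies, unsafe_per_user):
    """For each named policy, report the remaining search space as an exact
    count, as bits (log2), and as a fraction of the unconstrained space, with
    the per-user unsafe set added as a row for scale."""
    base = search_space(length)
    rows = {}
    for name, required in policies.items():
        n = search_space(length, required)
        rows[name] = {"count": n, "bits": round(log2(n), 1), "fraction": n / base}
    rows["unsafe set"] = {"count": unsafe_per_user,
                          "bits": round(log2(unsafe_per_user), 1),
                          "fraction": unsafe_per_user / base}
    return rows


if __name__ == "__main__":
    # Policies from weakest requirement to strongest (names are this example's).
    POLICIES = {
        "no restriction": (),
        "one symbol": ("symbol",),
        "symbol and digit": ("symbol", "digit"),
        "all four classes": ("lower", "upper", "digit", "symbol"),
    }
    for name, row in compare_policies(8, POLICIES, 2 * 10**5).items():
        print(f"{name:18} {row['count']:>20,d}  {row['bits']:5.1f} bits"
              f"  {row['fraction']:.3%} of unconstrained")
    print("%bSx48&J passes all-four-classes:",
          satisfies("%bSx48&J", POLICIES["all four classes"]))
```

Each "at least one of" rule removes only the strings that avoid a whole class, so requiring a symbol keeps over 96% of the unconstrained 8-character space, while the unsafe set the rule excludes is around 2 x 10^5, a fraction in the 10^-11 range. A rule that instead restricts the alphabet (only lowercase, for instance) shrinks the space multiplicatively and is the kind of restriction the quoted concern is about.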