Passwords - 64 Characters, Changed Daily? 645
isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"
"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.
What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"
One time use? (Score:5, Informative)
While you maintain a reasonably secure password you're not logging in without the token.
Anderson's formula. (Score:5, Informative)
T = N/(PG)
In this:
So, let's say you want only a 10% chance your password is guessed. And you estimate an attacker can perform 2,000,000 guesses per second with his drone army. The passwords are from an alphabet of 26 characters, and are a minimum of 4 characters long. That means... (tappity, tappity on the TI calculator)... Um, that means you'll be hacked instantly.
Read more on Anderson's formula by googling.
Re:Simple... (Score:2, Informative)
The days when anyone on a system could just get all the encrypted passwords are long-gone. Getting encrypted passwords requires a root compromise these days. We not in the 90s anymore.
crack ratio (Score:3, Informative)
The *absolute* time taken to crack the password space is therefore a function of how long it takes to check a *single* password. This can be any length of time the password validation system wishes to implement (relative to a fixed processing resource).
There's no reason at all why passwords need to evolve to greater lengths as computers become faster. However, this inflation happens by default if the authentication system does not compensate by implementing constant time password validation as systems become faster.
A modern computer can validate a password in one microsecond that would have taken one millisecond back in the VAX days. This is one case where increased speed is not, in fact, a good thing.
Re:Just do what I do (Score:5, Informative)
Universal sign-on systems such as Kerberos can help this, by encorcing decent password selection and then making it available everywhere without permitting re-use of that small set of passwords. But it's a bear to set up in a small or mixed environment.
Also, for the original article's point: the difficulty of cracking passwords goes up nominally as the exponent of the password length, the complexity of verifying them or encrypting with keys goes up linearly or maybe as N*logN with the length of the key. Selecting a long enough password, and system keys, to defeat this kind of brute force cracking is quite trivial to do. But getting it adopted, especially in the face of federal policies that prohibit the export of encryption technologies as a "material of war", has crippled encryption techniques for years.
Get the federal government out of that line of regulation and hardware based encryption to protect your logins from man-in-the-middle password sniffing will be quite cheap, even possible to incorporate as a part of common motherboards and network cards. Until then, though, we're going to have a real risk of people using the same password for years and having it sniffed and used by crackers.
Re:What about /etc/shadow? (Score:3, Informative)
This raises another good point, where if you're properly controlling the methods to access whatever it is you're protecting, you can cut off someone that's trying to brute force (ie, wrong password 3 times in a row). Then your length isn't going to matter as much.
You could also go farther, and 'silently' lock them out - no matter what happens, it won't accept the password. Meanwhile, your IDS flags a security event and someone can respond, perhaps while they're still connected.
Re:Something you know, you have, and you are (Score:3, Informative)
Did you perhaps mean Bruce Schneier [schneier.com]? He would be more relevant to security than Bruce Perens [perens.com] is.
Re:Just do what I do (Score:5, Informative)
A study on passwords... (Score:2, Informative)
I found it interesting that passphrases are just as secure as random passwords, and as easy to remember as dictionary based passwords.
A 10 character passphrase based password is very hard to brute force.
Re:Biometrics (Score:3, Informative)
No need for that. I saw a presentation at AsiaCrypt a couple of years ago where a guy sucessfully managed to create an artificial fingerprint good enough to fool pretty much all the commercial fingerprint scanners tested using only a fingerprint left begind on a glass, and pretty much commodity hardware (he did use one somewhat obscure device but that was still only a couple thousand dollars). This wasn't spy movie crap - this was an actual research project. Current fingerprint scanners are, quite simply, complete crap.
Jedidiah.
Re:Just do what I do (Score:5, Informative)
Stastically, that is false for a one time event. If someone today is trying to break your 14 character password, it doesn't matter when you changed it.
And vacation? I check my servers every day on vacation. Only takes a few minutes to ssh in. Yes, its vacation, but I would rather check the logs for 5 minutes a day, than spend 7 days recovering from a fatal problem that might have been averted.
Re:Just do what I do (Score:3, Informative)
I was with you until the bold bit.
If you're allowed to change the number after the guess, then sure - it's impossible to guess. Otherwise if you've only allowed to change it between guesses, then the fact that I guess 517 right after you chose it means I win - regardless of how long it took to get there.
If you're considering a game where you have to say "higher" or "lower" - well, that doesn't map at all to the problem space here - all you get is "yes" or "no" from a login prompt.
Any algorithm which leaks partial correctness (e.g. measurably faster or slower response if you get the first letter correct) is going to break quickly anyway - just check out the SSH hacks based on the timing of typed letters to work out the length of a password and get a pretty good guess at the letters as well.
Re:Moores law needn't require longer passwords... (Score:2, Informative)
I could be wrong.
Password rotation script for NT domain (Score:2, Informative)
YOURDOMAIN = domain 'need to change this
user = InputBox("Enter username")
pass = InputBox("Enter password")
Set ns = GetObject("WinNT:")
Set usr = ns.OpenDSObject("WinNT://" & YOURDOMAIN & "/" & user & ",user", user, pass, ADS_SECURE_AUTHENTICATION)
usr.ChangePassword pass, "qazwsxedc1"
usr.ChangePassword "qazwsxedc1", "plmoknijb2"
usr.ChangePassword "plmoknijb2", "owidcjdcd3"
usr.ChangePassword "owidcjdcd3", "iojcdswdo4"
usr.ChangePassword "iojcdswdo4", "vownmdicm5"
usr.ChangePassword "vownmdicm5", pass
MsgBox("Password Changed (not really)")
Re:Just do what I do (Score:2, Informative)
Re:Just do what I do (Score:2, Informative)
At the company I work for, we often have highly sensitive (legal) data that we're forever scared shitless of contaminating some other entirely different data. Hence the boss insisted we have an enourmously complicated login structure, so that fi you're working on case X, it's impossible to even be aare that case Y exists.
Then the boss insits I give him an account with root level access to all the work because he says it takes too long switching between accounts.
Entire point of this whole exersize? Nothing.
Re:Just do what I do (Score:3, Informative)
APC masterswitches do that. Well, it locks you out after x attempts for x minutes.
It became a pain in the ass when some winner started trying to password scan one of the masterswitches. A machine went down, and everyone was locked out from it. They had just left the scanner running, so after the lockout time, it would get locked out again.
We moved them to a private network, and voila, everything works fine now.
People try to brute force so many various passwords, this seems like a really bad idea, unless your username is random also, and no one happens to know it. There's nothing like explaining to the boss that you couldn't hit a downed machine with the masterswitch because you were locked out, and it took 1 hour for someone to respond to the site just to reboot the machine.