AD and enforced password policies
Steven Bellovin
smb at cs.columbia.edu
Tue Jan 3 01:45:29 UTC 2012
On Jan 2, 2012, at 7:05 PM, Gary Buhrmaster wrote:
> On Mon, Jan 2, 2012 at 22:32, Jimmy Hess <mysidia at gmail.com> wrote:
> ....
>> The sole root cause for "easily guessable passwords" is not lack of
>> technical restrictions. It's also: lazy or limited memory humans who need
>> passwords that they can remember.
>>
>> Firstname1234! is very easy to guess, and meets complexity and usual
>> length requirements.
>
> Obligatory xkcd reference: http://xkcd.com/936/
>
Thanks; you saved me the trouble.
There's a discussion of the topic going on right now on a cryptography mailing
list; check out http://lists.randombit.net/mailman/listinfo/cryptography if you want.
Also see my (mostly tongue in cheek) blog post at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-27.html
and the very serious followup at https://www.cs.columbia.edu/~smb/blog/2011-12/2011-12-28.html
I should add that except for targeted attacks, strong passwords are greatly
overrated; neither phishing attacks nor keystroke loggers care how good your
password is.
I just went through some calculations for a (government) site that has the
following rules:
Minimum Length : 8
Maximum Length : 12
Maximum Repeated Characters : 2
Minimum Alphabetic Characters Required : 1
Minimum Numeric Characters Required : 1
Starts with a Numeric Character
No User Name
No past passwords
At least one character must be ~!@#$%^&*()-_+\verb!+={}[]\|;:/?.,<>"'`!
Under the plausible assumption that very many people will start with a string
of digits, continue with a string of lower-case letters to reach seven characters,
and then add a period, there are only ~5,000,000,000 choices. That's not many at
all -- but the rules look just fine...
--Steve Bellovin, https://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list