AD and enforced password policies

Jimmy Hess mysidia at gmail.com
Tue Jan 3 04:34:45 UTC 2012


On Mon, Jan 2, 2012 at 8:16 PM, Steven Bellovin <smb at cs.columbia.edu> wrote:

> On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote:
> OK -- let's let the set of punctuation be .,; and allow seven choices for
> where it goes.  That increases the work factor by 21 -- still not that
> large a space for someone with a good botnet.


Should an attacker get to the point of being able to mount a brute force
attack, with only character class and length requirements, that means they
have basically already won the battle for basic user level access ---
user passwords do not have cryptographic strength;
the chance that some passwords are guessed is so high that you can
legitimately treat the probability that no passwords are discovered by an
informed attack as a 0% chance.

Assuming you have a policy of account lockout after multiple attempts, the
fact that a brute force attack can be mounted indicates implementation of
your account lockout policy failed, or the attacker stole the password
hashes.

If you have LANMAN hashes enabled or your passwords hashed with MD5
instead of PBKDF2 with 10000 or more rounds, the attacker has the keys to
the kingdom; they are almost certain to guess some passwords very quickly.

Not all passwords are equally likely to be chosen by a human given the
task of setting their password.

How some luser is going to respond to password complexity: pick a name or
standard dictionary word, make the first letter capital, append a single
digit or some well known number (such as the current year, a birthdate,
anniversary, address, SSN, or other known quantity), add a period or !
to the end, to meet the punctuation mark requirement.

Eminently guessable by methods other than brute force. It doesn't matter
that 10 different punctuation marks are actually available to the user
--- human chosen passwords have low entropy; you can anticipate the
average human has a higher chance of picking certain punctuation marks than
others, based on where they are located on the keyboard,
and the user's level of familiarity with the punctuation mark.

~ and _ may be valid choices, but the average English speaker is more
familiar with
! . , ' ; & + -


--
-JH
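
The habit described in the message above (capitalised dictionary word, then a digit or year, then one familiar punctuation mark) can be screened for when a password is set. This is an added example, not part of the original post; the word list, function names and the specific complexity rule are assumptions made for illustration.

```python
import re

# Constructed sample list; a real filter would load a full dictionary,
# names and site-specific terms (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "jessica", "michael", "dragon"}

# Punctuation the post lists as familiar to the average English speaker.
FAMILIAR_PUNCT = set("!.,';&+-")

# word, optional digits, optional trailing symbols, and nothing else
TEMPLATE = re.compile(r"^([A-Za-z]+)([0-9]*)([^A-Za-z0-9]*)$")

def meets_complexity(pw, min_len=8):
    """Character-class and length rule (assumed: upper, lower, digit, symbol)."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def predictable_reasons(pw):
    """List the ways pw follows the word+number+punctuation habit."""
    m = TEMPLATE.match(pw)
    if not m or m.group(1).lower() not in COMMON_WORDS:
        return []
    word, digits, punct = m.groups()
    reasons = ["base is a dictionary word or name"]
    if word[0].isupper() and word[1:].islower():
        reasons.append("only the first letter is capitalised")
    if len(digits) == 1:
        reasons.append("single appended digit")
    elif len(digits) == 4 and 1900 <= int(digits) <= 2099:
        reasons.append("appended year")
    if len(punct) == 1 and punct in FAMILIAR_PUNCT:
        reasons.append("one familiar punctuation mark at the end")
    return reasons

def review(pw):
    """Decision at password-set time (hypothetical helper)."""
    if not meets_complexity(pw):
        return "reject: fails complexity rule"
    reasons = predictable_reasons(pw)
    if reasons:
        return "reject: predictable (" + "; ".join(reasons) + ")"
    return "accept"

if __name__ == "__main__":
    for candidate in ("Summer2012!", "Jessica7.", "tv9~Qk_2rWx"):  # constructed samples
        print(candidate, "->", review(candidate))
```

The first two samples satisfy the complexity rule and are still rejected, which is the point the message makes about character-class requirements.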


