[WEB SECURITY] Passwords : include a space

Stephan Wehner stephanwehner at gmail.com
Mon Jan 28 17:12:41 EST 2008


On Jan 28, 2008 1:52 PM, Martin O'Neal <martin.oneal at corsaire.com> wrote:
>
>
> > Here is a simple way to increase password security with
> > respect to dictionary attacks:
>
> > * Passwords must contain at least one space character
> > * When the user chooses a new password, tell them they
> > should enter at least two words, separated by a space.
>
> A dictionary-space-dictionary combination is only an order of magnitude
> better than a dictionary password alone though.  If your vocabulary is
> 30,000 words, then when being brute-forced on a contemporary processor,
> your dictionary word will be discovered in less than a second, and the
> dictionary-space-dictionary password will fall out in less than three
> minutes.

It does depend on the hash function, doesn't it?

If you can only do 1000 hash computations per second, the number comes to

  possible-combinations / 1000 per second
    = (30,000 * 30,000 / 2) / 1000 seconds
    = 900,000 / 2 seconds
    -> 5 days.

bcrypt uses expensive hash computations
(http://www.usenix.org/events/usenix99/provos.html)

>
> In comparison, a non-dictionary 8 character password containing only
> upper & lower alpha and numerics will take 600 days on the same
> processor.

How do you get users to come up with and remember such passwords? If you say
"include a digit", they just append 1 (password1) or 1234 (pwd1234)
and so on.

Stephan


> Predictable formats and passwords are not happy bedfellows.
>
> Martin...



-- 
Stephan Wehner

-> http://stephan.sugarmotor.org
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org
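As an added example (mine, not code from either poster), here is a small Python model of the calculation the thread is doing: expected brute-force time as a function of the candidate space and the rate at which the hash can be evaluated, for the policies under discussion, together with a check for the proposed two-word rule. The 30,000-word vocabulary and the 1,000 hashes/second figure come from the thread; the 2.5 million/second fast-hash rate, the "word plus short digit suffix" model, and the assumption that the attacker knows the policy and enumerates only candidates that satisfy it are my assumptions.

```python
import math

# Figures taken from the thread.
VOCAB = 30_000            # dictionary size used by both posters
ALNUM = 26 + 26 + 10      # upper, lower and digits
SECONDS_PER_DAY = 86_400

# Candidate spaces for each policy. Assumption (mine): the attacker knows the
# policy, so "word space word" has VOCAB**2 candidates, and the habit of
# appending "1" or four digits to a word only multiplies by the suffix choices.
SPACES = {
    "dictionary word": VOCAB,
    "word + '1' or 4-digit suffix": VOCAB * (1 + 10**4),
    "word space word": VOCAB ** 2,
    "random 8-char alnum": ALNUM ** 8,
}

# Illustrative hash rates (assumed, not measured): a fast unsalted digest
# versus a deliberately expensive function such as bcrypt at a high cost.
FAST_HASH_PER_SECOND = 2_500_000
SLOW_HASH_PER_SECOND = 1_000     # the rate used in Stephan's estimate


def expected_guesses(space: int) -> float:
    """On average the right candidate is reached halfway through the space."""
    return space / 2


def expected_seconds(space: int, hashes_per_second: float) -> float:
    """Expected time to recover one password when each guess costs one hash."""
    return expected_guesses(space) / hashes_per_second


def entropy_bits(space: int) -> float:
    """Effective strength of a policy against an attacker who knows it."""
    return math.log2(space)


def crack_table(hashes_per_second: float) -> dict:
    """Expected days per policy at a given hash rate."""
    return {
        name: expected_seconds(space, hashes_per_second) / SECONDS_PER_DAY
        for name, space in SPACES.items()
    }


def meets_two_word_policy(password: str) -> bool:
    """The rule proposed in the thread: at least one space character and
    at least two non-empty words around it."""
    return " " in password and len(password.split()) >= 2


def main() -> None:
    for rate in (FAST_HASH_PER_SECOND, SLOW_HASH_PER_SECOND):
        print(f"\nhash rate: {rate:,} / second")
        for name, days in crack_table(rate).items():
            bits = entropy_bits(SPACES[name])
            print(f"  {name:30s} {bits:5.1f} bits  {days:>14,.3f} days")
    for candidate in ("correct horse", "password1", " leading"):
        print(f"\n{candidate!r}: two-word policy ok = {meets_two_word_policy(candidate)}")


if __name__ == "__main__":
    main()
```

The table makes the thread's two points visible side by side: the slow hash multiplies every row by the same factor, so the ratio between policies is unchanged, while the space itself only grows meaningfully when the user's choice is not a predictable transformation of a dictionary word.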

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
