Re: US Military bans HTML in emails



AEF wrote:
Arne Vajhøj wrote:
AEF wrote:
Arne Vajhøj wrote:
AEF wrote:
Arne Vajhøj wrote:
Now the MIS departments have tightened security.
You mean like requiring 6-character passwords to now be "complex"?
Yeah, that'll stop 'em!!! ;-)

OK, maybe they're actually doing some more useful things.
More as in:
min 8 characters
min 1 uppercase
min 1 lowercase
min 1 digit
min 1 punctuation

Or as in email scanners that remove all EXE, BAT etc. from
attached ZIP files in inbound email.

It turns out that you get a lot more bang for the buck by requiring
longer passwords. Complex passwords are not that much harder to
crack.

Since you have already demonstrated that you do not have a clue about
what is happening security wise, there is no need for you to
try and explain anything security related.

Arne

Well, it would be helpful if you could be a little more specific. And
did you check the Info World article I posted a link to?

Anyway, here are the numbers I promised earlier.

Consider a password with a choice of X different characters for each
position and a length of L. The total number of possible passwords is
then X**L. If anyone wants, I'll be happy to derive this formula.

Now, assume X=26 and L=6. I'd guess that this is the set most users
choose from when confronted with a 6-char-minimum password. Then,

26**6 = 308,915,776 ~= 309e+06 (where e+nn is the usual 10**nn factor)

Let's say we make it complex by doubling the number of characters to
52. That's adding 26 characters to X:

52**6 = 19,770,609,664 ~= 19.8e+9

Pretty good! That's 2**6 = 64 times as many passwords. Now what happens
if we add 26 characters to L instead?

26**(6+26) = 26**32 ~= 1.90e+45

This number is fantastically larger than the number of atoms, or even
subatomic particles (electrons, protons, and neutrons) in the computer
itself. Good luck cracking this one!

OK, what if we extend the length only to 12:

26**12 ~= 95.4e+15

This is still a very much larger number than 52**6. Let's try 10:

26**10 = 141e+12

Since 52**6 = 19770609664 ~= 19.8e+09, the complex password still
comes up short.

What about L = 8?

26**8 = 208,827,064,576 ~= 209e+09

which is STILL about 10 times more than the complex case of 52**6.

What if we add numbers to the mix for the complex password, making X =
62?

62**6 ~= 56.8e+09

Now we're still short. But even this assumes that the complex
passwords will be drawn randomly from the character set, which is
highly unlikely. The uppercase letter will most likely be in position
1 whilst the numeral will likely be in position 6. This actually
gives fewer possible passwords than a non-complex password of the
same size!!!

(26**5*10<26**6)

Add punctuation? Most will use only hyphens, commas, and periods I
would guess, and use only one of them for only one position within the
character string. Not much help.

Let's add all 32 punctuation characters:

94**6 ~= 690e+09

Finally we've outdone 26**L, but only by a factor of about 3, and we
had to nearly quadruple the allowed number of characters to do it! It
takes using (a RANDOM MIX of) all upper- and lowercase letters, all
numerals, and all punctuation marks in a 6-char password to finally
beat a simple 8-char password with X equal to only 26. And this is
assuming each character in the complex password is drawn randomly from
the entire set, and as I've already mentioned, that's highly unlikely.
And the criterion of a minimum of one char from each of the four
character sets certainly doesn't guarantee much of a move toward using
characters chosen randomly from the full set. How many people are
going to put in a reasonably well mixed combination of braces,
backquotes, tildes, and such; numerals; and uppercase letters? Very
few I'd bet.

A nine-character simple password:

26**9 = 5.43e12

easily beating the 94**6 number by adding only one position.

I can see only two advantages of complex passwords: 1) If you are
using an O/S or app whose passwords are limited to 8 characters in
length, and 2) elimination of passwords like dddddd, 123123, and
such. But for reasonably chosen passwords, going from L=6 to L=8
beats even the most randomly chosen complex passwords drawn from
upper- and lowercase letters and numbers. I think it would be best to
use longer passwords and to check for stupid things like ddddddddddd
and 123123123123, and such (and password history and dictionaries).
If you're running your business on a Web site, and a customer has a
choice between 8-character simple passwords and 6-character complex
passwords, I bet the customer would go with the former. Also, the
trick of using 0's for O's and 3's for E's is probably checked for in
password crackers and would be with little extra toil, at least
relative to longer, well-chosen simple passwords.

A possible disadvantage of complex passwords, at least according to an
old post I dug up a few months back, is that they stand out in
sniffer data whereas simple passwords are virtually indistinguishable
from the rest. I don't know how important or even valid this claim
is, though, as I'm reporting it second hand.

If you want to increase the number of possible passwords, increasing L
gives you a lot more bang for the buck than increasing X.

AEF

Yeah, I knew that. :)

Actually, I have a few passwords that I vary slightly - all of them 9 bytes
a..z + 0..9 or more - only some systems have a max of 8, but I digress.
None of them have special characters, because I change to different language
keyboards and often some characters are hard to get (read missing).

Length matters :)

Dr Dweeb.
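The X**L argument from AEF's post, worked through in code so the cases can be checked and extended. This is an added example, not code from the thread; the alphabet sizes 26/52/62/94 and the "uppercase first, digit last" placement model are the ones the post describes, and the bits-of-entropy view (L * log2(X)) is an added way of reading the same numbers.

```python
"""Password keyspace comparison: length versus alphabet size.

Added example (not from the original thread). Implements the X**L
formula used in the post above and the post's "predictable placement"
model (uppercase in position 1, digit in the last position, lowercase
elsewhere). Alphabet sizes 26/52/62/94 are the ones the post uses.
"""
import math

LOWER, MIXED, ALNUM, FULL = 26, 52, 62, 94  # alphabet sizes from the post


def keyspace(x: int, l: int) -> int:
    """Number of distinct passwords with X symbols per position and length L."""
    return x ** l


def entropy_bits(x: int, l: int) -> float:
    """Same keyspace expressed as bits: L * log2(X). Each extra position
    adds log2(X) bits; doubling X adds only L bits in total."""
    return l * math.log2(x)


def predictable_complex(l: int) -> int:
    """'Complex' password as users actually build it: one uppercase letter
    first, one digit last, lowercase in between (26**(L-1) * 10)."""
    if l < 2:
        raise ValueError("need at least 2 positions")
    return 26 * (26 ** (l - 2)) * 10


def length_to_beat(x_simple: int, x_complex: int, l_complex: int) -> int:
    """Smallest length of an X_simple-alphabet password whose keyspace
    is at least as large as X_complex ** L_complex."""
    target = keyspace(x_complex, l_complex)
    l = 1
    while keyspace(x_simple, l) < target:
        l += 1
    return l


if __name__ == "__main__":
    for x in (LOWER, MIXED, ALNUM, FULL):
        print(f"X={x:2d} L=6: {keyspace(x, 6):>16,d}  ({entropy_bits(x, 6):.1f} bits)")
    print(f"predictable 6-char complex: {predictable_complex(6):,d}")
    for x in (MIXED, ALNUM, FULL):
        print(f"lowercase length needed to beat {x}**6: {length_to_beat(LOWER, x, 6)}")
```

Run as a script to reproduce the post's table; `length_to_beat` answers the policy question directly (how many extra lowercase positions make up for a larger alphabet).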