Psychotec
May 3 2004, 09:04 AM
Making users comply with a password policy is difficult because users are free to choose their own passwords. Human nature dictates that users will prefer simple (easy to remember, guess and crack) passwords rather than strong passwords.
Passwords must be changed under any one of the following circumstances:
- At least every 3 months.
- Immediately after giving your password to someone else.
- As soon as possible, but at least within one day after a password has been compromised or after you suspect that a password has been compromised.
- If your admin tells you to do so.
When selecting a password, I HIGHLY recommend that you follow the following guidelines, as they are VITAL to a good password:
- Passwords must contain at least eight nonblank characters.
- Passwords must contain a combination of letters (preferably a mixture of upper and lowercase letters), numbers, and at least one special character within the first seven positions.
- Passwords must contain a nonnumeric letter or symbol in the first and last positions.
- Passwords must not contain the user login name.
- Passwords must not include the user's own or (to the best of his or her knowledge) a close friend's or relative's name, employee number, Social Security number, birthdate, telephone number, or any information about him or her that the user believes could be readily learned or guessed.
- Passwords must not (to the best of the user's knowledge) include common words from an English dictionary or a dictionary of another language with which the user has familiarity.
- Passwords must not (to the best of the user's knowledge) contain commonly used proper names, including the name of any fictional character or place.
- Passwords must not contain any simple pattern of letters or numbers such as "qwertyxx".
An easy solution would be the following:
Create your favourite or any sentence that you will not forget, for example:
This is my new password policy that i have to understand
So let us here take only the first letter of each word, then it will look something like this:
Now let us make it a bit more complex, by playing with uppercase letters as well. In my example I will make every 2nd letter a capital letter.
Now add some numbers to it, again in my example I will just add the current year at the end.
Now add a few symbols to it, to make it even more secure.
CODE
T.i.M.n.P.p.T.i.H.t.U.2003.#
Now I wanna see someone crack or guess the above password, although it's really easy to remember. It's nothing else than:
CODE
This . is . My . new . Password . policy . That . i . Have . to . Understand . 2003 . #
I might be over-exaggerating here with this example, of course it's way more than 8 characters, but it's really secure. A simple version would be:
I love pizza very very much
so it looks something like:
That's also a very safe password.
And never never ever give out your passwords, or even any clue on what it could be like.
There are many more ways to enforce secure password policies in general for higher security, such as one-time passwords or other PAM modules which are available. But those, my friends, are another story
I hope this helps you to secure your access a bit more than it already might be.
Good luck to everyone.
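As an added example (not code from the original post), here is a checker that applies the guidelines above to a candidate password and reports every rule it breaks; the word lists, the `login` argument and the `personal` tuple are small constructed stand-ins for the dictionaries and personal data a real deployment would load.

```python
import re

# Stand-in word lists (constructed for this example; a real check would load
# full dictionaries and name lists from disk).
COMMON_WORDS = {"password", "welcome", "summer", "pizza", "dragon"}
PROPER_NAMES = {"john", "gandalf", "london", "mary", "paris"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")


def check_password(pw, login, personal=()):
    """Return the list of rules the password violates ([] means it complies).

    `login` is the account name; `personal` holds strings the user should
    never embed (own/relatives' names, birthdate, phone, employee number).
    """
    problems = []
    low = pw.lower()
    # At least eight nonblank characters.
    if len(pw.replace(" ", "")) < 8:
        problems.append("shorter than 8 nonblank characters")
    # Letters and numbers, plus a special character within the first seven positions.
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("needs both letters and digits")
    if not re.search(r"[^A-Za-z0-9\s]", pw[:7]):
        problems.append("no special character in the first 7 positions")
    # Non-numeric character in the first and last positions.
    if pw and (pw[0].isdigit() or pw[-1].isdigit()):
        problems.append("first or last character is a digit")
    # Must not contain the login name.
    if login and login.lower() in low:
        problems.append("contains the login name")
    # Must not contain personal information the user supplied.
    for item in personal:
        if item and item.lower() in low:
            problems.append("contains personal information: " + item)
    # No dictionary words or common proper names (case-insensitive substring).
    for word in sorted(COMMON_WORDS | PROPER_NAMES):
        if word in low:
            problems.append("contains dictionary word or name: " + word)
    # No simple patterns: keyboard runs or one character repeated 4+ times.
    for run in KEYBOARD_RUNS:
        if run in low:
            problems.append("contains keyboard pattern: " + run)
    if re.search(r"(.)\1{3,}", pw):
        problems.append("repeats one character four or more times")
    return problems
```

The post's own T.i.M.n.P.p.T.i.H.t.U.2003.# passes every rule, while a keyboard run such as qwerty123 fails three of them at once.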
cranky
May 3 2004, 03:24 PM
passwords should be a multiple of seven. if you do 9 the last 2 will be cracked easy and will probably give you a hint about what the other 7 might contain.
QUOTE (cranky @ May 3 2004, 03:24 PM)
passwords should be a multiple of seven. if you do 9 the last 2 will be cracked easy and will probably give you a hint about what the other 7 might contain.
that's only for LM passwords though, isn't it?
bonarez
May 3 2004, 03:42 PM
QUOTE
passwords should be a multiple of seven. if you do 9 the last 2 will be cracked easy and will probably give you a hint about what the other 7 might contain.
I thought it was the other way around.. (at least if you're speaking about LM hashes, which I assume because of the 7-digit break-up)
The pw I've tested revealed that the last 7 digits were in the back, the rest in the first 'block'. In case the pw is shorter than 8 digits the pw is in the first half of the hash. The second part will then always be AAD3B435B51404EE. The best way in case of the LM hashes is not to make it longer, just because of the 7-digit breakup. The best way would be to include 'special chars' like ç é è µ $ £. The more different special chars you got the better..
omol
May 4 2004, 02:26 PM
Most password crackers and other software don't deal with such characters as æX¼«╚ÄA
I'm gunna sit down and make some encoding program for my passwords, what a gd idea
omol
jacco
May 4 2004, 06:17 PM
Calculation example password policy
"Protect your password protected (serverside)applications against bruteforce attacks"
a to z - 26 options per digit
A to Z - 26 options per digit
0 to 9 - 10 options per digit
all chars - 256 options per digit
if you force a user to make his/her password 5 digits long and you only allow a to z chars, there are 26^5 = 11881376 possible passwords for the user to pick
if you force a user to make his/her password 5 digits long and you only allow a to z and 0 to 9, there are 36^5 = 2821109907456 possible passwords for the user to pick
if you force a user to make his/her password 8 digits long and you only allow a to z and 0 to 9, there are 36^8 = 18446744073709551616 possible passwords for the user to pick
if you let a user pick a password from 1 to 5 digits long and you only allow a to z chars, there are 26^1+26^2+26^3+26^4+26^5 = 12356630 possible passwords for the user to pick
if you force a user to make his/her password 5 digits long and you only allow a to z chars and you delay for 1 second after every logon it will take a cracker ((26^5)/60)/60 = 3301 hours to try every possible password.
if you force a user to make his/her password 5 digits long and you only allow a to z chars and you delay for 1 second after every logon and force the user to change his password every 1649 hours a cracker will have a chance of (1/(((26^5)/60/60)/1649))*100% = (1/2)*100% = 50% that he cracks it within 3301 hours.
Another good working password rule is:
disable user account after 10 false logons
But this one will give you some work if you are being bruteforced, cuz you have to enable the account again
Greatingz Jacco
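Added here as an example (not jacco's own code): these helpers recompute the post's figures from its stated inputs (alphabet size, length range, the 1-second logon delay, the 1649-hour rotation period and the 10-attempt lockout) so a policy can be evaluated before it is adopted. The uniform-random assumption is stated in the comments; real users choose non-uniformly, so these numbers are upper bounds on attacker effort.

```python
def keyspace(alphabet_size, min_len, max_len):
    """Number of distinct passwords of length min_len..max_len over an
    alphabet of alphabet_size characters (the post's 26, 36 and 256 cases)."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(space, seconds_per_guess):
    """Hours an online guesser needs to try the whole keyspace when every
    attempt costs seconds_per_guess (the post's 1-second logon delay)."""
    return space * seconds_per_guess / 3600.0


def crack_probability(space, seconds_per_guess, rotation_hours):
    """Chance that a uniformly chosen password is guessed before it is
    rotated, assuming one sequential guess per seconds_per_guess; capped at 1."""
    guesses = rotation_hours * 3600.0 / seconds_per_guess
    return min(1.0, guesses / space)


def rotation_for_target(space, seconds_per_guess, target_probability):
    """Rotation period (hours) at which the guessing chance reaches
    target_probability; the post's 50% case for 26^5 comes out here."""
    return target_probability * space * seconds_per_guess / 3600.0


def lockout_probability(space, max_attempts):
    """Chance of a blind online guess succeeding before the account is
    disabled after max_attempts failures (the post's 10-strike rule)."""
    return min(1.0, max_attempts / float(space))


if __name__ == "__main__":
    # Scenarios from the post, recomputed rather than copied.
    for label, size, lo, hi in (("a-z, 5 chars", 26, 5, 5),
                                ("a-z0-9, 5 chars", 36, 5, 5),
                                ("a-z0-9, 8 chars", 36, 8, 8),
                                ("a-z, 1-5 chars", 26, 1, 5)):
        space = keyspace(size, lo, hi)
        print("%-18s %16d passwords, %12.0f h to exhaust at 1 guess/s" %
              (label, space, hours_to_exhaust(space, 1.0)))
    s = keyspace(26, 5, 5)
    print("50%% after %.0f h of rotation; %.2e with a 10-attempt lockout" %
          (rotation_for_target(s, 1.0, 0.5), lockout_probability(s, 10)))
```

The lockout figure shows why the post calls the 10-strike rule strong but operationally costly: it reduces a blind online guess to well under one in a million, at the price of letting anyone lock the account.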