BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] password strength

Subject: [Discuss] password strength
From: blu at nedharvey.com (Edward Ned Harvey (blu))
Date: Mon, 29 Jul 2013 12:31:04 +0000
In-reply-to: <51F5E482.6010305@gmail.com>
References: <51F5E482.6010305@gmail.com>

There are two use cases for passwords: online and offline.

Some online services are dumb. I'm going to skip over them and talk for a second about online services with strong policies - no more than 5 failed attempts in 5 minutes, resulting in lockout for repetitive durations of 10 minutes thereafter. The weakness here is the DoS attack, but on Active Directory and Exchange, my experience has been that they identify the source of the attack and don't deny service to the legitimate clients. There are lots of techniques that go into making that all work correctly, but the point is, it can be done, and it's well and thoroughly vetted and standardized. Shrink wrapped and productized.

If you have a good online service, then fairly weak passwords are good enough. By rate-limiting attacks to 1 per minute, a 25 bit password can withstand 30 years of attack with 50% success, and it will take 60 years before a guaranteed breach. Attacking for 6 months will have less than 1% breach. Admins can scale these numbers linearly by adjusting the lockout period. But it's very difficult to get users to use more entropy in their passwords.

Offline attacks are much tougher to defend, because you have no way of rate limiting the attacker. Your only defense is to stretch a LOT, and combine with really strong passwords. In KeePass, the 1 second stretch involves 10million iterations of SHA256 on a typical PC. If your only defense is a 1 second stretch per CPU core, then you need 35 bit password to keep 60 month attack success below 1% with a 16 core system. To me, that's not nearly good enough. I want the probability of breaching my offline password safe to be on-par with ligntning strike. 1 in a million or so, over 6 months. This requires 48 bits.

48 bits is reasonable to memorize, but not reasonable to demand somebody else to memorize. For example:

worse-attention-flat-madden (4 words, 44 bits effective entropy)
75EF4A4990 (10 hex chars, 40 bits effective entropy)
QgqAqLpu8y (10 non-ambiguous chars, 58 bits effective entropy)
6201859243 (10 numeric chars, 33 bits effective entropy)
WgX7jRCqrh (10 alphanumeric chars, 59 bits effective entropy)
kgu-150-KQJ-hnb (9 alpha, 3 numeric, 52 bits effective entropy)

Follow-Ups:
- [Discuss] password strength
  - From: kentborg at borg.org (Kent Borg)

References:
- [Discuss] password strength
  - From: tmetro+blu at gmail.com (Tom Metro)

Prev by Date: [Discuss] Are there any SSL certificate authorities that don't cost a king's ransom?
Next by Date: [Discuss] Are there any SSL certificate authorities that don't cost a king's ransom?
Previous by thread: [Discuss] password strength
Next by thread: [Discuss] password strength
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org