Re: Re[2]: password aging
Aleph One (aleph1@dfw.net)
Wed, 2 Sep 1998 10:38:10 -0500 (CDT)
- Next message: Firewalls: "New one: Securing an HTTP server"
- Previous message: Adam Shostack: "Re: Reverse Proxying of FTP?"
- In reply to: Firewalls: "Reverse Proxying of FTP?"
- Next in thread: Ryan Russell: "Re: Re[2]: password aging"
On Wed, 2 Sep 1998 Steve.Bleazard@wdr.com wrote:
> One alternative to password aging is to force everyone to use a
> password generator. FIPS181 from the US government describes (and
> implements) such a generator. I have found the FIPS181 algorithm
> generates good pronounceable passwords. They are also far less
> susceptible to social engineering.
>
> Using password generators has many problems in itself, not least of
> which is the tendency for people to write the password down. However,
> if security demands good password aging and system wide password
> re-use detection, then the local policies can be enforced to deal with
> this and a generator is a viable alternative.
This reminds me of this little blurb that comes with the Crack programs.
From doc/fips181.txt:
Federal Information Processing Standard 181 defines a standard for an
automated password generator to be used in "all federal departments
and agencies where there is a requirement for computer generated
pronounceable passwords"... for passwords of between 5 and 8 characters
long.
Basically it's a generator which takes a good PRNG and a bunch of
fixed syllables (composed from lowercase ascii letters) and uses the
former to drive concatenation of the latter, producing at the business
end a "pronounceable password".
Reading FIPS181 (http://csrc.ncsl.nist.gov/fips/fips181.txt) one gets
a good feel for the reduction in search space that this algorithm
provides to the password cracker.
Section 2.4 cites that the algorithm is capable of producing
"approximately 18 million 6-character" passwords; compare this with
the set of 309 million lowercase 6-character passwords, and we see
that the lack of entropy in the output has reduced the search space to
about 5% of its original size.
Interesting; from this basis we may pose the following student project:
or values of N constrained by
your resources.
3) sort/uniq, dawg and gzip this dictionary and put it up on an
Internet FTP site, posting an announcement of a new Crack dictionary
containing all possible N-character plaintext federal passwords.
4) Write an essay describing your experiences of consequent federal
investigation, backbiting and paranoia.
--
To verify the feasibility of (3), the author can confirm that the
highly redundant 2Gb dictionary of all possible 6-character lowercase
passwords (newline separated) compresses to about 7Mb under dawg/gzip.
YMMV.
As you can see, using FIPS181 is a very bad idea.
> Steve
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
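The search-space argument in the quoted fips181.txt text (about 18 million generated 6-character passwords against 26^6 uniform lowercase strings) generalises to any generator that concatenates fixed syllables, and the reduction can be measured before such a generator is adopted. The following Python script is an added example and is not part of the thread or of the Crack distribution; its syllable table is a constructed toy set, not the FIPS 181 syllable rules, and the 18 million figure is taken from the quoted text above. It counts the generator's reachable output space with a small dynamic program, enumerates it exactly for short lengths, and reports the fraction of the uniform space and the bits of entropy lost.

```python
"""Estimate how much a syllable-concatenation password generator shrinks
the search space compared with uniform random strings of the same length.

Added example, not from the thread.  The syllable table below is a
constructed toy set, NOT the FIPS 181 syllable rules; the 18 million
figure comes from the quoted fips181.txt text.
"""
import math
from collections import Counter

# Constructed toy syllable set: single vowels plus consonant-vowel and
# vowel-consonant pairs (105 syllables in total).
VOWELS = "aeiou"
CONSONANTS = "bdklmnprst"
TOY_SYLLABLES = tuple(VOWELS) + tuple(
    c + v for c in CONSONANTS for v in VOWELS
) + tuple(v + c for c in CONSONANTS for v in VOWELS)


def uniform_space(alphabet_size: int, length: int) -> int:
    """Number of strings of `length` characters over an alphabet."""
    return alphabet_size ** length


def count_syllable_sequences(syllables, length: int) -> int:
    """Count ordered syllable sequences whose lengths sum to `length`
    (dynamic programming over prefix length).  This is an upper bound on
    the number of distinct passwords, because two different sequences can
    spell the same string."""
    by_len = Counter(len(s) for s in syllables)
    ways = [0] * (length + 1)
    ways[0] = 1
    for n in range(1, length + 1):
        ways[n] = sum(cnt * ways[n - l] for l, cnt in by_len.items() if l <= n)
    return ways[length]


def distinct_passwords(syllables, length: int) -> set:
    """Enumerate the distinct strings of exactly `length` characters the
    generator can emit (exact, but exponential; keep `length` small)."""
    found = set()

    def extend(prefix: str) -> None:
        if len(prefix) == length:
            found.add(prefix)
            return
        for syl in syllables:
            if len(prefix) + len(syl) <= length:
                extend(prefix + syl)

    extend("")
    return found


def compare(generator_space: int, alphabet_size: int, length: int) -> dict:
    """Express a generator's output space as a fraction of the uniform
    space and as bits of entropy lost relative to it."""
    uniform = uniform_space(alphabet_size, length)
    return {
        "uniform": uniform,
        "generator": generator_space,
        "fraction": generator_space / uniform,
        "bits_lost": math.log2(uniform) - math.log2(generator_space),
    }


if __name__ == "__main__":
    # Figures quoted in the thread: ~18 million 6-character FIPS 181
    # passwords versus 26^6 lowercase strings.
    fips = compare(18_000_000, 26, 6)
    print(f"FIPS 181, 6 chars: {fips['fraction']:.1%} of uniform space, "
          f"{fips['bits_lost']:.1f} bits of entropy lost")

    # The constructed toy generator: upper bound via DP at length 6, and an
    # exact count at length 4 where enumeration is cheap.
    toy6 = count_syllable_sequences(TOY_SYLLABLES, 6)
    toy = compare(toy6, 26, 6)
    print(f"toy generator, 6 chars: at most {toy6} outputs "
          f"({toy['fraction']:.1%} of uniform, at least "
          f"{toy['bits_lost']:.1f} bits lost)")
    exact4 = len(distinct_passwords(TOY_SYLLABLES, 4))
    print(f"toy generator, 4 chars: {exact4} distinct strings "
          f"vs {uniform_space(26, 4)} uniform")
```

The dynamic program gives an upper bound on the reachable space, so the entropy loss it reports is a lower bound; the exact enumeration shows that the true space is smaller still, since distinct syllable sequences can collide on the same string. Either figure is what an auditor would want before comparing a generator against the "5 to 8 character" policy the standard was written for.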
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:46 CDT