| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Jul 2006 20:27:33 -0400 From: "Roger A. Grimes" <roger@...neretcs.com> To: <michaelslists@...il.com> Cc: <bugtraq@...urityfocus.com> Subject: RE: $100 plus several of my books if you can crack my Windows password hashes. I'm saying if faced with increasing the strength of my passwords, I value length over complexity. Case in point, a large city I consult for said they are moving their passwords from 5 character minimum to 8 characters and complex. (yeah, I had to stop coughing too...but 5 character minimums aren't that rare in very large environments). I argued all day long that they should go to 12+ characters and forget the complexity. Mathematically and practically, I know I'm right, but the world is all about complexity and less about length despite overwhelming evidence to the contrary that length is better overall. For instance, I was creating a login account for my stock holdings today, and password requirements were six character minimum with 3 of 4 types of character complexity (normal for most complexity requirements). So even though my passphrase of idratherbetakingpicturesofsharks is much harder to crack, it will not be allowed. I have to choose a weaker, harder to remember, password to meet their password complexity requirements...and to tell you the truth, I'm sick of it. So, I'm making my wake up call. Do the math, do the cracking, length is a better defender than complexity. Even when people are required to go complex, their complexity is pathetically predictable (32 characters cover 80% of all users), defeating the whole purpose for the complexity, no many how many characters can be used. So require increased length instead, forget complexity, and enjoy stronger protection. Then all you have to do is convince your users not to give away their password to a complete stranger for a $2 chocolate bar. -----Original Message----- From: mikeiscool [mailto:michaelslists@...il.com] Sent: Tuesday, July 18, 2006 8:04 PM To: Roger A. Grimes Cc: bugtraq@...urityfocus.com Subject: Re: $100 plus several of my books if you can crack my Windows password hashes. wtf? this is just spam. length vs complexity is a simple problem. mathmetically length is definately better, it increases the exponent. this doesn't mean 'forget complexity' though. -- mic On 7/18/06, Roger A. Grimes <roger@...neretcs.com> wrote: > > I've been participating in an online thread discussing password > complexity versus length. I say forget complexity and go for length. > Many others feel complexity is the way to go. So to put my money where > my mouth is, I'm sponsoring a contest: > > CHALLENGES: > Let's do a test, with three challenges: > > Challenge #1 (Complexity at 10 characters) for the first person to > email me the plaintext equivalent to the following NT hashes: > > Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04 > > Clues Normal Password Cracker Would Not Have: > 1. It's 10 characters long exactly > 2. Contains no words contained in the English dictionary, but is based > upon two words that have been "license-plated" (i.e. hybrid attack is > needed) 3. Moderate complexity, but nothing beyond alpha letters and > numbers. > > Prize for Challenge #1: > 1. Your name in my InfoWorld column > 2. A free copy of my book, Honeypots for Windows (Apress, 2005) > --- > > Challenge #2 (15 characters long, no complexity) for the first person > to email me the plaintext equivalent to: > > Harder Challenge: 7B1FC86A9CD8955963E3930C42F4226F > > Clues Normal Password Cracker Would Not Have: > 1. It's exactly fifteen characters long 2. Contains one or more words > contained in the English dictionary 3. > Absolutely no complexity. > > Prize for Challenge #2 for the first person to email me the plaintext > equivalent 1. Your name in my InfoWorld column 2. A free copy of my > latest book, Professional Windows Desktop and Server Hardening (WROX, > 2006) > --- > > Challenge #3 (15 characters or longer, some complexity) for the first > person to email me the plaintext equivalent to: > Hardest Challenge: 4475BCB3B66320BF289D5475C7016A81 > > Clues Normal Password Cracker Would Not Have: > 1. It's fifteen characters or longer > 2. Contains one or more words contained in the English dictionary 3. > Some minor complexity. > > Prize for Challenge #3 for the first person to email me the plaintext > equivalent 1. Your name in my InfoWorld column 2. $100 out of my > pocket (my wife is going to love me) 3. A free copy of my latest book, > Professional Windows Desktop and Server Hardening (WROX, > 2006) > 4. A free copy of my next sole author book, Windows Vista Security: > Preventing Malicious Attacks (Wiley, 2007), when it comes out. > (or you can substitute any of these books for my latest co-author > book, MCSE Core Electives in a Nutshell (O'Reilly, late 2006) when it > comes out. > > ------ > Rules: > 1. I solely determine winners and all rules 2. You can only claim one > challenge prize. Send me the passwords if you break them, but if you > win both challenges #1 and #2, I'll give you all the prizes listed in > #2, but I'll give prizes in #1 to the next closest winner. > > All password hashes can easily be cracked with the right tool and > dictionary. I expect the first challenge to be cracked first. I > suspect all three can be cracked. In the real world, the attacker > would not be given the clues I have given. But I want readers to > understand how hard this would be to do even if you had all the clues > a real cracker would need to begin the attack. > > This is proof of concept of password length over complexity. If > someone breaks Challenges #2 or #3 before #1, I'll know I'm wrong. > > Have fun and enjoy. > > Roger > > ******************************************************************* > *Roger A. Grimes, Banneret Computer Security, Consultant *CPA, CISSP, > MCSE: Security (2000/2003/MVP), CEH, yada...yada... > *email: roger@...neretcs.com > *Author of Professional Windows Desktop and Server Hardening (Wrox) > *http://www.amazon.com/gp/product/0764599909 > ******************************************************************* > >
Powered by blists - more mailing lists