Password policies
Ari Elias-Bachrach, Defensium LLC, http://www.defensium.com
[email protected], @angelofsecurity
November 2012
Measuring Password Complexity
This talk discusses the problems with our current methods of measuring password strength and proposes alternatives.
• What’s wrong with password complexity?
• A better alternative
• What this can give us
P@ssw0rd!
We usually calculate password complexity based on the total number of possible passwords.
• 4 digits (e.g. 1 2 3 4)
• 10 possibilities for each digit (0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
10^4 = 10,000 possible passwords
We usually calculate password complexity based on the total number of possible passwords.
• 6 characters (e.g. A 1 2 3 4 B)
• 36 possibilities for each character (0-9, A-Z)
36^6 ≈ 2.2 × 10^9 possible passwords
We usually calculate password complexity based on the total number of possible passwords (36^6 ≈ 2.2 × 10^9), and turn that into a time:
• Assume X attempts per minute
• Calculate the expected time to check all passwords
• Mean time to find a single password
• Time to exhaust the entire space
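The keyspace arithmetic the slides describe, written out as an added example (not code from the talk). The function names, the attempts-per-minute figure and the "uniform guess" helper are my assumptions; the helper is there to show the hidden assumption this model makes, namely that every password in the space is equally likely, which is the assumption the rest of the talk attacks.

```python
"""Keyspace-based password strength, the way it is usually calculated.

Added example, not from the slides. Computes the number of possible
passwords for an alphabet size and length, then turns it into an expected
cracking time at an assumed guess rate.
"""
from dataclasses import dataclass


def keyspace(alphabet_size: int, length: int) -> int:
    """Total number of distinct passwords of exactly `length` symbols.

    4 digits from 0-9  -> 10**4 = 10,000
    6 chars from 0-9A-Z -> 36**6 = 2,176,782,336 (about 2.2e9)
    """
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Passwords of any length between min_len and max_len inclusive.

    Policies normally set a minimum, not an exact length, so the real space
    is the sum over every permitted length.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


@dataclass
class ExhaustEstimate:
    space: int
    mean_seconds: float   # expected time to hit one uniformly random password
    worst_seconds: float  # time to try every password in the space


def exhaust_time(space: int, attempts_per_minute: float) -> ExhaustEstimate:
    """Time to exhaust the space at an assumed rate (the 'X attempts per minute')."""
    per_second = attempts_per_minute / 60.0
    worst = space / per_second
    # If the target were chosen uniformly at random, half the space is
    # searched on average before it is found. This is the assumption the
    # talk shows to be false for human-chosen passwords.
    return ExhaustEstimate(space, worst / 2.0, worst)


def uniform_guess_probability(space: int, guesses: int) -> float:
    """Fraction of accounts a `guesses`-long attack covers IF every password
    in the space were equally likely: 10 guesses against 10,000 PINs = 0.001."""
    return guesses / space


if __name__ == "__main__":
    # Assumed rate for illustration: 600 online attempts per minute.
    pin = exhaust_time(keyspace(10, 4), 600)
    print(f"4-digit PIN: {pin.space} codes, mean {pin.mean_seconds:.0f}s, worst {pin.worst_seconds:.0f}s")
    alnum = exhaust_time(keyspace(36, 6), 600)
    print(f"6 alnum chars: {alnum.space} passwords, worst {alnum.worst_seconds / 86400:.0f} days")
    print(f"10 guesses cover {uniform_guess_probability(10000, 10):.1%} of a uniform PIN space")
```

The `uniform_guess_probability` figure (0.1% for ten guesses against four-digit PINs) is the number the model predicts; the talk's point is that the observed figure is far higher because the distribution of chosen passwords is nothing like uniform.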
This only works if people are computers. Note: people are not computers.
[Figure: counts of observed passwords. Labels: Password, Letmein, Voldemort, 5ga9n2kfb, b29cmna0, 9h8g2bgun, Password, Password. Axis: # of occurrences]
Human nature defeats complexity
[Figure: # of occurrences vs. passwords, sorted by commonality. Labels: password, bdsjgganq, voldemort, password1, bdsjgganq1, voldemort1]
How wrong are our assumptions?
• 10 codes = 1/1000th of the total number of 4-digit passcodes
• The top 10 codes ≈ 15% of all passcodes in use
We need a new way of measuring complexity
[Figure: # of occurrences vs. passwords, sorted by commonality, reading off the Nth password. Labels: password, H6#a*b7Ke]
What’s needed now: analysis of password policies
[Figure: # of occurrences vs. passwords, sorted by commonality, one curve per policy: Policy 1, Policy 2, Policy 3]
What’s needed now: analysis of password policies
1. Get password dumps
2. Crack them ALL (if hashed)
3. Run them through the previous metric (occurrences, sorted by commonality)
4. Correlate with the policy that was applied
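Steps 3 and 4 of that procedure, as an added example that is not part of the talk: given already-cracked dumps, each labelled with the policy it was collected under, compute the "sorted by commonality" curve and turn it into the kind of number the talk wants, the fraction of accounts an attacker covers with the N most common passwords, and the number of guesses needed to cover a given fraction. The two dumps are constructed for illustration and the policy names are my own; the function names are assumptions.

```python
"""Empirical password-policy metric from cracked dumps.

Added example, not from the slides. The inputs are plaintext passwords
after cracking; the output compares policies by how many accounts fall
to the most common guesses, rather than by keyspace size.
"""
from collections import Counter
from typing import Dict, List, Tuple


def frequency_table(passwords: List[str]) -> List[Tuple[str, int]]:
    """Passwords sorted by commonality: (password, count), most common first."""
    return Counter(passwords).most_common()


def top_n_coverage(passwords: List[str], n: int) -> float:
    """Fraction of accounts that share one of the n most common passwords.

    This is the 'top 10 codes ≈ 15% of all passcodes' measurement from the
    slides, computed for an arbitrary dump and N.
    """
    if not passwords:
        return 0.0
    covered = sum(count for _, count in frequency_table(passwords)[:n])
    return covered / len(passwords)


def guesses_to_cover(passwords: List[str], fraction: float) -> int:
    """Smallest number of most-common guesses that covers at least `fraction`
    of the accounts in the dump (the 'Nth password' reading on the curve)."""
    table = frequency_table(passwords)
    target = fraction * len(passwords)
    covered = 0
    for rank, (_, count) in enumerate(table, start=1):
        covered += count
        if covered >= target:
            return rank
    return len(table)


def rank_policies(dumps: Dict[str, List[str]], n: int) -> List[Tuple[str, float]]:
    """Step 4: correlate the metric with the policy each dump was collected under.

    Returns (policy, top-N coverage) sorted best first, i.e. the policy whose
    users produced the fewest accounts guessable with N attempts.
    """
    return sorted(
        ((name, top_n_coverage(pws, n)) for name, pws in dumps.items()),
        key=lambda item: item[1],
    )


# Constructed sample dumps (10 cracked passwords each), labelled with the
# policy they were collected under. These are invented values, not real data.
SAMPLE_DUMPS: Dict[str, List[str]] = {
    "6 chars, 1 number and 1 letter": ["abc123"] * 5 + ["pass12"] * 3 + ["qwe123", "zxc456"],
    "8 chars, no other rule": ["password"] * 6 + ["letmein1"] * 2 + ["h6a7b9ke", "x9q2m4t1"],
}


if __name__ == "__main__":
    for policy, pws in SAMPLE_DUMPS.items():
        print(policy)
        for pw, count in frequency_table(pws):
            print(f"  {count:3d}  {pw}")
        print(f"  top-2 coverage: {top_n_coverage(pws, 2):.0%}, "
              f"guesses to cover half: {guesses_to_cover(pws, 0.5)}")
    print("Ranking by top-2 coverage (lower is better):", rank_policies(SAMPLE_DUMPS, 2))
```

The comparison only means something when each dump was really collected under the policy it is labelled with, and when the cracking in step 2 was exhaustive; an incomplete crack systematically drops the strongest passwords and makes every policy look worse than it is.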
We can actually quantify the risk of a given password policy!
What this gives us: the ability to quantify password policies.
Which is better:
• Insisting on the use of numbers
• Insisting on the use of special characters
We can actually quantify the risk of a given password policy!
What this gives us: the ability to quantify password policies.
Which is better:
• 6 characters, must use 1 number and 1 letter
• 8 characters
• Quantify the strength of a password policy
• Compare policies
• State with some confidence how many weak passwords people will generate under any given policy
In summary, a true measure of password policy complexity will allow us to make informed decisions on password policies. HUGE, when talking to business people.
Questions?
About me
Ari Elias-Bachrach, Defensium LLC, http://www.defensium.com
[email protected], @angelofsecurity