
Re: See what a weak password will get ya?



on Thu, Jul 22, 2004 at 07:24:01PM -0700, Scarletdown (gsutton9503@wavecable.com) wrote:
> Paul Stolp wrote:
> >I checked in on some bittorrent progress today at lunch, noticed my
> >I'm not sure the July 19 log snippet is related, but seems likely.
> >Anyways, I've re-downloaded the files the attacker used and removed (for
> >posterity.)
> >I changed all passwords, IP Address, I found the evidence at about
> >12:24.
> >Just wanted to share the need for strong passwords.
> 
> I second that recommendation.  I always prefer to have passwords with 
> the following features:
> 
> Minimum of 8 characters
> At least 1 capital letter
> At least 1 lower case letter
> At least 1 number
> At least 1 special character
> 
> An example of a good password (though since I'm posting it here, it can 
> no longer be considered good) is:
> 
> P@s$w0rD

My own preference is the 'pwgen' and 'gpw' utilities included in Debian,
combined with either the PalmOS "Keyring" utility or the vim "editing
encrypted files transparently" hack documented at:

    http://twiki.iwethey.org/Main/IwtNix


Sample pwgen output:

    Eive3viequ oos5eigooV aeR0ahwein ooNigh1oos Jui6hailel oMaex1ohve
    xah8shoJai Ahnaotach9 Paiphie9ph pah8ahcaeG Uapahph6ik taiYolu4os
    aiHahp7jae usheXeec7a Ucei9joong Eteefa6aeg Eethohqu2i neiBaeg4ai
    Eiri7eagee Pahceibie8 Yeg0iediev eigiji6Gie Ouduo7pahs ya1weuNapo

And for gpw:

    ulingain atailsel stedamen misavisi gasseder uarscroc rismener
    rectivac icadoura ishoonce

What may not be immediately apparent is that the generated passwords are
pronounceable in a rough sort of a way.  The generation algorithms are
tunable to greater randomness or mnemonic qualities.  It's possible to
test quality by generating a known number of passwords, sorting and
generating a uniq list, and counting the resulting lines.  My findings
are that even the relatively mnemonic lists are of very high quality.
Best tests are on 1m or more passwords, but for a relatively short run of
100,000:

    $ time gpw 100000 10 | sort | uniq | wc -l
    99952

    real    0m9.968s
    user    0m9.730s
    sys     0m0.050s

    $ time pwgen 10 100000 | sort | uniq | wc -l
    99960

    real    1m1.252s
    user    0m13.550s
    sys     0m45.360s


That's 99.952% and 99.960% uniq, respectively, default settings,
ten-character keys.

The observant reader will note that the length and count arguments are
reversed for these utilities....  Remember this as you use them.


For an adult user population, I find that these keys are usually pretty
acceptable.

Working with children, I'm using longer keys by combining a set of
things.  Favorites is a good one, and typical keys run 10-15 characters.
Cryptanalysts will tell you that sticking to dictionary words reduces
the search space markedly, but in balance, it's a good compromise.  With
a user-base extending into the hundreds, only a handful of the youngest
routinely have problems logging in, and I know the keys are not likely
used elsewhere.

Druthers?  I'd echo Greg Folkert's recommendations for key-based
authentication, and use a fob-based password generator plus a PIN.
Something randomly generated, something you have, something you know.
Playing percentages, that's a pretty decent system.

Biometrics?  The shortage of replacement keys, and perverse incentives
to key acquisition (and resultant discomfort) makes me *exceptionally*
wary.  Color me dubious (and leave me my digits and irises).



Peace.

-- 
Karsten M. Self <karsten@linuxmafia.com>        http://linuxmafia.com/~karsten
    Ceterum censeo, Caldera delenda est.
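
[Added example, not part of Karsten's post or of the pwgen/gpw packages.]
The "sort | uniq | wc -l" test above can be pushed one step further.  If
a generator draws roughly uniformly from N possible strings, then among
n draws the expected number of repeats is about n(n-1)/(2N) (the birthday
bound, good while n is much smaller than N).  So the repeat count does
not just give a uniqueness percentage; it lets you solve for N, the size
of the space an attacker actually has to search.  The script below wraps
the same pipeline and does that arithmetic.  Applied to the figures
quoted in the post (48 and 40 repeats in 100,000 draws), it comes out at
roughly 2^27 effective strings for ten-character default output of both
tools.  The function names, and the fact that the keyspace estimate
assumes near-uniform output, are this example's own; with zero repeats
the estimate is only a lower bound.

```sh
#!/bin/sh
# Added example (not from the original post): measure the uniqueness of a
# password generator's output and convert the repeat count into a rough
# estimate of the generator's effective keyspace, in bits.
#
# Model (assumption): the generator picks near-uniformly from N strings.
# Expected repeats among n draws ~= n*(n-1)/(2*N), so N ~= n*(n-1)/(2*d)
# where d = n - (number of unique lines).  With d = 0 we can only say
# N > n*(n-1)/2, reported with a leading ">".

# Count unique lines on stdin: the same pipeline as "gen | sort | uniq | wc -l".
count_unique() {
    sort | uniq | wc -l | tr -d ' '
}

# keyspace_bits <draws n> <unique count u>  ->  log2 of the estimated keyspace
keyspace_bits() {
    n=$1
    u=$2
    awk -v n="$n" -v u="$u" 'BEGIN {
        d = n - u
        pairs = n * (n - 1) / 2
        if (d <= 0) {
            # No repeats seen: only a lower bound on the keyspace.
            printf ">%.1f\n", log(pairs) / log(2)
            exit
        }
        N = pairs / d
        printf "%.1f\n", log(N) / log(2)
    }'
}

# measure '<generator command>' <draws n>
# Runs the generator, counts unique lines, prints the keyspace estimate.
# Example generators: 'gpw 100000 10'  or  'pwgen 10 100000'  (note the
# reversed argument order between the two tools, as the post points out).
measure() {
    gen=$1
    n=$2
    u=$(eval "$gen" | count_unique)
    printf '%s: %s of %s unique, ~%s bits effective keyspace\n' \
        "$gen" "$u" "$n" "$(keyspace_bits "$n" "$u")"
}

# The post's own figures, reinterpreted (no generator needed to run these):
keyspace_bits 100000 99952    # gpw 100000 10   -> 26.6
keyspace_bits 100000 99960    # pwgen 10 100000 -> 26.9
```

Usage with a real generator is "measure 'gpw 100000 10' 100000"; the
string is passed to eval, so only hand it commands you typed yourself.
The number it reports is collision entropy, which is what matters to an
attacker guessing in order of likelihood; it can only be lower than the
Shannon entropy of the generator, never higher, and it says nothing about
how a password was stored or how fast it can be tested.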


