Re: Secure password explanation?

Subject: Re: Secure password explanation?
From: jimmy -at- breck-mckye -dot- com
To: <techwr-l -at- lists -dot- techwr-l -dot- com>
Date: Mon, 18 Jun 2012 17:57:53 +0100

Firstly, someone's inevitably going to post this link, so let's get it out of the way: http://xkcd.com/936/

Secondly: there isn't any advantage as far as I can see. Ridiculous password rules encourage security-naive behaviours like writing passwords down, or iterating through allowed variants on a single password. And because double-characters are banned, it's also easier for an attacker to brute-force reverse a set of stolen hashes (you ARE storing passwords as salted hashes, right?).

On 2012-06-18 17:04, McLauchlan, Kevin wrote:

Certain database apps from a certain big company (no names, but its
initial is O), that I sometimes need to use, set a bunch of rather
stringent conditions on new passwords, including a ban on double
characters - so no words with double vowels or double consonants, and
no repeated digits or punctuation. It's a real pain, given that the
apps also force password changes every 60 days.

This is actually more severe than the password best practice that I
currently recommend in my customer docs (we're a cryptographic
hardware and software company...).

Naturally, I'd like to keep up with the times and with valid security
procedures. But I just haven't been able to discover what security
advantage is conferred by avoiding double letters, double numbers, or
double punctuation. Does anybody know?

When I suggest a practice or restriction, I like to be able to back
it up with a quick explanation, so it doesn't look totally arbitrary.
I've drawn a blank trying to imagine what advantage an attacker gains
if a (say) 20-character password were to include a pair of identical
characters. Yes, it's true that the subset of all words having two
identical characters side-by-side is smaller than the set of all
words, but there's no way to know that it's a word, and if it is,
where it starts or ends within the string. It could as easily be the
last character in one random word followed by the first character in
another random word. It could be the letters that result from taking
the first letter of each word in a phrase. It could be a pair of
numbers in a larger number.

For that matter, forcing a no-doubles rule actually shrinks the
available string space and makes it non-random. Most crypto apps want
greater entropy in seeds and inputs, not less.

A casual query to a security architect garnered a head-scratch and a
reply of "You've got me there...".

Someone else - of a cynical mind - suggested that the O requirement
was "probably just optics" ... trying to impress the uninformed with a
bogus stringency that conveyed no actual advantage in security.

Anybody?

-k




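To put a number on the keyspace argument in the quoted message (a no-doubles rule shrinks the available string space), here is an added example, not code from either poster: it counts the strings of a given length with and without adjacent repeated characters and converts the ratio to bits. The 94-symbol printable-ASCII alphabet and the sample passwords are assumptions of the example.

```python
import math

# Assumption of this example: a 94-symbol alphabet (printable ASCII
# letters, digits and punctuation), not a figure from the thread.
PRINTABLE = 94


def total_strings(alphabet: int, length: int) -> int:
    """All strings of the given length over the alphabet: alphabet ** length."""
    return alphabet ** length


def no_double_strings(alphabet: int, length: int) -> int:
    """Strings with no two identical adjacent characters.

    The first position is free (alphabet choices); every later position
    may be anything except the character immediately before it, so it has
    alphabet - 1 choices.
    """
    if length == 0:
        return 1
    return alphabet * (alphabet - 1) ** (length - 1)


def entropy_loss_bits(alphabet: int, length: int) -> float:
    """Bits of keyspace an attacker no longer has to search once the
    no-doubles rule is public knowledge: log2(total / allowed)."""
    return math.log2(total_strings(alphabet, length) / no_double_strings(alphabet, length))


def has_adjacent_double(password: str) -> bool:
    """The policy check the quoted message complains about: reject any
    password containing the same character twice in a row."""
    return any(a == b for a, b in zip(password, password[1:]))


def main() -> None:
    for n in (8, 12, 20):
        full = n * math.log2(PRINTABLE)
        lost = entropy_loss_bits(PRINTABLE, n)
        print(f"length {n:2d}: rule removes {lost:.3f} of {full:.1f} bits")
    # Constructed sample passwords, only to exercise the check.
    for pw in ("correcthorsebattery", "Tr0ub4dor&3"):
        print(pw, "rejected" if has_adjacent_double(pw) else "accepted")


if __name__ == "__main__":
    main()
```

For a 20-character password over 94 symbols the rule removes under 0.3 bits, so the keyspace shrinkage the quoted message worries about is real but tiny.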



^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Create and publish documentation through multiple channels with
Doc-To-Help. Choose your authoring formats and get any output you may
need.

Try Doc-To-Help, now with MS SharePoint integration, free for 30-days.

http://bit.ly/doc-to-help

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You are currently subscribed to TECHWR-L as jimmy -at- breck-mckye -dot- com -dot-
To unsubscribe send a blank email to
techwr-l-leave -at- lists -dot- techwr-l -dot- com


Send administrative questions to admin -at- techwr-l -dot- com -dot- Visit
http://www.techwhirl.com/email-discussion-groups/ for more resources
and info.

Looking for articles on Technical Communications? Head over to our
online magazine at http://techwhirl.com

Looking for the archived Techwr-l email discussions? Search our
public email archives @ http://techwr-l.com/archives



References:
Secure password explanation?: From: McLauchlan, Kevin
