    Password Complexity, Good or bad?

    IT Discussion
    • BRRABill @Dashrender

      @Dashrender said:

      Well, the thought there is that you then force the hacker to go through the special set as well. But as Scott said, if you want to not worry about that, just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrunk the character set by the specials (which would just be stupid - but hey).

      Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.

      • scottalanmiller

        Now, if you are randomly generating passwords with no hope or attempt to remember them... then go for super long, super random, huge character set. Give it as much variation and randomness as the computations can muster. Any shared password that we use we make super long and fully random and you force it to be copy/pasted which is necessary in a shared password situation. In that case, though, we actively want to discourage memorization as well.

        • JaredBusch @scottalanmiller

          @scottalanmiller said:

          @Dashrender said:

          @larsen161
          I won't speak for JB, but for me - it's all around cost.

          But you can do that for free.

          How? How can you do 2FA for free in an office scenario?

          Something you know and something you have.

          The something you know is the password.

          The something you have is the part that costs money. It is not free.

          • Dashrender @BRRABill

            @BRRABill said:

            @Dashrender said:

            Well, the thought there is that you then force the hacker to go through the special set as well. But as Scott said, if you want to not worry about that, just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrunk the character set by the specials (which would just be stupid - but hey).

            Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.

            Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,

            • scottalanmiller @JaredBusch

              @JaredBusch said:

              The something you have is the part that costs money. It is not free.

              The thing that you have can be a file. SSH Keys + Passphrases are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories). There is no money spent in that way.

              Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.

              • scottalanmiller @Dashrender

                @Dashrender said:

                @BRRABill said:

                @Dashrender said:

                Well, the thought there is that you then force the hacker to go through the special set as well. But as Scott said, if you want to not worry about that, just use 16+ passwords and you're really fine, even if you broadcast the fact that you've shrunk the character set by the specials (which would just be stupid - but hey).

                Right, so once you have forced them to use the special set, using special characters doesn't in theory really matter.

                Sure it does - well - sorta... the belief is that users will still use alpha and special characters, making the character set at least 42 characters long, toss in upper, makes it 68 character set, toss in numbers, you're at 78,

                Or that they MIGHT use, that's all that matters. Given that set, sure, some user might go nuts and ONLY use special characters in a pretty small set - but the smaller set is only useful to a hacker that knows what the smaller set is.

                In reality, knowing a smaller set is the same as knowing the password. Think of it this way...

                You have a one char password, the hacker knows your set, the set size, by definition, can only be one char, so knowing the set and knowing the password are the exact same thing in that case.

                • scottalanmiller

                  Did that make sense?

                  Look at this....

                  AuAAu3dd7T55uA

                  How big is the set?

                  The set size is seven. Just seven.

                  AdTu357... that's the entire set.

                  • BRRABill

                    My point is that running under the assumption a hacker would need to try ALL the set (unless they KNEW what your set was) there's no difference between any of the characters.

                    Right?

                    • scottalanmiller @BRRABill

                      @BRRABill said:

                      My point is that running under the assumption a hacker would need to try ALL the set (unless they KNEW what your set was) there's no difference between any of the characters.

                      Right?

                      Correct, a hacker is stuck attempting basically the full set, all the time unless they can social engineer you down to a subset, which is possible but hard to do and requires both a social AND a technical hacking attempt.

                      • travisdh1 @BRRABill

                        @BRRABill said:

                        My point is that running under the assumption a hacker would need to try ALL the set (unless they KNEW what your set was) there's no difference between any of the characters.

                        Right?

                        Doing brute force attacks does happen, but it's almost always the last thing they would try today. For example: If you have the hashed passwords, many faster options are available. It's assumed that if you have the list of hashed passwords that you'll also know what algorithm(s) were used to create the hashes. Which allows them to create a list of hashes from known common passwords. All they have to do is compare the two lists of hashes and any matches mean that they then know the password.

                        I know many people just won't "grok" the next concept. Forcing the use of special characters (!@#$%^&*) often times makes "guessing" a password even faster than not forcing their use. For example, replacing the letter s with $. The fact that the hacker knows that use of special characters is a must, it reduces the number of possible passwords drastically, VERY drastically!

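travisdh1's point is that a leaked hash list plus knowledge of the algorithm lets an attacker hash a list of common passwords once and compare it against every account at the same time. As an added example (not code from the thread), the block below shows the storage-side property that makes that comparison work, and the per-user salt plus slow key-derivation function that removes it. The user list and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: alice and bob happened to choose the same common password.
SAMPLE_USERS = {
    "alice": "Summer2016!",
    "bob": "Summer2016!",
    "carol": "correct horse battery staple",
}


def hash_unsalted(password: str) -> str:
    """Fast, unsalted digest. Equal passwords give equal digests, so one
    precomputed table of common passwords matches every account at once,
    and two users sharing a password are visible as a single repeated value."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt makes a shared precomputed table useless (each account needs its
    own), and the iteration count makes every guess cost 100,000 HMACs
    instead of one. Stored as algo$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, _dk = stored.split("$")
    recomputed = hash_salted(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed, stored)


def distinct_digests(hash_fn, users: dict) -> int:
    """How many different stored values a hash function yields for the users.
    Unsalted: alice and bob collapse to one value. Salted: all three differ."""
    return len({hash_fn(pw) for pw in users.values()})


if __name__ == "__main__":
    print("unsalted distinct values:", distinct_digests(hash_unsalted, SAMPLE_USERS))
    print("salted distinct values:  ", distinct_digests(hash_salted, SAMPLE_USERS))
    record = hash_salted(SAMPLE_USERS["alice"])
    print("verify correct password:", verify_salted("Summer2016!", record))
    print("verify wrong password:  ", verify_salted("Summer2017!", record))
```

The iteration count is a tuning knob: raise it until a single verification costs a few tens of milliseconds on the server's hardware, and store it with the record (as above) so it can be increased later without invalidating existing entries.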
                        • Dashrender @scottalanmiller

                          @scottalanmiller said:

                          Did that make sense?

                          Look at this....

                          AuAAu3dd7T55uA

                          How big is the set?

                          The set size is seven. Just seven.

                          AdTu357... that's the entire set.

                          yeah the actual set size is 7, but for a hacker knowing only that you used upper/lower/numbers, the set size is 62

                          • scottalanmiller @Dashrender

                            @Dashrender said:

                            @scottalanmiller said:

                            Did that make sense?

                            Look at this....

                            AuAAu3dd7T55uA

                            How big is the set?

                            The set size is seven. Just seven.

                            AdTu357... that's the entire set.

                            yeah the actual set size is 7, but for a hacker knowing only that you used upper/lower/numbers, the set size is 62

                            That's my point... if the hacker knows the set size, they have you. If they don't, it's a big set. We use this weird thing of "if we only use lower case, our set size is X" but it isn't, the set size is much smaller. The full set of ANY password is really small. That's what people miss... all set sizes are small, knowing what the set size is is part of knowing the password.

                            • Dashrender

                              if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.

                              • JaredBusch @scottalanmiller

                                @scottalanmiller said:

                                The thing that you have can be a file. SSH Keys + Passphrases are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories). There is no money spent in that way.

                                How do you use SSH Keys to log into your windows desktop?

                                @scottalanmiller said:

                                Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.

                                You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?

                                • travisdh1 @Dashrender

                                  @Dashrender said:

                                  if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.

                                  Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.

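scottalanmiller's `AuAAu3dd7T55uA` example (a set of seven), Dashrender's 62-character reading of the same password, and travisdh1's claim that must-have-every-class policies reduce the number of possible passwords are all arithmetic, so here is an added example (not code from the thread) that does the arithmetic. It computes the search space under both views of a password, and counts by inclusion-exclusion how much of the full keyspace a four-class requirement actually removes. Class sizes follow Python's `string` module (26/26/10/32), which differs from the 42/68/78 counts used in the thread.

```python
import itertools
import math
import string

# Character classes as a complexity policy sees them (Python's string module sizes).
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "special": frozenset(string.punctuation),     # 32
}
ALPHABET = sum(len(c) for c in CLASSES.values())  # 94


def actual_set_size(password: str) -> int:
    """Distinct characters the password really uses: scottalanmiller's 'set'."""
    return len(set(password))


def inferred_set_size(password: str) -> int:
    """Set size an attacker must assume when all they know is which classes
    appear (Dashrender's 'upper/lower/numbers => 62')."""
    used = set(password)
    return sum(len(chars) for chars in CLASSES.values() if used & chars)


def keyspaces(password: str) -> dict:
    """Search space under both views, in bits, plus how many times larger the
    class-based space is than the space an attacker who knew the real set faces."""
    n = len(password)
    actual = actual_set_size(password) ** n
    inferred = inferred_set_size(password) ** n
    return {
        "length": n,
        "actual_set": actual_set_size(password),
        "inferred_set": inferred_set_size(password),
        "actual_bits": round(math.log2(actual), 1),
        "inferred_bits": round(math.log2(inferred), 1),
        "ratio": inferred // actual,
    }


def compliant_count(length: int,
                    required=("lower", "upper", "digit", "special")) -> int:
    """Number of strings of `length` over the 94-character alphabet containing
    at least one character from every required class. Inclusion-exclusion:
    start from all strings, subtract those missing one class, add back those
    missing two, and so on."""
    total = 0
    for k in range(len(required) + 1):
        for missing in itertools.combinations(required, k):
            remaining = ALPHABET - sum(len(CLASSES[c]) for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def policy_reduction(length: int,
                     required=("lower", "upper", "digit", "special")):
    """Fraction of the full keyspace a must-have-every-class policy leaves,
    and the same reduction expressed as bits lost."""
    fraction = compliant_count(length, required) / ALPHABET ** length
    return fraction, -math.log2(fraction)


if __name__ == "__main__":
    for pw in ("AuAAu3dd7T55uA", "password"):   # first is the thread's example
        print(pw, keyspaces(pw))
    for n in (8, 12, 16):
        frac, lost = policy_reduction(n)
        print(f"length {n}: policy keeps {frac:.1%} of the keyspace, costs {lost:.2f} bits")
```

For eight characters the four-class requirement leaves about 46% of all strings, a loss of roughly one bit; the much larger reduction travisdh1 describes comes from how people satisfy the rule (`$` for `s`, as mentioned later in the thread), which this count does not model because it treats every compliant string as equally likely.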
                                  • Dashrender @JaredBusch

                                    @JaredBusch said:

                                    @scottalanmiller said:

                                    The thing that you have can be a file. SSH Keys + Passphrases are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories). There is no money spent in that way.

                                    How do you use SSH Keys to log into your windows desktop?

                                    Scott did mention that his 2FA was all after desktop logon.

                                    @scottalanmiller said:

                                    Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.

                                    You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?

                                    Personally, I don't have an issue with this. You want to work here, you must have a device that's able to run this 2FA software. At the time of hire we can negotiate if needed around any compensation - but frankly I think those days are past. When I have employees demanding that I provide free WiFi for them so they can watch their home video camera system to watch their dog or kids get home from school - I think I can put some demands back on them...

                                    • JaredBusch @Dashrender

                                      @Dashrender said:

                                      @JaredBusch said:

                                      @scottalanmiller said:

                                      The thing that you have can be a file. SSH Keys + Passphrases are two factor and are completely free (in the same way knowing your password is free, without getting into the "nothing is free" theories). There is no money spent in that way.

                                      How do you use SSH Keys to log into your windows desktop?

                                      Scott did mention that his 2FA was all after desktop logon.

                                      @scottalanmiller said:

                                      Google Authenticator is free, based on the assumption that the devices like phones and such already exist. If you assume that users have no computers, have no phones, etc. then yes, you would need to provide something.

                                      You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?

                                      Personally, I don't have an issue with this. You want to work here, you must have a device that's able to run this 2FA software. At the time of hire we can negotiate if needed around any compensation - but frankly I think those days are past. When I have employees demanding that I provide free WiFi for them so they can watch their home video camera system to watch their dog or kids get home from school - I think I can put some demands back on them...

                                      Of course you can, but it is a cost you have to accept as a business. It is not free, ever. Period.

                                      • scottalanmiller @Dashrender

                                        @Dashrender said:

                                        if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.

                                        But how do you find that out? That's the thing. Once you are getting an arbitrary set of the possible chars why do you assume it is "all lower case" and not just the actual set? Why one ASCII set and not another?

                                        It's not how these things work. If you are getting a limited set, you already know a lot about the password.

                                        • scottalanmiller @JaredBusch

                                          @JaredBusch said:

                                          You are pushing the requirement of a smartphone onto all office users. Are you going to pay for the required use of their personal smart phone?

                                          Lots of companies do this. NTG provides phones, so yes, that's how they deal with it. But lots just require it. Should they, that's a different discussion. But do they, absolutely.

                                          • Dashrender @travisdh1

                                            @travisdh1 said:

                                            @Dashrender said:

                                            if you know the password, the whole discussion is moot. But if you know the user's password is only lower case letters, you know the set size is 26. It's only worth talking about in situations where you don't know the password.

                                            Right. Which is why I know that most password policies that require a certain amount of special characters, upper case, lower case and numbers, actually reduce the number of possible passwords in use.

                                            While it might socially reduce it, how does it actually reduce the number? By socially I mean that users will do $ocial instead of $social because they (the user) wants it to be easier to remember. But that is on the user, not the system.

                                            But you're right, like this whole thread... that adding the requirement of complexity itself moves people to make bad choices for their own simplicity... which is bad for security.

    Page 5 of 11