The Internet Encyclopedia (Volume 3)

WL040C-01 WL040/Bidgoli-Vol III-Ch-01 June 24, 2003 10:39 Char Count= 0


10 PASSWORDS

Table 2  Password Cracking Times

Number of   Number of Possible         Time to       Number of Possible         Time to
Chars in    Combinations of 95         Crack         Combinations of All        Crack
Password    Printable ASCII Chars      (in hours)a   256 ASCII Chars            (in hours)a
---------   -------------------------  ------------  -------------------------  ------------
0           1                          0.0           1                          0.0
1           95                         0.0           256                        0.0
2           9025                       0.0           65536                      0.0
3           857375                     0.0           16777216                   0.0
4           81450625                   0.0           4294967296                 0.0
5           7737809375                 0.0           1099511627776              0.3
6           735091890625               0.2           281474976710656            78.2
7           69833729609375             19.4          72057594037927900          20016.0
8           6634204312890620           1842.8        18446744073709600000       5124095.6
9           6.E+17                     2.E+05        5.E+21                     1.E+09
10          6.E+19                     2.E+07        1.E+24                     3.E+11
11          6.E+21                     2.E+09        3.E+26                     9.E+13
12          5.E+23                     2.E+11        8.E+28                     2.E+16
13          5.E+25                     1.E+13        2.E+31                     6.E+18
14          5.E+27                     1.E+15        5.E+33                     1.E+21
15          5.E+29                     1.E+17        1.E+36                     4.E+23
16          4.E+31                     1.E+19        3.E+38                     9.E+25

a Assumes 1 billion hash & check operations/second.
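As an added worked example (not part of the chapter), the Python below reproduces Table 2 from the chapter's two stated parameters (alphabet size and 1 billion hash-and-check operations per second) and then inverts the calculation to give the password length needed to resist a search of a given duration; the faster 10^12 guesses/second attacker used for comparison is an assumed figure, not one from the chapter.

```python
"""Reproduce Table 2 (password cracking times).

A password of n characters drawn from an alphabet of s symbols has s**n
possible values; an attacker able to hash-and-check RATE guesses per second
needs at most s**n / RATE seconds to try them all (the table shows this
worst case; the average is half of it).
"""

RATE = 1_000_000_000        # 1 billion hash & check operations/second (footnote a)
PRINTABLE_ASCII = 95        # printable ASCII characters (table column 2)
ALL_ASCII = 256             # every 8-bit byte value (table column 4)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def crack_hours(alphabet_size: int, length: int, rate: int = RATE) -> float:
    """Worst-case hours for an exhaustive search of the keyspace."""
    return keyspace(alphabet_size, length) / rate / 3600


def min_length(alphabet_size: int, hours: float, rate: int = RATE) -> int:
    """Smallest length whose exhaustive search takes at least `hours`."""
    n = 0
    while crack_hours(alphabet_size, n, rate) < hours:
        n += 1
    return n


def table_row(length: int) -> tuple:
    """One row of Table 2: length, combos(95), hours(95), combos(256), hours(256)."""
    return (length,
            keyspace(PRINTABLE_ASCII, length), crack_hours(PRINTABLE_ASCII, length),
            keyspace(ALL_ASCII, length), crack_hours(ALL_ASCII, length))


if __name__ == "__main__":
    print(f"{'len':>3} {'combos (95)':>12} {'hours':>10} {'combos (256)':>13} {'hours':>10}")
    for n in range(17):
        _, c95, h95, c256, h256 = table_row(n)
        print(f"{n:>3} {c95:>12.3g} {h95:>10.1f} {c256:>13.3g} {h256:>10.1f}")
    # Assumed comparison: an attacker 1,000 times faster than footnote a.
    year = 24 * 365
    print("length to survive a one-year search (95-char alphabet):",
          min_length(PRINTABLE_ASCII, year), "at 1e9/s,",
          min_length(PRINTABLE_ASCII, year, RATE * 1000), "at 1e12/s")
```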

is one of several applications that rely on graphical images for the purpose of authentication. Another company, Passlogix, has a system in which users can mix drinks in a virtual saloon or concoct chemical compounds using an onscreen periodic table of elements as a way to log onto computer networks.

AN ARGUMENT FOR SIMPLIFIED PASSWORDS
Employing all of the guidelines for a strong password (length, mix of upper and lower case, numbers, punctuation, no dictionary words, no personal information, etc.) as outlined in this chapter may not be necessary after all. This is because, according to security expert and TruSecure Chief Technology Officer Peter Tippett, statistics show that strong password policies only work for smaller organizations (Tippett, 2001). Suppose a 1,000-user organization has implemented such a strong password policy. On average, only half of the users will actually use passwords that satisfy the policy. Perhaps if the organization frequently reminds its users of the policy, and implements special software that will not allow users to have “weak” passwords, this figure can be raised to 90%. It is rare that such software can be deployed on all devices that use passwords for authentication; thus there are always some loopholes. Even with 90% compliance, this still leaves 100 easily guessed user ID/password pairs. Is 100 better than 500? No, because either way, an attacker can gain access. When it comes to strong passwords, anything less than 100% compliance allows an attacker entrée to the system.
Second, with modern processing power, even strong passwords are no match for current password crackers. The combination of 2.5-gigahertz clock speed desktop computers and constantly improving hash dictionaries and algorithms means that, even if 100% of the 1,000 users had passwords that met the policy, a password cracker might still be able to defeat them. Although some user ID/password pairs may take days or weeks to crack, approximately 150 of the 1,000, or 15%, can usually be brute-forced in a few hours.
In addition, strong passwords are expensive to maintain. Organizations spend a great deal of money supporting strong passwords. One of the highest costs of maintaining IT help desks is related to resetting forgotten user passwords. Typically, the stronger the password (i.e., the more random), the harder it is to remember. The harder it is to remember, the more help desk calls result. Help desk calls require staffing, and staffing costs money. According to estimates from such technology analysts as the Gartner Group and MetaGroup, the cost to businesses for resetting passwords is between $50 and $300 per computer user each year (Salkever, 2001).
So, for most organizations, the following might be a better idea than implementing a strong password policy: Simply recognize that 95% of users could use simple (but not basic) passwords—that is, good enough to keep a casual attacker (not a sophisticated password cracker) from guessing them within five attempts while sitting at a keyboard. This could be four or five characters (no names or initials), and changed perhaps once a year. In practical terms, this type of password is equivalent to the current “strong” passwords. The benefit is that it is much easier and cheaper to maintain.
Under this scenario, a system could still reserve stronger passwords for the 5% of system administrators who wield extensive control over many accounts or devices. In addition, a system should make the password file very difficult to steal. Security administrators should