July 24, 2006

Does (password) size matter?

Author: Joe Barr

Does size matter? The question has arisen lately on Security-Basics, a computer security mailing list hosted by SecurityFocus.com. As usual, the question comes down to physical size or mental prowess.

Roger A. Grimes, a security columnist at InfoWorld, has posted a $100 challenge -- with extra goodies as well -- both on the mailing list and on his InfoWorld blog, to anyone who can crack one of three password challenges. Grimes' assertion is that password length alone can provide more than adequate password protection.

In Grimes' own words:

For the record, I know complexity makes a stronger password, but my assertion is that length is just as valuable (especially if complexity cannot be guaranteed, which it can't in most cases)... especially if passphrase cracking software isn't widely available (which it isn't).

This is a big deal to security-oriented folk because it provides fodder for food fights. More important, however, is that if Grimes' assertion proves correct, more people would use stronger passwords than they do today, because the passwords could be made of familiar words rather than hard-to-memorize random gibberish. The difficulty of creating and remembering passwords is probably the biggest barrier to strong password usage.

Traditional thinking has been that adding complexity -- using both upper and lowercase letters, and adding numerals as well -- is the best way to create strong passwords. The problem with complexity is that it makes passwords difficult to remember as well as difficult to crack.

Less complex passwords -- names or dictionary words -- have been discouraged because they fall to dictionary attacks, which crack them in seconds. Length changes the picture: a passphrase made of common words does not fall to a plain dictionary lookup, since no wordlist contains every phrase, and an attacker who instead tries combinations of words must search a space that grows multiplicatively with each word added. Passphrases like "theraininSpain" or "arosebyanyothername" therefore offer considerable strength through their length while remaining easy to remember.
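The trade-off between complexity and length can be put in numbers. The following is an added example, not code from the original article or from Grimes' challenge: it estimates the attacker's search space for the same passphrase under two models, a per-character brute force that knows nothing about structure, and a word-combinator attack that assumes the password is a run of dictionary words. The vocabulary size of 20,000 words and the guess rate of one billion hashes per second are assumed figures chosen for illustration, not measurements.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_charset(length, alphabet_size):
    """Entropy in bits of `length` characters drawn uniformly from an alphabet.

    This is the per-character brute-force model: the cracker treats the
    password as opaque and tries every string of the given length.
    """
    return length * math.log2(alphabet_size)


def bits_wordlist(word_count, vocabulary_size):
    """Entropy in bits of `word_count` words drawn uniformly from a vocabulary.

    This is the combinator model: the cracker assumes the password is a run
    of dictionary words and tries every sequence of `word_count` of them.
    Capitalization rules ("Spain") would add a small extra multiplier that
    is deliberately not modelled here.
    """
    return word_count * math.log2(vocabulary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate in a space of 2**bits guesses."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(passphrase, word_count, alphabet_size, vocabulary_size, rate):
    """Return both models' estimates for one passphrase as a dict."""
    charset_bits = bits_charset(len(passphrase), alphabet_size)
    word_bits = bits_wordlist(word_count, vocabulary_size)
    return {
        "length": len(passphrase),
        "charset_bits": charset_bits,
        "wordlist_bits": word_bits,
        "charset_years": years_to_exhaust(charset_bits, rate),
        "wordlist_years": years_to_exhaust(word_bits, rate),
    }


if __name__ == "__main__":
    VOCAB = 20_000     # assumed size of the attacker's word list
    RATE = 1e9         # assumed guesses per second; a hypothetical figure

    # Baseline: a 10-character random password over [A-Za-z0-9].
    base = bits_charset(10, 62)
    print(f"10 random alphanumerics: {base:.1f} bits, "
          f"{years_to_exhaust(base, RATE):.2e} years to exhaust")

    # The article's two passphrases: 4 words and 6 words respectively.
    for phrase, words, alphabet in (("theraininSpain", 4, 52),
                                    ("arosebyanyothername", 6, 26)):
        r = compare(phrase, words, alphabet, VOCAB, RATE)
        print(f"{phrase!r}: {r['charset_bits']:.1f} bits if brute-forced per "
              f"character ({r['charset_years']:.2e} years), but only "
              f"{r['wordlist_bits']:.1f} bits as {words} dictionary words "
              f"({r['wordlist_years']:.2e} years)")
```

The point the numbers make is that a passphrase is only as strong as the weaker of the two models. Four common words are a little below ten random alphanumerics once the attacker switches to a combinator attack, while six words are comfortably above it under either model, so the length argument holds, but it is the number of words, not the character count, that decides how much margin a phrase of familiar words actually has.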

The first challenge is as follows:

Challenge #1 (Complexity at 10 characters) for the first person to email
me (Grimes) the plaintext equivalent to the following NT hashes:

Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04

Clues Normal Password Cracker Would Not Have:
1. It's 10 characters long exactly
2. Contains no words contained in the English dictionary, but is based
upon two words that have been "license-plated" (i.e. hybrid attack is
3. Moderate complexity, but nothing beyond alpha letters and numbers.

So grab a copy of Cain & Abel or John the Ripper and have at it, and you may win $100. Refer to the blog entry linked above for challenges 2 and 3, and details on all the rules and prizes.
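Tools like Cain & Abel and John the Ripper do nothing more exotic than generate candidate passwords and compare their hashes with the target. The following is an added example, not code from the original article and not a solution to Grimes' challenge: it shows the mechanics in Python. An NT hash is the MD4 digest of the password encoded as UTF-16LE with no salt, and a "license-plate" hybrid attack pairs wordlist entries after swapping letters for look-alike digits, filtered here by the first and third clues (exactly 10 characters, letters and digits only). The word list, the substitution table and the target hash are all constructed for the demonstration; the target is the hash of a made-up password computed inside the block, so the run is self-checking.

```python
import itertools
import struct


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented inline because hashlib's md4 is not
    available on every Python build."""
    mask = 0xFFFFFFFF

    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    # Pad to a multiple of 64 bytes: 0x80, zeros, then the bit length (LE).
    msg = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
           + struct.pack("<Q", 8 * len(data)))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, range(16), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
         (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
         (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rol((a + f(b, c, d) + X[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers for the next step
        a, b, c, d = ((a + aa) & mask, (b + bb) & mask,
                      (c + cc) & mask, (d + dd) & mask)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password, no salt, upper-case hex."""
    return _md4(password.encode("utf-16-le")).hex().upper()


# Constructed letter-for-digit table; real tools ship far larger rule sets.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def license_plate_variants(word: str) -> set:
    """Every spelling in which each substitutable letter is independently
    kept or swapped, e.g. 'green' -> {'green', 'gr3en', 'gre3n', 'gr33n'}."""
    choices = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word.lower()]
    return {"".join(p) for p in itertools.product(*choices)}


def crack_two_word_hybrid(target_hex: str, words, length: int = 10):
    """Try every ordered pair of license-plated words whose concatenation is
    exactly `length` alphanumeric characters. Returns (plaintext, tried) or
    (None, tried) when the space is exhausted."""
    target = target_hex.upper()
    variants = {w: license_plate_variants(w) for w in words}
    tried = 0
    for w1, w2 in itertools.permutations(words, 2):
        for cand in (v1 + v2 for v1 in variants[w1] for v2 in variants[w2]):
            if len(cand) != length or not cand.isalnum():
                continue
            tried += 1
            if nt_hash(cand) == target:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    WORDS = ["green", "house", "road", "ship", "battle"]   # constructed list
    TARGET = nt_hash("gr33nh0u53")                          # constructed target
    found, tried = crack_two_word_hybrid(TARGET, WORDS)
    print(f"target {TARGET}: recovered {found!r} after {tried} candidates")
```

Two properties of the NT hash drive how cheap this is: it is a single unsalted MD4, so every guess costs one short hash computation and the same password always yields the same hash across all accounts and machines, which is what makes precomputed (rainbow) tables viable against it. The clues in the challenge shrink the space dramatically: knowing the exact length and the "two license-plated words" structure turns an open-ended search into exactly the loop above.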
