On Thursday 26 February 2015 11:25:59 Chris Murphy wrote:
> On Thu, Feb 26, 2015 at 3:30 AM, Hubert Kario
> > Talking about entropy without talking about how severe will be the rate
> > limiting or password lifetimes will also lead us nowhere.
> OK, so the password lifetime thing: I just fired my ISP for having 3
> month mandatory password changes. I think it's a bad idea that
> actually makes us less safe.
and I agree, a blanket requirement of changing the password every 30 days is bad
but if we say "password never expires" we need to assume (for purposes of
calculation) a sufficiently long password lifetime - like 100 years
we could go the route of - give me a good enough password and you won't be
required to change it in the next x months or x years
but every calculation of security level of a password needs to include:
- number of tries the attacker can perform per unit of time
- how long the password is useful
- how hard is the password to guess (entropy)
If the "amount of tries" is "5 million per second", the "how long" is "10
years" then the password needs to be really complex to keep "1% chance to be
But if you enter "100 tries per 30 days", "30 days" and "10 bits"
you get "1% chance for the password to be guessed".
We can tune any value we like, but some other value will change too, otherwise
we will not end up with a system that is as secure as we would like/expect.
> > If we use the NIST recommendation of 100 unsuccessful login
> > lockout account and 30 day password rotation, then we may be fine with
> > just 10 bit entropy - that of a random 4 digit PIN or single dictionary
> OK yet my bank card 4 digit PIN doesn't rotate. It never expires. It's
> been the same for 8+ years.
it's also locked out after 3 unsuccessful attempts and requires possession of
a hardware token, not a favourable comparison
Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
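The three inputs the message lists (guess rate, password lifetime, entropy) can be turned into a guess probability, or into the entropy needed to stay under a target probability. The following is an added example, not code from the thread or from any Red Hat or Fedora project; it assumes a uniformly random secret and an attacker who tries candidates in the best possible order, and the scenario numbers are constructed from the figures quoted above.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
SECONDS_PER_DAY = 24 * 3600


def guesses_in_lifetime(guesses_per_window, window_seconds, lifetime_seconds):
    """Total guesses an attacker gets: the rate limit (guesses per window)
    scaled to the password lifetime. A hard lockout with no reset is modelled
    by making the window equal to the lifetime."""
    return guesses_per_window * (lifetime_seconds / window_seconds)


def guess_probability(entropy_bits, total_guesses):
    """Chance the secret is found within total_guesses.
    Assumption: the secret is one of 2**entropy_bits equally likely values and
    the attacker never repeats a guess, so success probability grows linearly
    with the number of guesses and is capped at 1."""
    return min(1.0, total_guesses / 2.0 ** entropy_bits)


def required_entropy_bits(total_guesses, max_probability):
    """Minimum entropy (in bits) so that guess_probability <= max_probability."""
    return math.log2(total_guesses / max_probability)


def scenarios():
    """Worked cases built from the figures quoted in the thread (constructed inputs)."""
    ten_years = 10 * SECONDS_PER_YEAR
    thirty_days = 30 * SECONDS_PER_DAY
    offline = guesses_in_lifetime(5e6, 1, ten_years)            # 5 million/s, 10 years
    online = guesses_in_lifetime(100, thirty_days, thirty_days)  # 100 tries per 30 days, 30-day lifetime
    card_life = 100 * SECONDS_PER_YEAR                           # "never expires": assume 100 years
    pin = guesses_in_lifetime(3, card_life, card_life)           # 3 wrong attempts, then the card is blocked
    return {
        "offline_bits_for_1pct": required_entropy_bits(offline, 0.01),
        "online_10bit_probability": guess_probability(10, online),
        "online_bits_for_1pct": required_entropy_bits(online, 0.01),
        "pin_3_tries_probability": guess_probability(math.log2(10_000), pin),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value:.4g}")
```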