[Lynn R Grant: Password Aging]
Barry Shein
bzs at Encore.COM
Thu Dec 29 08:24:55 AEST 1988
From: smb at ulysses.homer.nj.att.com (Steven M. Bellovin)
>The DoD reasoning is fairly simple: they want to prevent brute-force
>attacks on a particular password. I don't have their booklet handy,
>but they show you how to work through the calculations. Figure out
>how many possible passwords there are, and assume some value (which
>I believe they supply) for the time to make one trial. That gives you
>an upper bound on how long a particular password is secure. The aging
>constant is set to be some small fraction of that time.

We just did this, lessee, 100 character set, 8 chars, 100^8, assume
10,000 encryptions per second is a good upper bound (we'll take a
small fraction in a moment) and, lessee, I get 31,709 years, divide by
100 (that's a small fraction, no?) I guess I age my password every 317
years, oh, what the hell, once per century just to be safe.

-Barry Shein, ||Encore||