ad-assurance - RE: [AD-Assurance] Something to keep us all paranoid

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: "Capehart,Jeffrey D" <>
  • To: "" <>
  • Subject: RE: [AD-Assurance] Something to keep us all paranoid
  • Date: Wed, 19 Jun 2013 21:03:49 +0000

Good articles.  This excerpt from the first relates well to our recent discussions on entropy.  The qead… password is what they call a keyboard walk (like Qwerty).  Try typing it one character at a time to see.  That plus 4 digits on the end and bingo… cracked.

 

Where a classic brute-force tries "aaa," "aab," "aac," and so on, a Markov attack makes highly educated guesses. It analyzes plains to determine where certain types of characters are likely to appear in a password. A Markov attack with a length of seven and a threshold of 65 tries all possible seven-character passwords with the 65 most likely characters for each position. It drops the keyspace of a classic brute-force from 95^7 to 65^7, a benefit that saves an attacker about four hours. And since passwords show surprising uniformity when it comes to the types of characters used in each position—in general, capital letters come at the beginning, lower-case letters come in the middle, and symbols and numbers come at the end—Markov attacks are able to crack almost as many passwords as a straight brute-force.

 

From: [mailto:] On Behalf Of David Walker
Sent: Wednesday, June 19, 2013 2:06 PM
To: InCommon AD Assurance Group
Cc: DHW
Subject: [AD-Assurance] Something to keep us all paranoid

 

Here are a couple of articles to keep us all scared about passwords.  Probably no direct impact on our work, although the fact that passwords like qeadzcwrsfxv1331 can be cracked when weak encryption is employed might have bearing on our decision of whether entropy is a mitigation for weak encryption.


David



