Path: utzoo!attcan!uunet!husc6!encore!bzs
From: bzs@Encore.COM (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: [Lynn R Grant: Password Aging]
Message-ID: <4511@xenna.Encore.COM>
Date: 28 Dec 88 22:24:55 GMT
References: <17981@adm.BRL.MIL> <4506@xenna.Encore.COM> <11048@ulysses.homer.nj.att.com>
Organization: Encore Computer Corp, Marlboro, MA
Lines: 17
In-reply-to: smb@ulysses.homer.nj.att.com's message of 28 Dec 88 20:37:03 GMT
Posting-Front-End: GNU Emacs 18.41.15 of Tue Jun 9 1987 on xenna (berkeley-unix)

From: smb@ulysses.homer.nj.att.com (Steven M. Bellovin)
>The DoD reasoning is fairly simple: they want to prevent brute-force
>attacks on a particular password. I don't have their booklet handy,
>but they show you how to work through the calculations. Figure out
>how many possible passwords there are, and assume some value (which
>I believe they supply) for the time to make one trial. That gives you
>an upper bound on how long a particular password is secure. The aging
>constant is set to be some small fraction of that time.

We just did this, lessee, 100 character set, 8 chars, 100^8, assume
10,000 encryptions per second is a good upper bound (we'll take a small
fraction in a moment) and, lessee, I get 31,709 years, divide by 100
(that's a small fraction, no?)

I guess I age my password every 317 years, oh, what the hell, once per
century just to be safe.

	-Barry Shein, ||Encore||
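The calculation Bellovin describes and Shein works through, as an added example that is not part of the original thread: keyspace divided by trial rate gives the exhaustive-search upper bound, and the aging interval is a fraction of that. The 365-day year, the 1/100 default fraction and the second (6 lowercase letters) case are assumptions added here to show how quickly the bound collapses for a small keyspace.

```python
"""DoD-style password-aging estimate: worst-case exhaustive-search time
and the aging interval taken as a small fraction of it (added example)."""
from dataclasses import dataclass

# Assumption: a 365-day year (31,536,000 s), which reproduces the 31,709 figure.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


@dataclass(frozen=True)
class AgingEstimate:
    keyspace: int            # number of distinct passwords
    worst_case_seconds: float  # time to try every password at the given rate
    worst_case_years: float
    aging_years: float       # worst_case_years * fraction


def aging_estimate(charset_size: int, length: int,
                   trials_per_second: float,
                   fraction: float = 0.01) -> AgingEstimate:
    """Upper bound on how long a password of `length` symbols drawn from
    `charset_size` symbols resists exhaustive search, and the aging interval
    as `fraction` of that bound (1/100 assumed here, as in the post)."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    if trials_per_second <= 0 or not 0 < fraction <= 1:
        raise ValueError("trial rate must be positive, fraction in (0, 1]")
    keyspace = charset_size ** length
    worst_case_seconds = keyspace / trials_per_second
    worst_case_years = worst_case_seconds / SECONDS_PER_YEAR
    return AgingEstimate(keyspace, worst_case_seconds, worst_case_years,
                         worst_case_years * fraction)


if __name__ == "__main__":
    # Shein's case: 100-symbol alphabet, 8 characters, 10,000 trials/s.
    strong = aging_estimate(100, 8, 10_000)
    print(f"100^8 @ 10k/s: {strong.worst_case_years:,.0f} years, "
          f"age every {strong.aging_years:,.0f} years")
    # Constructed contrast: 6 lowercase letters at the same rate.
    weak = aging_estimate(26, 6, 10_000)
    print(f"26^6  @ 10k/s: {weak.worst_case_seconds / 3600:.1f} hours, "
          f"age every {weak.aging_years * SECONDS_PER_YEAR:.0f} seconds")
```

The same trial rate that makes aging pointless for the 8-character case puts the 6-letter case within hours, which is why the bound depends far more on keyspace and rate than on the aging constant.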