GRC Password Haystack

Discussion in 'other security issues & news' started by Morthawt, Jun 2, 2011.

Thread Status:
Not open for further replies.
  1. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
You work in the private sector but have to adhere to a government standard that requires 64 character completely random passwords? Which government department requires this? o_O


So is the password for KeePass less (in length and entropy) than a 64 character random password? If not, isn't that a weak link?
     
  2. x942

    x942 Guest

    The actual specification is:

    "All passwords have to be of 24 Character length and have maximum entropy to protect all documents considered classified or private."


The use of longer passwords is to ensure that I (we) don't get in trouble provided there is a data leak. Also lots of government (read military) agencies use long passwords; they can be extremely paranoid and lots use ~64 char passwords for encrypted disks. I get pressured all the time to ensure all of our passwords meet that length :(


The length is still approximately 64 chars, but it is more memorable (to me at least). I used the padding technique to do this.

This is negated by 3 things:
1) KeePass database is stored in an encrypted TrueCrypt volume on my IronKey. Both the volume and the KeePass database need keyfiles.
2) Keyfiles are stored on another encrypted HDD.
3) That encrypted HDD needs keyfiles stored on the IronKey.

Any attempt at brute-forcing or physically tampering with the IronKey causes it to "self destruct" or wipe out the encryption key stored in hardware (cryptochip) and all the data on the device before rendering the entire device useless with an NSA wear-level wipe over it.
     
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
Once it goes beyond a certain point, there are really diminishing returns. Maybe they need to focus on other things like making sure their SecurID keys are actually secure :p

    Sounds pretty painful.
     
  4. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
I would think there would be some very large sticky notes all over the place... a security nightmare probably...
     
  5. x942

    x942 Guest

I wouldn't be surprised. This is why I am padding them now. Easy to remember but still ~64 chars. This is why I can even do without the KeePass database. :thumb:

~14 chars is all that's needed. 14 char passwords are about the point where even rainbow tables take forever to crack. It is recommended that you use 15-16 chars to be safe. I use a minimum of 14 for all websites (that need some security) and logins. As for ~64 chars: yes it is redundant, but it is future proof as well, and as long as I can use padding and remember them I don't care one bit :p
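The numbers the thread keeps circling (jrmhng's question in post 1 about whether a KeePass master password has less entropy than a 64 character random one, and x942's point in post 5 that ~14 random characters is already enough and that padding buys length rather than randomness) can be worked out directly. The following is an added example, not code from the thread, from KeePass, or from GRC's own Haystack calculator. It assumes the usual 95 printable ASCII characters split into four classes (lower, upper, digit, symbol), GRC's "try every length up to N" search-space model, and a constructed guess rate of 1e14 guesses per second; the sample passwords are constructed for illustration.

```python
import math
import string

# Character classes as a haystack-style calculator counts them (assumption:
# the 95 printable ASCII characters split into four classes).
CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digit": set(string.digits),               # 10
    "symbol": set(string.punctuation + " "),   # 32 punctuation + space = 33
}


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must assume, based on which classes appear in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def random_entropy_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random password: each character is an independent choice."""
    return length * math.log2(alphabet)


def haystack_search_space(length: int, alphabet: int) -> int:
    """Blind brute-force work: every string of length 1..length over the alphabet."""
    return sum(alphabet ** i for i in range(1, length + 1))


def pad_password(core: str, filler: str, total_length: int) -> str:
    """The padding technique from the thread: a memorable core plus a repeated filler."""
    padding = (filler * total_length)[: total_length - len(core)]
    return core + padding


def padded_pattern_entropy(core: str, filler_choices: int, length_choices: int) -> float:
    """Entropy of a padded password against an attacker who knows the padding scheme.
    Only the core and the choice of filler/length are secret; the core is generously
    treated as random characters over its own classes (a dictionary word would be less)."""
    return (random_entropy_bits(len(core), alphabet_size(core))
            + math.log2(filler_choices) + math.log2(length_choices))


def crack_years(search_space: int, guesses_per_second: float = 1e14) -> float:
    """Worst-case exhaustive-search time in years at an assumed (constructed) guess rate."""
    return search_space / guesses_per_second / (365 * 24 * 3600)


def analyse(password: str) -> dict:
    """Summarise a password the way the thread's two viewpoints would see it."""
    k = alphabet_size(password)
    space = haystack_search_space(len(password), k)
    return {
        "length": len(password),
        "alphabet": k,
        "blind_bruteforce_bits": math.log2(space),   # what a haystack counter reports
        "random_equivalent_bits": random_entropy_bits(len(password), k),
        "blind_crack_years": crack_years(space),
    }


if __name__ == "__main__":
    # Constructed samples: a 14-char random string vs. a short core padded to 64.
    random14 = "k7#Qp2!zL9$wB4"
    padded64 = pad_password("D0g", ".-", 64)
    print("14 random chars:", analyse(random14))
    print("64 padded chars:", analyse(padded64))
    # Against an attacker who knows the scheme, the padded password is only as
    # strong as its 3-char core plus a couple of bits for filler/length choice.
    print("padded, pattern known:",
          round(padded_pattern_entropy("D0g", filler_choices=4, length_choices=8), 1), "bits")
```

The contrast is the point of the thread: 14 random characters over the 95-character alphabet is about 92 bits, which is why x942 calls 14 "all that's needed"; a 64-character padded string looks like 420 bits to a blind brute-forcer but collapses to the entropy of its memorable core once the padding pattern is assumed. So the padded 64-character master password is not necessarily weaker than what it protects, but its strength comes from the secrecy of the core and the scheme, not from the length.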
     