Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Are dictionary checks obsolete?
(Message started by: Pete Finnigan on Dec 12th, 2008, 3:20pm)

Title: Are dictionary checks obsolete?
Post by Pete Finnigan on Dec 12th, 2008, 3:20pm
Our site policy requires passwords to be a minimum of 14 characters, with at least 4 alpha, 2 numeric digits, and 2 punctuation. If on Oracle 11g, there must be at least 2 uppercase and 2 lowercase letters. I don't know of any words in the dictionary that have 2 upper, 2 lower, 2 numeric, 2 punctuation, and are at least 14 characters long.

Is there still any sense to the password verify function checking a user's password against a dictionary before allowing them to use it?  People can't remember a 7 digit phone number.  A 14 character mess of truly random characters would increase the likelihood of passwords being written and left in unsecured locations.

A dictionary check could verify that a password does not contain l33t encoded words, but is that going too far?
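As an added example (not from the post, and not Oracle's own password verify function), a Python stand-in for the logic of such a verify function: it enforces the site's complexity rules and shows why the dictionary check still has a role, since a password can satisfy every rule and still be a l33t-encoded dictionary word. The word list, the substitution table and the sample passwords are constructed for the demonstration.

```python
import string

# Constructed word list standing in for the dictionary file a real verify
# function would read; a few entries are enough to show the check.
DICTIONARY = {"password", "welcome", "oracle", "secret", "admin"}

# Reverse l33t substitutions. '1' and '!' are ambiguous (i or l), so two
# translation tables are tried and a hit in either counts.
_COMMON = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEET_MAPS = [
    str.maketrans({**_COMMON, "1": "i", "!": "i"}),
    str.maketrans({**_COMMON, "1": "l", "!": "l"}),
]

def complexity_errors(pw, on_11g=True):
    """Return the list of site-policy rules the password breaks (empty = passes)."""
    errors = []
    if len(pw) < 14:
        errors.append("length < 14")
    if sum(c.isalpha() for c in pw) < 4:
        errors.append("< 4 alpha")
    if sum(c.isdigit() for c in pw) < 2:
        errors.append("< 2 digits")
    if sum(c in string.punctuation for c in pw) < 2:
        errors.append("< 2 punctuation")
    if on_11g:  # 11g passwords are case-sensitive, so the policy adds case rules
        if sum(c.isupper() for c in pw) < 2:
            errors.append("< 2 uppercase")
        if sum(c.islower() for c in pw) < 2:
            errors.append("< 2 lowercase")
    return errors

def contains_dictionary_word(pw, dictionary=DICTIONARY, min_len=5):
    """True if a dictionary word of min_len+ letters is embedded in the
    password, either literally or after undoing l33t substitutions."""
    lowered = pw.lower()
    variants = {lowered} | {lowered.translate(m) for m in LEET_MAPS}
    return any(w in v for v in variants for w in dictionary if len(w) >= min_len)

def verify_password(pw, on_11g=True):
    """Combined check: complexity rules plus the substring dictionary test."""
    errors = complexity_errors(pw, on_11g)
    if contains_dictionary_word(pw):
        errors.append("contains dictionary word (possibly l33t-encoded)")
    return errors

if __name__ == "__main__":
    # Both candidates pass every complexity rule; only the second is clean.
    for candidate in ("P@ssw0rd!!2008Ab", "Tr4in-Bolt#9zQx"):
        print(candidate, "->", verify_password(candidate) or "OK")
```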

Title: Re: Are dictionary checks obsolete?
Post by Pete Finnigan on Dec 16th, 2008, 3:28pm
I found that this has all been argued before under a different name:

The Great Debates: Pass Phrases vs. Passwords

http://technet.microsoft.com/en-us/library/cc512613.aspx

http://en.wikipedia.org/wiki/Passphrase

http://world.std.com/~reinhold/diceware.html

http://blog.paploo.net/2007/10/article-security-words.html

http://www.iusmentis.com/security/passphrasefaq/practical
