
SANS ISC: Fun with Passphrases! - Internet Security | DShield SANS ISC InfoSec Forums


Fun with Passphrases!

As systems administrators and security folks, we've all had our fill of our users and customers using simple passwords.  Most operating systems these days now enforce some level of password complexity by default, with options to "beef up" those requirements.

The prevailing wisdom today is to use passphrases - demonstrated nicely by our bud at xkcd - http://xkcd.com/936/

So I routinely have very long passphrases for public-facing accounts.  Imagine my surprise when I was creating a new account on a major cloud service (the one that starts with an "O" and ends with a "365"), and found that I was limited to a 16 character password.

Needless to say I have a case open to see if that limit can be removed.  I'm not looking for no limit / invitation to a buffer overflow status on the password field, but something bigger than 16 would really be appreciated!


Rob VandenBrink

497 Posts
ISC Handler
Completely true if using a "standard" Office365 account. However, that limitation does not exist if you use an ADFS configuration. That may seem like splitting hairs, but it's an important distinction, especially when there are many small-to-medium-to-large orgs looking at shifting over to Office365.
Anonymous
I know of worse. In our country there's an ISP that still limits your password to 8 characters and only letters and numbers. And this account is used for all the services they provide.
GuardMoony

3 Posts
I agree that 16 chars is too little. I hit that once in a while with 1Password-generated passwords. Other sites complain that the passwords are obviously machine generated and reject them.

Using the xkcd method, many passwords are hackable using oclhashcat. But bruteforcing all NTLM 8 lower chars+numbers is trivial, taking minutes. But luckily Microsoft is such a small company with no significant market presence, so they do not need to use salt, or use a good algorithm.
Povl H.

71 Posts
Nice findings


http://social.technet.microsoft.com/Forums/lync/en-US/5343388f-c92c-46cc-9410-698739404af8/16-character-password-limitation-on-mac-lync-clients?forum=ocsclients

http://alexduggleby.com/2011/07/18/office-365-does-not-allow-more-than-16-character-passwords-or-why-why-why/


But it does not explain why it is still limited.


Js
k4l4m4r1s

7 Posts
Ahhh, but you missed something. Microsoft makes up for their 16-character password length limitation in Office 365 by also not allowing any type of two-factor authentication, like client certificates. That makes your business email and documents even easier to lose, errr, "use".
Anonymous
I've been down this road with Microsoft already, but it's good to see I'm not the only one with an open case. When my org migrated to O365, we learned that the password length is restricted to a minimum of 8 chars & maximum of 16 - and there's no way to change that. So, while 16 chars is bad, the fact that we can't enforce a _minimum_ of 16 is even worse. Of course, it's no worse than Windows' password requirements, with a minimum password length of no more than 14 characters (in Win2012, at least). Stupid, at best. Dangerous, at worst.
Anonymous
Don't believe this is limited to their cloud service. I ran into the issue when trying to use the Outlook client against my Gmail account.
Dean

135 Posts
Yep, same issue with credit card companies' lack of complexity!

I visit a site that checks the "haystacks" and allows me to generate any length. Even with this one @ 16 QyM#rz[9'O<"IvO# returns this. A 30 day rotational routine (yes, a PITA, but breaches are worse) gives me some comfort. For those that wish to look up a decent article on Wired, "kill the P@55W0rD" is a real eye opener and it dates back to 12-12.

But security admins, even people with home systems, hear complaints all the time: I can't remember my PW; you create one in DC too long and they lament. Feel like Gumby's arms.

With regards to cloud service.... heard of this? They will do it for you. Systems still running it.

https://support.microsoft.com/kb/2744850

http://www.h-online.com/security/news/item/Cloud-service-cracks-VPN-passwords-in-24-hours-1656104.html

https://github.com/moxie0/chapcrack




Search Space Depth (Alphabet): 26+26+10+33 = 95
Search Space Length (Characters): 16 characters
Exact Search Space Size (count of all possible passwords with this alphabet size and up to this password's length): 44,480,886,725,444,405,624,219,204,517,120
Search Space Size (as a power of 10): 4.45 x 10^31
Time Required to Exhaustively Search this Password's Space:
  Online Attack Scenario (assuming one thousand guesses per second): 14.14 million trillion centuries
  Offline Fast Attack Scenario (assuming one hundred billion guesses per second): 1.41 hundred billion centuries
  Massive Cracking Array Scenario (assuming one hundred trillion guesses per second): 1.41 hundred million centuries
ICI2Eye

52 Posts
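The "haystack" figures quoted in the post above can be reproduced from first principles, which also makes it easy to see what a length cap or a letters-and-digits-only rule costs. This is an added example, not code from the diary or from the haystack site; it counts every candidate from length 1 up to the maximum (sum of alphabet**k), which is what the quoted exact count corresponds to, and the policy caps it compares are constructed from posts in this thread (alphabet sizes for the letters-and-digits policies are assumed, since the posts do not say whether case matters).

```python
"""Search-space arithmetic for the password policies discussed in this thread.

Added example (not part of the ISC diary). Reproduces the quoted 95-symbol,
16-character haystack figures and compares them with the other caps posted.
"""
from __future__ import annotations

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def search_space(alphabet: int, max_len: int, min_len: int = 1) -> int:
    """Number of distinct passwords of length min_len..max_len over `alphabet` symbols."""
    return sum(alphabet ** k for k in range(min_len, max_len + 1))


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock centuries to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def order_of_magnitude(n: int) -> tuple[float, int]:
    """Return (mantissa, exponent) so that n is about mantissa x 10**exponent."""
    exp = len(str(n)) - 1
    return round(n / 10 ** exp, 2), exp


# Constructed policy caps taken from posts in this thread. Alphabet sizes for the
# letters+digits policies are assumptions: 36 = lowercase + digits, 62 = mixed case + digits.
POLICIES = {
    "Office 365: 95 printable ASCII, max 16": (95, 16),
    "ISP: letters+digits only, max 8 (assumed lowercase)": (36, 8),
    "401K: letters+digits only, max 12 (assumed mixed case)": (62, 12),
    "Same 95 symbols with a 24-char cap (for comparison)": (95, 24),
}

# The three guess rates quoted in the haystack output above.
RATES = {"online 1e3/s": 1e3, "offline 1e11/s": 1e11, "array 1e14/s": 1e14}

if __name__ == "__main__":
    for name, (alpha, max_len) in POLICIES.items():
        space = search_space(alpha, max_len)
        mantissa, exp = order_of_magnitude(space)
        print(f"{name}: {mantissa} x 10^{exp} candidates")
        for rate_name, rate in RATES.items():
            print(f"    {rate_name}: {centuries_to_exhaust(space, rate):.3g} centuries")
```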
Some information about this issue is here: http://thenextweb.com/microsoft/2012/09/21/this-ridiculous-microsoft-longer-accepts-long-passwords-shortens/ (Including a statement from Microsoft at the bottom)

It doesn't appear that they have any immediate intention of committing to a change which would allow for longer passwords.
Alex Stanford

136 Posts
And my library public login limits the password length to a 4 digit PIN.....
(I've changed the library site to a secure note in lastpass to "manage" my security score)
bill

5 Posts
While dutifully changing my passwords after the HeartBleed drill, and trying to help my wife understand the password composition I had created, I found that some of our institutions did not allow for special characters. When I complained to many of them about the lack of complexity in a day where special characters are a basic requirement, I received an automatic reply from my Retirement system assuring me that they had patched their servers for the HeartBleed vuln and had nothing to worry about...
Gary

5 Posts
Quoting Gary: While dutifully changing my passwords after the HeartBleed drill, and trying to help my wife understand the password composition I had created, I found that some of our institutions did not allow for special characters. When I complained to many of them about the lack of complexity in a day where special characters are a basic requirement, I received an automatic reply from my Retirement system assuring me that they had patched their servers for the HeartBleed vuln and had nothing to worry about...


I would suggest trying again now that the influx of requests due to Heartbleed has died down, and see if you can't at least get a human response now.
Alex Stanford

136 Posts
For fear of having my account hacked into, I won't mention names. My 401K sits with a worldwide investment firm that everyone knows. Here are some of their 8-bit DOS based password rules:

- 6 to 12 characters
- Letters and numbers only - NO special characters

If it's a character on the keyboard it should be accepted. When are these companies going to implement rules to allow for a more SECURE environment?!

Needless to say when I transferred employers, my 401K was moved into my IRA with ANOTHER company!
Anonymous
RE: "Ahhh, but you missed something. Microsoft makes up for their 16-character password length limitation in Office 365 by also not allowing any type of two-factor authentication, like client certificates. That makes your business email and documents even easier to lose, errr, "use"."


Actually fwiw, they announced multi-factor auth this Feb '14 http://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/

Haven't played with it yet... but it looks to function much like it does with their outlook.com / live.com service which I have used and appreciate.
justageek

7 Posts