Pedo mellon a minno, speak friend and enter

On Moria’s door, the elder dwell of Durin, king of the dwarves, it was written: PEDO MELLON A MINNO. In Overstron language it sounded like “Speak friend and enter.”

The mighty wizard struggled for almost a day to crack the password and finally Frodo just inferred what the password was, carved in a sort of ancient, monolithic, elven post-it: MELLON (friend).

Quite a weak password, some would argue, but at least it was written in a runic language that very few people used to know and probably not intended to be a password, since dwarf hospitality was famous throughout the whole Middle Earth during the realm of Durin.

With that in mind, let’s consider PCI-DSS requirement 8.2.3:

Passwords/phrases must meet the following:

  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.

Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.

It is not the same as writing it on the doormat or sticking it on the monitor, but seven characters and numeric and alphabetic?

Assuming we are not considering salt, for purely brute-force attacks it means that a password like “aaaaaa1” and alike satisfy the requirement?

Yes, strictly speaking yes, but let’s take a few things into consideration.

Based on the result provided on the password calculator

A password like “aaaaaa1” would be cracked instantly.

The same goes for “aAaaaa1” and all its different combinations, like “AaAaA1a”.

If I insert just a single special character like “aa#aaa1” it takes 3 minutes.

“AaAaA#1” takes one hour.

“AaAaA#1a” takes 3 days.

In general a password that contains 7 numeric and alphabetic characters, at a speed of 10.000.000 password/sec (the average speed of a fast computer) would take… drum roll: 13 minutes!!!

That’s what the PCI SSC requires to protect cardholder data, a password that can be cracked in 13 minutes.

If you add a little bit more entropy, like chars both in upper and lower case plus common symbols, it jumps to 87 days.

Furthermore, in our analysis, another requirement that pairs with 8.2.3 is 8.2.4:

Change user passwords/passphrases at least once every 90 days.

But, if according to the requirement 8.2.3, I submit a compliant password with 7 chars that contains digits and letters, it takes only 13 minutes to crack it, so requirement 8.2.4 should be that you change your password at least every 10 minutes.

Of course, that is impossible, but what should be done here is to enforce additional rules to comply with 8.2.3, such as:

  • Upper and lower case
  • Symbols
  • 8 characters

By doing so, an attacker would need 23 years to crack the password. Does an attacker have 23 years? Maybe, but according to 8.2.4 passwords must be changed after 3 months and when the attacker, after 23 years probably a more hoary attacker, would finish his nasty act, his newly-badly-hardly-elderly obtained access would be denied.

Requirement 8.2.5 will make sure that a user doesn’t re-use the same password as the last four.

As a QSA, when I inspect Active Directory GPO related to password requirements or a PAM module in Linux, 99.9% of the times I find settings that go “above and beyond” req. 8.2.3. But, why is there no mention of symbols such as,;.:-_’*¨^+?\!”#¤%&/()=}][{\@£$§ (question mark) in the requirement.

The bottom line is, requirement 8.2.3 should be improved and all companies should ALWAYS try to go above and beyond the requirement. In such a scenario the wonderful concept of passphrase will come in handy:

Iwatchedthelordoftherings30times would take 18 duodecillion years to be cracked, but it is wonderfully compliant with 8.2.3 and it is also easy to remember. And yes, it would take more or less the same time if you have watched it 00 times, but in that case… SHAME ON YOU! Immediately go and rent the Blu-Ray long version!

Anyway, multi-factor authentication (password + something you are or have) is the way to go.



P.S: Please, do not use Iwatchedthelordoftherings30times (or any other number of times ? ) as a password, it is just for example, by the time this article is posted, such a password and its variant (like Iwatchedstarwars100times) is probably already inside a dictionary or computed in a hash in a rainbow table.

Andra Blogginlägg