The IT services of the ETH recently opted for new password policies for all the services managed by the nethz admin tool to enforce good and strong passwords and prevent security breaches.

The strength (or goodness) of a password determines how many attempts an attacker needs to guess it. The strength depends on the length l (in characters), the complexity n (the number of possibilities for each character) and the randomness of the password.

An attacker trying to guess a password by trying all the possibilities (this is known as a brute-force attack) will have to test n to the power of l different passwords in the worst case.

A single PC can easily test 10’000’000 passwords per second and will take less than three days to try all the possible combinations of eight lower-case letters (26^8 passwords / 10’000’000 passwords/s = 208’827 s = 2.42 days).

Trying all the possible combinations is rarely needed, as most users choose passwords made up of common words, dates and pieces of personal information. An attacker usually begins by testing combinations of lower-case letters (the easiest to type) containing words and dates, which drastically reduces the time needed to guess the password (this technique is known as a dictionary attack).

Guessing a password of 10 characters composed of lower-case (a-z) and upper-case letters (A-Z), numbers (0-9) and special symbols (+,-./:=?@[]^{}~) requires (26+26+10+15)^10 = 77^10 tests, which on the same PC as before take 23’217 years to complete.
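The worst-case brute-force cost described in the preceding paragraphs, carried out in code. This is an added example, not code from the nethz page or tool. The four character classes (26 + 26 + 10 + 15 characters) and the guess rate of 10’000’000 passwords per second are taken from the text; the function names and the 365.25-day year used for the conversion are this example's own choices.

```python
# Added example (not from the ETH/nethz page): worst-case brute-force cost
# for a password of length l drawn from a character set of size n, i.e. n**l
# guesses, at the page's assumed rate of 10_000_000 guesses per second.
import string

# The page's character classes; SPECIALS is the 15-symbol set the page allows.
SPECIALS = "+,-./:=?@[]^{}~"
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "special": SPECIALS,               # 15 characters
}


def search_space(length, *classes):
    """Number of candidate passwords: n**l, with n the size of the union of the classes."""
    n = sum(len(CLASSES[c]) for c in classes)
    return n ** length


def worst_case_seconds(length, *classes, rate=10_000_000):
    """Seconds needed to try every candidate at `rate` guesses per second."""
    return search_space(length, *classes) / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits (years of 365.25 days)."""
    units = [
        ("years", 365.25 * 86400),
        ("days", 86400),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def effective_charset_size(password):
    """Size of the smallest union of the page's classes that covers every character.

    This is the n an attacker who knows which classes were used has to assume;
    a character outside all four classes is rejected, as the page's systems do.
    """
    used = set()
    for ch in password:
        for name, chars in CLASSES.items():
            if ch in chars:
                used.add(name)
                break
        else:
            raise ValueError(f"character {ch!r} is outside the allowed set")
    return sum(len(CLASSES[c]) for c in used)


if __name__ == "__main__":
    print("8 lower-case letters:", humanize(worst_case_seconds(8, "lower")))
    print("10 chars, all classes:", humanize(worst_case_seconds(10, *CLASSES)))
    print("n for 'Abc1+':", effective_charset_size("Abc1+"))
```

For eight lower-case letters the function returns 26^8 / 10^7 ≈ 20’883 s, about 5.8 hours; the 208’827 s quoted above is ten times that figure, while the 23’217 years for 77^10 is reproduced exactly when a year is taken as 365.25 days.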

nethz policies

Our new password policies are therefore tailored to minimize the risk of a successful attack:

• the password must be longer than 7 characters (and shorter than 31)
• the password must contain at least
    • a letter (lower or upper case)
    • a number
    • a special character
• the password must not contain a word (we check for English, German, French and Italian words longer than four characters)

Since some systems do not allow certain characters in the password, we had to limit the set of possible characters to:

• lower-case letters (no umlauts): a-z
• upper-case letters (no umlauts): A-Z
• numbers: 0-9
• special characters: + (plus), , (comma), - (minus), . (dot), / (slash), : (colon), = (equal), ? (question mark), @ (at), [] (square brackets), ^ (caret), {} (curly brackets) and ~ (tilde)
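The policy above written out as an executable check, added here as an example; it is not the nethz admin tool's own code. The length bounds (8 to 30 characters), the three required character classes, the allowed character set and the "words longer than four characters" rule follow the page. The word list is a small constructed stand-in for the real English, German, French and Italian dictionaries, and the function name check_password is this example's own.

```python
# Added example (not the nethz tool's code): validate a password against the
# nethz rules listed on the page and report every violation found.
import string

ALLOWED_SPECIALS = "+,-./:=?@[]^{}~"           # the 15 special characters the page allows
ALLOWED = set(string.ascii_letters + string.digits + ALLOWED_SPECIALS)
MIN_LEN, MAX_LEN = 8, 30                         # "longer than 7 and shorter than 31"

# Constructed stand-in for the real multilingual dictionaries. The page only
# rejects words longer than four characters, so "ciao" and "test" never match.
SAMPLE_WORDS = [
    "password", "summer", "zurich", "bonjour", "strasse",
    "ciao", "amore", "house", "test",
]


def check_password(pw, dictionary=SAMPLE_WORDS):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []

    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")

    # Characters outside the allowed set (umlauts, space, '!' and so on).
    disallowed = sorted(set(c for c in pw if c not in ALLOWED))
    if disallowed:
        problems.append(f"disallowed characters: {''.join(disallowed)}")

    if not any(c in string.ascii_letters for c in pw):
        problems.append("must contain a letter")
    if not any(c in string.digits for c in pw):
        problems.append("must contain a number")
    if not any(c in ALLOWED_SPECIALS for c in pw):
        problems.append("must contain a special character")

    # Case-insensitive substring match against dictionary words longer than four characters.
    lowered = pw.lower()
    hits = sorted(w for w in dictionary if len(w) > 4 and w.lower() in lowered)
    if hits:
        problems.append(f"contains dictionary word(s): {', '.join(hits)}")

    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor@x", "Summer2024+", "Kurz1+", "abcdefgh", "Grüsse2024+"]:
        verdict = check_password(candidate)
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```

The check returns all violations at once rather than stopping at the first, which is what a password-change form needs in order to tell the user everything that has to change. Each rule is a separate, readable test on the string; in a real deployment only the word list would be swapped for the full dictionaries.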