[Cryptography] Passwords (Smallest feasible work factor today?)
Kevin W. Wall
kevin.w.wall at gmail.com
Wed Sep 7 17:15:54 EDT 2022
On Wed, Sep 7, 2022 at 4:08 PM Phillip Hallam-Baker <phill at hallambaker.com>
wrote:
> Folk, what are people's thoughts on the smallest work factor that can be
> considered acceptable today? I am thinking 2^80.
>
I get your rant, but you need to consider businesses and their GRC-related
policies, some of which are mandated by compliance and regulatory laws. So,
to that degree, what *we* think probably doesn't matter all that much.
So given that, the last 3 companies that I've worked for (including the
current one) would accept 2^80 for "regular" users, but possibly not
privileged accounts and almost certainly not service accounts.
For example, at the Fintech company I worked for just over a year ago,
regular user passwords for internal users (employees and contractors) had
to be >= 16 characters long, but only >= 8 characters for their customers'
passwords. Privileged accounts had to have passwords that were randomly
generated and stored in a password manager vault and were supposed to be >=
20 characters, and for service accounts (which were valid for 1 year)
had to be >= 24 randomly generated characters and kept in something like
Hashicorp Vault. (At my current employer, service account passwords are
required to be >= 32 randomly generated printable characters and they also
must be stored in / accessed from Hashicorp Vault.)
So, I will leave the calculations to you, but for service accounts at
least, a work factor of 2^80 may not fly in some businesses.
-kevin
--
Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
| OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.
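Added example (not part of the post or its author's own work): the calculation the post leaves to the reader, treating the work factor as the attacker's guess space for a uniformly random password. It assumes "printable characters" means the 95 printable ASCII characters and ignores any extra cost from the password hash.

```python
import math

# Assumption (not stated in the post): "printable characters" = 95 printable ASCII characters.
PRINTABLE_ASCII = 95

def guess_bits(length: int, alphabet_size: int) -> float:
    """Bits of guess space for a uniformly random password: log2(alphabet_size ** length).
    Only valid for randomly generated passwords; human-chosen ones carry far less."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be > 0 and alphabet_size > 1")
    return length * math.log2(alphabet_size)

def min_length_for(target_bits: float, alphabet_size: int) -> int:
    """Smallest random-password length whose guess space is at least 2**target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def meets_work_factor(length: int, alphabet_size: int, target_bits: float = 80) -> bool:
    """True if brute-forcing a random password of this length costs at least 2**target_bits guesses.
    Key stretching (bcrypt/PBKDF2 cost) would add to the attacker's work but is not counted here."""
    return guess_bits(length, alphabet_size) >= target_bits

# Minimum lengths described in the post (the 8- and 16-character minimums apply to
# human-chosen passwords, so their real guess space is lower than the random-case figure).
POLICIES = {
    "customer (>= 8)": 8,
    "internal user (>= 16)": 16,
    "privileged, vaulted (>= 20)": 20,
    "service account (>= 24)": 24,
    "service account, current employer (>= 32)": 32,
}

def evaluate_policies(policies=POLICIES, alphabet_size=PRINTABLE_ASCII, target_bits=80):
    """Map each policy to (bits of guess space, whether it meets the target work factor)."""
    return {name: (round(guess_bits(n, alphabet_size), 1),
                   meets_work_factor(n, alphabet_size, target_bits))
            for name, n in policies.items()}

if __name__ == "__main__":
    print(f"random length needed for 2^80 over {PRINTABLE_ASCII} chars: "
          f"{min_length_for(80, PRINTABLE_ASCII)}")
    for name, (bits, ok) in evaluate_policies().items():
        print(f"{name:45s} {bits:6.1f} bits  {'meets' if ok else 'below'} 2^80")
```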