
Pete Finnigan's Oracle security weblog



A grammatically correct random pass phrase generator

September 30th, 2009 by Pete


Curtis Copley emailed me to let me know about his new paper on a grammatically correct random passphrase generator, and about the free tools he has created to implement it in Java and in PL/SQL. The paper is available on his website and the tools are linked at the end of the paper. This is an excellent piece of work that shows how he has worked through the problem and created code to generate random pass phrases that people can remember but that also have the required strength (about 47 bits), using a dictionary of chosen words of around 10,000 options. The password randomness rules are based on NIST requirements. The paper is best introduced with a sample from the first section:

A grammar-based random pass-phrase generator can help make life easier for users and system administrators by generating memorable passwords that should meet the needs of most sites. With this algorithm, users should be able to choose a password more easily. The passwords produced by the algorithm should be easy enough to type, reducing the likelihood of being accidentally locked out of the system by logon failures. System administrators may finally be able to spend less time resetting passwords and unlocking accounts, without sacrificing security.



Passwords provide much of computer and data security, but they suffer from conflicting requirements: Ideally, they would be easy to memorize and quick to type, yet they should also be able to withstand attack by an automated password cracking program. The United States Department of Defense (DOD), and the National Institute of Standards and Technology (NIST) established requirements that are intended to strengthen passwords. Unfortunately, many users (and system administrators) find it tough to come up with passwords that meet DOD and NIST requirements, and even tougher to memorize their passwords. Users forget their passwords, or mistype them and cause an account lockout. System administrators then need to come up with secure new passwords for these users.



A grammatically-correct random pass phrase generator can make passwords that are easy enough for users to memorize, yet still be secure. The program can generate over 200 trillion different equally-likely pass phrases (in security terms, a strength measured at about 47 bits of entropy). The passwords will be between 14 and 22 characters long. Since most of the password length comes from familiar English words, the length is more tolerable. The random selection of words often results in absurd phrases. Absurdity is good. Advertisers use absurdity to make their messages more memorable.



Here is a random sampling of passwords from the program, along with the words separated by spaces for easy reading:



PASSWORD                WORDS
55ScabbyGateAromas      55 Scabby Gate Aromas
BroodsPaving25Ghouls    Broods Paving 25 Ghouls
ThreatPlops45Pumas      Threat Plops 45 Pumas


To read the complete article and get the sample implementations in Java and in PL/SQL, go to Curtis Copley's website.

Excellent piece of work.
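To make the "equally likely pass phrases" and "47 bits of entropy" points in the excerpt concrete, here is an added illustration (my own sketch, not Curtis Copley's Java or PL/SQL code): the word lists and the two sentence templates are constructed miniatures, the phrase space is the sum over templates of the product of the list sizes, and one uniform integer over that whole space is decoded mixed-radix into a phrase, so every phrase is equally probable and the strength is simply log2 of the space.

```python
import math
import secrets

# Constructed miniature word lists, keyed by part of speech (assumption:
# the real generator draws from roughly 10,000 words, this is just a toy).
WORDS = {
    "NUM":  [f"{n:02d}" for n in range(10, 100)],            # 90 two-digit numbers
    "ADJ":  ["Scabby", "Brisk", "Mossy", "Plaid"],
    "NOUN": ["Gate", "Threat", "Pumas", "Ghouls", "Aromas", "Broods"],
    "VERB": ["Plops", "Paving", "Hoists"],
}

# Constructed sentence templates (assumption); each slot names a word list.
TEMPLATES = [
    ("NUM", "ADJ", "NOUN", "NOUN"),   # shape of "55 Scabby Gate Aromas"
    ("NOUN", "VERB", "NUM", "NOUN"),  # shape of "Threat Plops 45 Pumas"
]

def template_count(template):
    """Number of distinct phrases one template can produce."""
    count = 1
    for slot in template:
        count *= len(WORDS[slot])
    return count

def phrase_space():
    """Total number of distinct phrases across all templates."""
    return sum(template_count(t) for t in TEMPLATES)

def entropy_bits():
    """Strength in bits when every phrase in the space is equally likely."""
    return math.log2(phrase_space())

def decode(index):
    """Map one integer in [0, phrase_space()) to its phrase (mixed radix).
    Indexing the whole space, rather than picking a template first, keeps
    phrases equally likely even though templates differ in size."""
    for template in TEMPLATES:
        n = template_count(template)
        if index < n:
            words = []
            for slot in template:
                index, i = divmod(index, len(WORDS[slot]))
                words.append(WORDS[slot][i])
            return words
        index -= n
    raise ValueError("index outside the phrase space")

def generate():
    """Return (password, spaced words) drawn with a CSPRNG, never random.random."""
    words = decode(secrets.randbelow(phrase_space()))
    return "".join(words), " ".join(words)
```

With the toy lists the space is only 22,680 phrases (about 14.5 bits); the paper's 200 trillion phrases correspond to log2(2e14), roughly 47.5 bits, which is where its 47-bit figure comes from.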

