
336 Chapter 11 Network Security

informed of the departure and accounts remain in the system. For example, an examination of the user accounts at the University of Georgia found 30% belonged to staff members no longer employed by the university. If the staff member's departure was not friendly, there is a risk that he or she may attempt to access data and resources and use them for personal gain, or destroy them to get back at the organization. Many systems permit the network manager to assign expiration dates to user accounts to ensure that unused profiles are automatically deleted or deactivated, but these actions do not replace the need to notify network managers about an employee's departure as part of the standard human resources procedures.
MANAGEMENT FOCUS 11-9 Selecting Passwords

The keys to users' accounts are passwords; we all know this. The stronger the password, the more secure your account is. But what does it mean to have a "strong" password? We have all heard that we shouldn't pick keyboard patterns or names of family members or pets. But then different organizations have different rules for how to create strong passwords. Some might not give you any guidelines, whereas others are strict about how many letters, numbers, and special characters you should use.

The National Institute of Standards and Technology (NIST) advises that password strength boils down to the number of bits of entropy that a password has. So how can we calculate these bits of entropy? NIST has proposed the following rules to calculate the number of bits of entropy for a password:

1. The first byte counts as 4 bits.
2. The next 7 bytes count as 2 bits each.
3. The next 12 bytes count as 1.5 bits each.
4. Anything beyond that counts as 1 bit each.
5. Mixed case + nonalphanumeric = 2 to 6 more bits, depending on complexity.

For example, let's evaluate the following password's entropy: Pa$$wOrd (one you shouldn't use). Recall that each letter is represented as 1 byte.

- The first byte counts as 4 bits; therefore, "P" gives us 4 bits of entropy.
- The next 7 bytes count as 2 bits each; therefore, "a$$wOrd" gives us 7 x 2 bits = 14 additional bits of entropy.
- Mixed case + nonalphanumeric can give us up to 6 extra bits. Let's stay conservative and count 2 bits for these characters in our password, because the symbols are a close match for letters.

The total number of bits of entropy for our password is 4 + 14 + 2 = 20. How long will it take to crack this password using a brute-force attack? Well, we have 2^20 possibilities, and if a computer can guess 1,000 guesses per second it would take approximately 17 minutes (2^20 / 1,000 = 1,049 seconds) to break this password. We can agree that this is a very easy password to remember, but it is also very easy to break.

So how can we increase our password strength without making it almost impossible to remember? More companies are moving to passphrases instead of passwords. A passphrase is simply four or more words that do not form a common phrase such as a line from a song or movie. Let's look at the following password that uses four common words: horses love eating apples (without the spaces between the words). Applying the rules to its 22 characters gives 4 (for "h") + 14 (for the next 7 bytes, "orseslo") + 18 (for the next 12 bytes, "veeatingappl") + 2 (for the remaining "es") = 38 bits of entropy. It would take approximately 8.7 years (2^38 / 1,000 seconds) for a computer guessing 1,000 guesses per second to break this password. You can increase the strength of this password by adding spaces between the words or a few numbers at the end. This will then become a very easy password to remember but a very difficult one to crack.

General rules:

- Use passphrases, not passwords. Choose three or four easily remembered words.
- Longer is better. We recommend passphrases that are at least 15 characters long.
- Don't use the same passphrase everywhere. Instead, create a general passphrase you use but customize it for each site that requires a password by adding some numbers to it. For example, count the number of times the letter "a" appears in the URL of the website you are logging in to and add that to the end of your usual passphrase to create a unique passphrase just for that site.
- Always choose a unique passphrase for every high-risk site, such as your bank.
9. Refer to "Selecting passwords" on page 337 to determine the entropy of the following password "R@pt0r" and estimate how long it will take a computer that can guess 100 guesses in a second to crack this password.
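To make the tier rules in Management Focus 11-9 concrete, here is an added Python example (not code from the textbook) that applies rules 1 to 5 to a password and converts the result into the brute-force time the text uses. It runs the text's two examples, Pa$$wOrd and horsesloveeatingapples, and the exercise's "R@pt0r". The text gives the rule 5 bonus only as a range of 2 to 6 bits and picks 2 for Pa$$wOrd, so the bonus is a parameter here with that conservative default; the trigger used for it (mixed case or a non-alphanumeric character present) and the 365-day year are this example's assumptions.

```python
"""Entropy estimate and brute-force time under the NIST rules quoted in
Management Focus 11-9.  Added example for this page, not code from the
textbook.  Tiers: first byte 4 bits, next 7 bytes 2 bits each, next 12 bytes
1.5 bits each, 1 bit per byte beyond that, plus a 2..6 bit bonus (rule 5)."""

import string

TIERS = ((1, 4.0), (7, 2.0), (12, 1.5))   # (byte count, bits per byte), rules 1-3
TAIL_BITS_PER_BYTE = 1.0                  # rule 4: every byte after the first 20
SECONDS_PER_YEAR = 365 * 24 * 3600        # assumption: 365-day year


def base_entropy_bits(password: str) -> float:
    """Rules 1-4: position-dependent bits over the password's bytes
    (one byte per ASCII character, as the text assumes)."""
    remaining = len(password.encode("utf-8"))
    bits = 0.0
    for count, per_byte in TIERS:
        n = min(count, remaining)
        bits += n * per_byte
        remaining -= n
    return bits + remaining * TAIL_BITS_PER_BYTE


def bonus_applies(password: str) -> bool:
    """Rule 5 trigger (this example's reading of 'mixed case + nonalphanumeric'):
    mixed case, or at least one non-alphanumeric character."""
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return (has_upper and has_lower) or has_symbol


def entropy_bits(password: str, bonus_bits: float = 2.0) -> float:
    """Rules 1-5 combined.  The text gives the bonus as a 2..6 range and picks
    the conservative 2 for Pa$$wOrd; that default is this example's assumption."""
    if not 2.0 <= bonus_bits <= 6.0:
        raise ValueError("rule 5 bonus must lie between 2 and 6 bits")
    bonus = bonus_bits if bonus_applies(password) else 0.0
    return base_entropy_bits(password) + bonus


def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try all 2**bits candidates at the given rate (the worst case
    the text uses; on average the password falls after about half of that)."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Format a duration in the largest unit that fits, for the report."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.2f} {unit}"
    return f"{seconds:.2f} seconds"


def report(password: str, guesses_per_second: float, bonus_bits: float = 2.0) -> dict:
    """One row of the comparison: bits, keyspace size and crack time."""
    bits = entropy_bits(password, bonus_bits)
    seconds = brute_force_seconds(bits, guesses_per_second)
    return {"password": password, "bits": bits, "keyspace": int(2 ** bits),
            "seconds": seconds, "time": human_time(seconds)}


if __name__ == "__main__":
    # The text's two examples at 1,000 guesses/s, then the exercise's password
    # at 100 guesses/s with the low and high ends of the rule 5 range.
    rows = [
        report("Pa$$wOrd", 1_000),
        report("horsesloveeatingapples", 1_000),
        report("R@pt0r", 100, bonus_bits=2.0),
        report("R@pt0r", 100, bonus_bits=6.0),
    ]
    for r in rows:
        print(f"{r['password']:<24} {r['bits']:>5.1f} bits  "
              f"2^bits = {r['keyspace']:>15,}  -> {r['time']}")
```

Two caveats a practitioner should keep in mind when reading the output. First, the tier rules are a rough heuristic from the original NIST SP 800-63 guidance; NIST SP 800-63B (2017) withdrew them in favour of minimum length and checking candidates against lists of breached and dictionary passwords. Second, 2^bits / rate is the cost for an attacker who knows nothing about how people choose passwords; a cracker working from a dictionary with common substitutions will reach Pa$$wOrd or R@pt0r long before it has tried anything like 2^20 guesses, so treat these times as ceilings, not expectations.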