Passwords: does size matter, what characters?
Bill McGonigle
bill at bfccomputing.com
Fri Mar 10 16:59:01 EST 2006
On Mar 10, 2006, at 11:14, Drew Van Zandt wrote:
> If I were brute-forcing, I'd use a prehashed dictionary plus these
> substitutions:
>
> 1 for i
> 0 for o
> @ and 4 for a
cracklib does something like this. IIRC PAM checks against cracklib
for weak passwords. There's probably some way to hook cracklib from
the web app, if you care about very good passwords (you don't).
Two Deep Thoughts about passwords -
1. Many sites offer an 'enter the answer to your secret question'
fallback for people who have forgotten their password. This throws out
any strength your password may have had as an attacker is going to go
straight to "what's my dog's name" - Jake, Buddy, in. Most other sites
have a 'mail me my password' option. It's either that or pay a human
for tech support. Security vs. convenience.
2. Put a sane limit on the number of guesses (2 is crazy, 10 is
probably OK) and there's little opportunity for brute-force attacks.
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
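As an added example (not code from the original post or from cracklib/PAM), the following Python puts both of Bill's points into practice: a cracklib-style weak-password check that undoes the substitutions Drew listed (1 for i, 0 for o, @ and 4 for a) before comparing against a word list, and a per-account failed-guess limiter with a lockout instead of the "2 guesses" extreme. The word list, the account names, the limits and the 16-byte salt layout are constructed for illustration; a real deployment would load cracklib's dictionary and keep the limiter state in shared storage.

```python
import hashlib
import hmac
import os
import re

# Constructed sample dictionary; a real check would load cracklib's word list.
SAMPLE_DICT = {"password", "buddy", "jake", "summer", "letmein", "dragon"}

# Reverse map of the substitutions quoted in the thread.
UNSUBSTITUTE = str.maketrans({"1": "i", "0": "o", "@": "a", "4": "a"})


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' becomes 'password'."""
    return password.lower().translate(UNSUBSTITUTE)


def is_weak(password: str, dictionary=SAMPLE_DICT, min_length: int = 8) -> bool:
    """True if the password is too short or is a dictionary word, with or
    without leet substitutions and with or without trailing digits/punctuation
    ('Buddy2006!' -> 'buddy')."""
    if len(password) < min_length:
        return True
    lowered = password.lower()
    stripped = re.sub(r"[\d!?.]+$", "", lowered)
    return normalize(lowered) in dictionary or normalize(stripped) in dictionary


class GuessLimiter:
    """Count failed logins per account and lock the account for lock_seconds
    once max_failures is reached (the 'sane limit' from the post)."""

    def __init__(self, max_failures: int = 10, lock_seconds: int = 900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._state = {}  # account -> (failure_count, locked_until)

    def is_locked(self, account: str, now: float) -> bool:
        _, locked_until = self._state.get(account, (0, 0.0))
        return now < locked_until

    def record_failure(self, account: str, now: float) -> None:
        count, locked_until = self._state.get(account, (0, 0.0))
        count += 1
        if count >= self.max_failures:
            locked_until = now + self.lock_seconds
            count = 0  # counter restarts after the lock expires
        self._state[account] = (count, locked_until)

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest (constructed layout)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def attempt_login(limiter: GuessLimiter, account: str, password: str,
                  stored: bytes, now: float) -> str:
    """Returns 'locked', 'ok' or 'bad'; the lock check runs before any
    password work so a locked account costs the server nothing."""
    if limiter.is_locked(account, now):
        return "locked"
    if verify_password(password, stored):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account, now)
    return "bad"


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Buddy2006!", "J4ke", "correct horse battery"):
        print(f"{pw!r}: {'weak' if is_weak(pw) else 'ok'}")
    limiter = GuessLimiter(max_failures=3, lock_seconds=60)
    stored = hash_password("correct horse battery")
    for t in (100.0, 101.0, 102.0):
        print(attempt_login(limiter, "alice", "wrong", stored, now=t))
    print(attempt_login(limiter, "alice", "correct horse battery", stored, now=103.0))
    print(attempt_login(limiter, "alice", "correct horse battery", stored, now=200.0))
```

The `now` argument is passed in rather than read from the clock so the limiter is deterministic and testable; in production the caller supplies `time.time()`. The lock check runs before the (deliberately slow) PBKDF2 verification, so repeated guesses against a locked account are cheap to reject.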