Passwords: does size matter, what characters?

Bill McGonigle bill at bfccomputing.com
Fri Mar 10 16:59:01 EST 2006


On Mar 10, 2006, at 11:14, Drew Van Zandt wrote:

> If I were brute-forcing, I'd use a prehashed dictionary plus these
> substitutions:
>
> 1 for i
> 0 for o
> @ and 4 for a

cracklib does something like this.  IIRC PAM checks against cracklib 
for weak passwords.  There's probably some way to hook cracklib from 
the web app, if you care about very good passwords (you don't).

Two Deep Thoughts about passwords -

	1. Many sites offer an 'enter the answer to your secret question' 
fallback for people who have forgotten their password.  This throws out 
any strength your password may have had as an attacker is going to go 
straight to "what's my dog's name" - Jake, Buddy, in.  Most other sites 
have a 'mail me my password' option.  It's either that or pay a human 
for tech support.  Security vs. convenience.
	2. Put a sane limit on the number of guesses (2 is crazy, 10 is 
probably OK) and there's little opportunity for brute-force attacks.

-Bill
-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
