Mark & Juanita
On Sat, 08 Jan 2005 19:52:23 GMT, "Mark Jerde" wrote:

> Mark & Juanita wrote:
>
>> yep those password policies really
>> helped improve security, didn't they?
>
> One client of ours has insane IMO requirements: 15 characters, must include
> at least a number and a special character, and NO WORDS!


Ostensibly this is to prevent dictionary-driven programs from trying
combinations of words and numbers to break into a user's account. Now,
applying the common sense rule here, coupled with the fact that most
security protocols either lock out the user for a certain period of time
(30 minutes, 2 hours, etc) or permanently (requiring sysadmin to reset the
password) after 3 (or some other number of) failed login attempts -- given
that the user hasn't chosen aardvark1 as a password, how long is it going
to take an automated hacking program to get user access with brute-force
attacks? Given the example you cite below, just because banana may be a
word is not an aid to an attack on a system with a password lock policy.

> Usually for
> requirements like that I'll use the dictionary technique. Open a thick
> book, use the first word I see, open to another page, use the page number,
> open to another page & use the first word I see, etc. This client's policy
> wouldn't accept e.g.
>    banana48file62uses323/count
> because it said "banana" was a word!
>
> However, a password of this form is blessed. <g>
>    aaaaaaaaaaaaa1/


Oooh, I can see how that is *much* more secure than the banana password :-)


-- Mark




+--------------------------------------------------------------------------------+

Now we'll just use some glue to hold things in place until the brads dry

+--------------------------------------------------------------------------------+
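The policy and the lockout arithmetic argued about in this thread, modelled as an added example in Python. This is not code from either poster or from any real product: the client's rules are taken as the post describes them (15+ characters, a digit, a special character, no dictionary words), the wordlist is a constructed stand-in containing only the words that appear in the thread, the "repeated character, then digit, then special" mask attack is a constructed attack model, and the offline cracking rate is an assumed figure. The point it makes concrete: the policy rejects the banana passphrase and blesses the repeated-character one, yet a targeted mask needs only a few hundred thousand guesses for the blessed one, which is within reach even under a 3-tries-per-30-minutes lockout, and is instant offline. Lockout bounds online guessing only; if the password hash is stolen, no lockout applies.

```python
"""Added example: model the password policy discussed in the thread.

Rules as the post describes them: >= 15 characters, at least one digit,
at least one special character, no dictionary words anywhere in the password.
The wordlist, the mask-attack model and the offline rate are constructed
assumptions, not measurements of any real system.
"""
import string

# Constructed stand-in for the client's dictionary (assumption: the real list
# is unknown; these are just the words that appear in the thread).
WORDLIST = sorted({"aardvark", "banana", "count", "file", "uses"})

SPECIALS = set(string.punctuation)  # the 32 ASCII punctuation characters
PRINTABLE = 95                      # printable ASCII characters, space included


def client_policy(pw, min_len=15, wordlist=WORDLIST):
    """Return (accepted, reason) under the client's rules as the post describes them."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len}"
    if not any(c.isdigit() for c in pw):
        return False, "no digit"
    if not any(c in SPECIALS for c in pw):
        return False, "no special character"
    lowered = pw.lower()
    for word in wordlist:          # sorted, so the first hit is deterministic
        if word in lowered:
            return False, f"contains word {word!r}"
    return True, "ok"


def charset_size(pw):
    """Size of the smallest class alphabet (lower/upper/digit/special/space)
    covering every character in pw: what a naive exhaustive search enumerates."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SPECIALS for c in pw):
        size += len(SPECIALS)
    if " " in pw:
        size += 1
    return size


def brute_force_guesses(pw):
    """Worst case for an attacker who knows only the length and character classes."""
    return charset_size(pw) ** len(pw)


def repeated_char_mask_guesses(pw, min_len=15, max_len=20):
    """Guess count for a targeted mask: one printable character repeated, then
    a digit, then a special character, tried over lengths min_len..max_len.
    Returns None if pw does not have that shape. (Constructed attack model.)"""
    body, digit, special = pw[:-2], pw[-2], pw[-1]
    if not (len(set(body)) == 1 and digit.isdigit() and special in SPECIALS):
        return None
    return PRINTABLE * 10 * len(SPECIALS) * (max_len - min_len + 1)


def best_guesses(pw):
    """Cheapest of the attacks modelled here; the attacker picks the cheapest."""
    candidates = [brute_force_guesses(pw), repeated_char_mask_guesses(pw)]
    return min(g for g in candidates if g is not None)


def online_years(guesses, attempts_before_lockout=3, lockout_minutes=30):
    """Years to exhaust `guesses` against a login that locks for lockout_minutes
    after attempts_before_lockout failures (the lockout policy the post describes)."""
    per_day = attempts_before_lockout * (24 * 60 / lockout_minutes)  # 144/day by default
    return guesses / per_day / 365


def offline_seconds(guesses, rate=1e9):
    """Seconds at an assumed offline hash-cracking rate; lockouts do not apply."""
    return guesses / rate


def report(pw):
    """Policy verdict next to the modelled attack cost, so the two can be compared."""
    accepted, reason = client_policy(pw)
    g = best_guesses(pw)
    return {"accepted": accepted, "reason": reason, "guesses": g,
            "online_years": online_years(g), "offline_seconds": offline_seconds(g)}


if __name__ == "__main__":
    # The two passwords from the thread; the second is 13 'a's followed by "1/".
    for pw in ("banana48file62uses323/count", "a" * 13 + "1/"):
        print(pw, report(pw))
```

Running it shows the inversion the thread is laughing at: the banana passphrase is rejected for containing a word but costs 68^27 guesses under the naive model, while the blessed password is accepted and falls to the mask model in 182,400 guesses, roughly three and a half years of patient online guessing under the 3-per-30-minutes lockout and well under a millisecond offline.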