On Sat, 08 Jan 2005 19:52:23 GMT, "Mark Jerde" wrote:
Mark & Juanita wrote:
yep those password policies really
helped improve security, didn't they?
One client of ours has insane (IMO) requirements: 15 characters, must include
at least a number and a special character, and NO WORDS!
Ostensibly this is to prevent dictionary-driven programs from trying
combinations of words and numbers to break into a user's account. Now,
applying the common sense rule here, coupled with the fact that most
security protocols either lock out the user for a certain period of time
(30 minutes, 2 hours, etc) or permanently (requiring sysadmin to reset the
password) after 3 (or some other number) of failed login attempts -- given
that the user hasn't chosen aardvark1 as a password, how long is it going
to take an automated hacking program to get user access with brute-force
attacks? Given the example you cite below, just because banana may be a
word is not an aid to an attack on a system with a password lock policy.
Usually for requirements like that I'll use the dictionary technique. Open a thick
book, use the first word I see, open to another page, use the page number,
open to another page & use the first word I see, etc. This client's policy
wouldn't accept e.g.
banana48file62uses323/count
because it said "banana" was a word!
However, a password of this form is blessed. <g>
aaaaaaaaaaaaa1/
Oooh, I can see how that is *much* more secure than the banana password
:-)
-- Mark
+--------------------------------------------------------------------------------+
Now we'll just use some glue to hold things in place until the brads dry
+--------------------------------------------------------------------------------+
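An added illustration of the two points made in this exchange (my code, not anything from the thread): a model of the client's policy accepts the repeated-letter password and rejects the book-word one, while a rough attacker-cost estimate shows which of the two an offline cracker would actually recover quickly, and how far a 3-tries-per-30-minutes lockout slows an online guesser even against the weak one. The word list, its assumed 100,000-entry size for the estimate, and the 33-symbol special-character set are assumptions.

```python
import math
import re

# Constructed stand-in for the client's word list (assumption; the real list is unknown).
WORDS = {"banana", "file", "uses", "count", "aardvark"}
ASSUMED_WORDLIST_SIZE = 100_000   # assumed size of a real cracking dictionary
STRONG = "banana48file62uses323/count"   # the password the client rejected
WEAK = "a" * 13 + "1/"                   # the one it accepted (aaaaaaaaaaaaa1/)

def client_policy(pw):
    """Model of the policy quoted above: 15+ chars, a digit, a special
    character, and no dictionary word anywhere in the password."""
    if len(pw) < 15:
        return False, "too short"
    if not re.search(r"\d", pw):
        return False, "no digit"
    if not re.search(r"[^A-Za-z0-9]", pw):
        return False, "no special character"
    hit = next((w for w in sorted(WORDS) if w in pw.lower()), None)
    if hit:
        return False, f"contains the word {hit!r}"
    return True, "accepted"

_TOKEN = re.compile(
    rf"(?P<word>{'|'.join(sorted(WORDS, key=len, reverse=True))})"
    r"|(?P<digits>\d+)|(?P<run>(?P<ch>[a-z])(?P=ch)*)|(?P<other>.)")

def guess_bits(pw):
    """Rough attacker-model strength: a dictionary word costs one pick from
    the word list, a digit run costs log2(10) per digit, a run of one repeated
    letter costs the letter plus its length, anything else one of 33 symbols."""
    bits = 0.0
    for m in _TOKEN.finditer(pw.lower()):
        if m.group("word"):
            bits += math.log2(ASSUMED_WORDLIST_SIZE)
        elif m.group("digits"):
            bits += len(m.group("digits")) * math.log2(10)
        elif m.group("run"):
            bits += math.log2(26) + math.log2(len(m.group("run")))
        else:
            bits += math.log2(33)
    return bits

def years_to_brute_force(bits, attempts_per_lockout=3, lockout_minutes=30):
    """Expected years for an online guesser allowed `attempts_per_lockout`
    tries per lockout window (the thread's 3 failures, 30-minute lockout)."""
    attempts_per_year = attempts_per_lockout * 365 * 24 * 60 / lockout_minutes
    return (2 ** bits / 2) / attempts_per_year
```

Under these assumptions the rejected password estimates at roughly 95 bits and the accepted one at under 17, yet the lockout still makes the weak one about a year's work for an online guesser; the policy only matters once an offline attacker has the hash.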