Re: Password complexity - improvement
- From: Ansgar -59cobalt- Wiechers <bugtraq@xxxxxxxxxxxxxxxx>
- Date: Fri, 17 Aug 2007 01:49:26 +0200
On 2007-08-16 Thor (Hammer of God) wrote:
> Ah.... NOW I see what you mean... As in, if you required all 4
> complexity requirements, and you knew the first three characters were
> Aa1, then you'd know for a fact that the last character had to be a
> "special" character...
Not exactly. By requiring characters from all 4 groups to be present in
the password you reduce the number of passwords an attacker must brute-
force (because he can skip certain passwords now). How much that will
gain him effectively depends on the length of the passwords and the
number of special characters. I agree that for passwords of reasonable
length and with an adequate number of special characters the loss will
indeed be negligible, but I still think you need to take this effect
into consideration before implementing a policy like that.
> Only problem with that is that a BF attack does not give us one
> character at a time. You have to "crack" the hash in singularity...
I am aware of that.
Regards
Ansgar Wiechers
--
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
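
Added example, not part of the original post: a policy-evaluation sketch that uses inclusion-exclusion to measure how much of the fixed-length password space remains once all 4 character groups are mandatory, and how that changes with length. The class sizes (26 lower, 26 upper, 10 digits, 32 specials) and the function names are assumptions; the thread gives no figures.

```python
from itertools import combinations
from math import log2

# Assumed class sizes (not stated in the thread): printable ASCII without space.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def compliant_count(length, sizes):
    """Count passwords of exactly `length` chars that use every class at least once.

    Inclusion-exclusion: for every subset of classes assumed to be entirely
    absent, count the strings over the remaining alphabet, alternating the sign.
    """
    alphabet = sum(sizes)
    total = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            total += (-1) ** k * (alphabet - sum(missing)) ** length
    return total


def policy_cost(length, sizes):
    """Return (fraction of the full space that satisfies the policy,
    bits of search space removed by making all classes mandatory)."""
    full = sum(sizes) ** length
    ok = compliant_count(length, sizes)
    if ok == 0:
        # Password is shorter than the number of required classes.
        return 0.0, float("inf")
    return ok / full, log2(full / ok)


if __name__ == "__main__":
    sizes = list(CLASSES.values())
    print("len  compliant fraction  bits removed")
    for n in (4, 6, 8, 10, 12, 16):
        frac, lost = policy_cost(n, sizes)
        print(f"{n:>3}  {frac:>18.4f}  {lost:>12.2f}")
    # Effect of a smaller special-character set at a fixed length of 8
    # (10 specials is a constructed value for comparison).
    for specials in (10, 32):
        frac, lost = policy_cost(8, [26, 26, 10, specials])
        print(f"specials={specials:<2} len=8 fraction={frac:.4f} bits removed={lost:.2f}")
```

Pass a different `sizes` list to evaluate a site's actual allowed character set before adopting an "all groups required" rule.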