Password strength and online versus offline dictionary attack
- From: woger151@xxxxxxxxxxxxxxxx
- Date: Sun, 05 Aug 2007 05:27:37 -0700
My impression from reading around is that really strong passwords
aren't necessary if all one has to do is protect against online
dictionary or brute force attacks. (Assuming one has taken
precautions against such attacks like limiting the rate of attempted
logins, locking out accounts after too many failed logins, etc.)
What are the criteria for deciding that offline dictionary attacks are
not a threat? I would assume it's "if they can't get ahold of the
hashed password, there's no issue."
In my particular system, users connect to an apache website via SSL.
So I don't see how the hashed passwords could be sniffed, unless the
user computer is completely compromised (in which case all is lost
insofar as the intruder will know the plaintext username and password
anyway), or the server is compromised enough that the password hash
files are available (in which case, all is lost anyway from the server
standpoint as those files are highly protected).
I'm asking because I just went live with a production web-server/database box, and the end users aren't too happy with the random, hard-to-memorize passwords I've handed them.
TIA
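The reasoning in the question, that the strength a password needs depends on how many guesses the attacker can actually make, can be put into numbers. The following is an added example, not part of the original post; the lockout policy (5 failures, 15-minute lockout) and the two hash rates (a fast unsalted hash versus a deliberately slow password hash) are constructed figures chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def online_guess_budget(lockout_threshold, lockout_seconds,
                        attack_seconds=SECONDS_PER_YEAR):
    """Upper bound on guesses against one account when the server locks the
    account for lockout_seconds after lockout_threshold failed logins.
    Each lockout window allows at most lockout_threshold attempts."""
    windows = attack_seconds / lockout_seconds
    return lockout_threshold * windows


def offline_guess_budget(hashes_per_second, attack_seconds=SECONDS_PER_YEAR):
    """Guesses available to an attacker who holds the password hash file and
    is limited only by how fast the hash can be computed."""
    return hashes_per_second * attack_seconds


def required_bits(guess_budget, success_probability=0.5):
    """Entropy (bits) a uniformly random password needs so that guess_budget
    guesses succeed with probability at most success_probability.
    With a space of 2**bits, g guesses succeed with probability g / 2**bits."""
    return math.ceil(math.log2(guess_budget / success_probability))


def password_bits(alphabet_size, length):
    """Entropy of a password drawn uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def threat_model_report():
    """Required entropy under each threat model (constructed parameters)."""
    online = online_guess_budget(lockout_threshold=5, lockout_seconds=15 * 60)
    offline_fast = offline_guess_budget(hashes_per_second=1e9)   # unsalted fast hash
    offline_slow = offline_guess_budget(hashes_per_second=1e4)   # slow password hash
    return {
        "online_rate_limited": required_bits(online),
        "offline_fast_hash": required_bits(offline_fast),
        "offline_slow_hash": required_bits(offline_slow),
    }


if __name__ == "__main__":
    print(threat_model_report())
    print("8 lowercase letters:", round(password_bits(26, 8), 1), "bits")
```

The online budget is bounded by the lockout policy rather than by hardware, so a far shorter password suffices there than against an attacker who can hash offline; the hash function's cost decides how far the offline requirement drops.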
- Follow-Ups:
- Re: Password strength and online versus offline dictionary attack
- From: Thomas Pornin
- Re: Password strength and online versus offline dictionary attack