[nycphp-talk] password strength enforcement
jon baer
jonbaer at jonbaer.net
Mon Apr 12 00:46:58 EDT 2004
> I don't know. Do you really think it's better to make the user guess
> through trial and error? If I was signing up for your site, I'd get
> frustrated pretty quickly.
Well it was mainly referring to the point of spilling *all* your beans @ the
point of error ... and if you are not tough on your app's password policy
then why even have rules to begin with?
> The real purpose of enforcing these types of rules is to push your
> passwords into a statespace large enough to make brute force attacks
> computationally expensive. There are more potential passwords of
> exactly six letters than there are of any number between one and five
> letters combined!
While I'm not a cryptology expert, nor do I play one on TV (or probably
shouldn't even comment), I think brute force attacks on today's PCs will
defeat a lot of well thought out apps ... and you are going to be relying on
multiple passwords for one app (but that's another discussion :-)
> So, letting a cracker know he can skip short passwords doesn't really
> help him out all that much. (Likewise, for skipping dictionary
> attacks.) Plus, if you can't detect someone trying to sign in to an
> account over a billion times, you've got a much larger problem. :)
Good point :-) So has anyone here ever been the *victim* of BF attacks?
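The keyspace argument quoted above, and the "spill all your beans at the point of error" point, worked through in code. This is an added example, not code from the thread or from any poster; the alphabet sizes (26 lower-case letters, 62 alphanumerics) and the policy rules are assumptions chosen for illustration.

```python
"""Constructed example: how much a minimum-length rule grows the password
keyspace, how little an attacker gains from knowing it, and a policy check
that reports every violation at once instead of one per failed attempt."""
from typing import List


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_upto(alphabet_size: int, max_length: int) -> int:
    """Number of distinct strings of length 1..max_length inclusive."""
    return sum(keyspace(alphabet_size, n) for n in range(1, max_length + 1))


def fraction_skipped_by_min_length(alphabet_size: int, min_length: int,
                                   max_length: int) -> float:
    """Share of the 1..max_length space an attacker may discard once told
    that every password is at least min_length long.  The quoted claim
    (exactly n symbols outnumber all shorter lengths combined) implies
    this share is small; for a 62-symbol alphabet it is roughly 1/62."""
    total = keyspace_upto(alphabet_size, max_length)
    skipped = keyspace_upto(alphabet_size, min_length - 1)
    return skipped / total


def check_policy(password: str, min_length: int = 8) -> List[str]:
    """Return every violated rule in one pass (assumed rules), so a user
    learns the whole policy on the first rejection rather than by trial
    and error.  An empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"at least {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("at least one digit")
    if not any(c.isalpha() for c in password):
        problems.append("at least one letter")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("both upper- and lower-case letters")
    return problems


if __name__ == "__main__":
    print(keyspace(26, 6), ">", keyspace_upto(26, 5))
    print(f"skipped by knowing min length 8: "
          f"{fraction_skipped_by_min_length(62, 8, 8):.2%}")
    print(check_policy("abc"))
```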