[nycphp-talk] password strength enforcement

felix zaslavskiy felix at bebinary.com
Mon Apr 12 02:12:00 EDT 2004


>> The real purpose of enforcing these types of rules is to push your
>> passwords into a statespace large enough to make brute force attacks
>> computationally expensive. There are more potential passwords of
>> exactly six letters than there are of any number between one and five
>> letters combined!

A more sensible way of preventing brute-force password attacks is to prevent
someone from automating trying all the password possibilities.  Unix-like
login programs have always had backoffs. It would be tricky to implement in a
web environment. The shortcut that I have seen web apps take is just to lock out
the IP for a day after a couple of tries. I think that solution is not ideal
because sometimes someone may not exactly remember the password but has a
mental picture of it and may get it after maybe even 10 tries.

>
> While I'm not a cryptology expert, nor do I play one on TV (or probably
> shouldn't even comment ), I think brute force attacks on today's PCs will
> defeat a lot of well thought out apps ... and you are going to be relying

Crypto is the art of scrambling bits so that one can't figure out the
original message without the key. Application security is an engineering
discipline of writing secure applications, under which the password issue
falls. Remember brute force is only possible if the adversary can actually
perform many tests in an automated way. In the web environment this
attack will generate millions of hits to the login page, which any good sys
admin should be able to spot eventually.

-- 
Felix Zaslavskiy
http://www.zaslavskiy.net
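The per-account backoff the post argues for, as an added example that is not part of the original message: instead of a flat per-IP lockout for a day, it applies a Unix-style exponential delay, so a user who half-remembers the password still gets ten tries in about four minutes while an automated guesser is held to roughly a hundred attempts a day per account. The `LoginThrottle` class, its parameters and the in-memory store are assumptions of this example, not code from the list.

```python
import time
from dataclasses import dataclass


@dataclass
class AttemptState:
    failures: int = 0          # consecutive failed attempts for this account
    next_allowed: float = 0.0  # epoch seconds before which a new try is refused


class LoginThrottle:
    """Per-account exponential backoff in the style of the Unix login program:
    the first free_tries failures are free, each later one doubles the wait
    (capped at max_delay), and nothing is ever locked outright."""

    def __init__(self, free_tries=3, base_delay=2.0, max_delay=900.0, clock=time.time):
        self.free_tries = free_tries
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock  # injectable so the schedule can be tested without sleeping
        self._state = {}    # username -> AttemptState; in-memory stand-in for a DB table

    def delay_after(self, failures):
        """Seconds imposed after `failures` consecutive failed attempts."""
        extra = failures - self.free_tries
        return 0.0 if extra < 0 else min(self.base_delay * 2 ** extra, self.max_delay)

    def seconds_until_allowed(self, username):
        """0.0 if a login attempt may proceed now, otherwise the remaining wait."""
        st = self._state.get(username)
        return 0.0 if st is None else max(0.0, st.next_allowed - self.clock())

    def record_failure(self, username):
        """Register a failed attempt; returns the wait now in force for this account."""
        st = self._state.setdefault(username, AttemptState())
        st.failures += 1
        wait = self.delay_after(st.failures)
        st.next_allowed = self.clock() + wait
        return wait

    def record_success(self, username):
        self._state.pop(username, None)  # a correct password clears the backoff state

    def attempts_possible(self, budget_seconds):
        """Guesses an attacker can submit against one account within budget_seconds
        if it retries the instant each wait expires (for sizing the schedule)."""
        tries, elapsed = 1, 0.0
        while True:
            elapsed += self.delay_after(tries)
            if elapsed > budget_seconds:
                return tries
            tries += 1
```

With the defaults, a user sits through 254 seconds of accumulated delay to make ten attempts, and `attempts_possible(86400)` shows the same schedule caps a patient guesser at 106 tries per account per day, each of which still lands in the web server log.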