[nycphp-talk] password strength enforcement

Allen Shaw ashaw at iifwp.org
Mon Apr 12 16:39:39 EDT 2004


You know it seems like all this must have surely been discussed hundreds of
times by other people, maybe even by us, before.  Wouldn't this all be
somewhat generally understood by now, and maybe even written down in some
reliable source?  I've found lots of "advice" on good password policy, but
nothing that claimed or seemed to be vaguely authoritative.  Are there just
too many variables to generalize about, or maybe people aren't interested in
really understanding the issue?

- Al

----- Original Message ----- 
From: "Adam Maccabee Trachtenberg" <adam at trachtenberg.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Sunday, April 11, 2004 8:32 PM
Subject: Re: [nycphp-talk] password strength enforcement


> On Sun, 11 Apr 2004, jon baer wrote:
>
> > Just FYI, this is what is meant by "brute force" and you are right a lot
> > of *crackers* allow you to adjust the amount of digits which *must* appear
> > in the password, BUT to prevent this type of cracking you do *not* want to
> > publicize what your password policy is ... a lot of signup forms make
> > this terrible presumption that guys signing up to a form are legit people
> > when in fact if you have an error message like:
> >
> > password:
> > * must use 3 digits
> > * must be 6 - 8 characters long (or max)
> >
> > You kinda give away a lot of info :-)
>
> I don't know. Do you really think it's better to make the user guess
> through trial and error? If I was signing up for your site, I'd get
> frustrated pretty quickly.
>
> Besides, it's not that hard for a cracker to try a few sample
> passwords and generalize what does and doesn't make it through your
> filters.
>
> The real purpose of enforcing these types of rules is to push your
> passwords into a statespace large enough to make brute force attacks
> computationally expensive. There are more potential passwords of
> exactly six letters than there are of any number between one and five
> letters combined!
>
> So, letting a cracker know he can skip short passwords doesn't really
> help him out all that much. (Likewise, for skipping dictionary
> attacks.) Plus, if you can't detect someone trying to sign in to an
> account over a billion times, you've got a much larger problem. :)
>
> -adam
>
> -- 
> adam at trachtenberg.com
> author of o'reilly's php cookbook
> avoid the holiday rush, buy your copy today!
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
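Adam's statespace argument, and the "how much does publishing the policy help" question raised by Jon, worked through in numbers. This is added example code, not from the thread; it assumes a lowercase-letter plus digit alphabet and reads "must use 3 digits" as "at least 3 digits".

```python
from math import comb, log2

# Constructed alphabet sizes for the estimate: 26 lowercase letters, 10 digits.
LETTERS = 26
DIGITS = 10

def keyspace_exact(alphabet_size, length):
    """Passwords of exactly `length` characters over an alphabet."""
    return alphabet_size ** length

def keyspace_up_to(alphabet_size, max_length):
    """Passwords of 1..max_length characters over an alphabet."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))

def keyspace_min_digits(length, min_digits, letters=LETTERS, digits=DIGITS):
    """Passwords of exactly `length` letters/digits containing at least
    `min_digits` digits: choose the digit positions, then fill every slot."""
    return sum(comb(length, d) * digits ** d * letters ** (length - d)
               for d in range(min_digits, length + 1))

def policy_keyspace(min_len, max_len, min_digits):
    """Passwords accepted by the signup rule quoted in the thread, read as
    'min_len to max_len characters, at least min_digits digits' (assumption)."""
    return sum(keyspace_min_digits(n, min_digits)
               for n in range(min_len, max_len + 1))

def disclosure_cost_bits(min_len, max_len, min_digits):
    """Bits of search an attacker saves by knowing the policy, compared with
    blindly trying every letter/digit string of 1..max_len characters."""
    blind = keyspace_up_to(LETTERS + DIGITS, max_len)
    informed = policy_keyspace(min_len, max_len, min_digits)
    return log2(blind / informed)

if __name__ == "__main__":
    six = keyspace_exact(LETTERS, 6)
    shorter = keyspace_up_to(LETTERS, 5)
    print(f"exactly 6 letters: {six:,}")
    print(f"1 to 5 letters:    {shorter:,}  (ratio {six / shorter:.1f}x)")
    print(f"publishing '6-8 chars, 3+ digits' saves "
          f"{disclosure_cost_bits(6, 8, 3):.2f} bits of brute force")
```

Skipping every password shorter than six letters removes about one twenty-fifth of the work, and knowing the full quoted policy saves under two bits, which is the quantitative form of Adam's point.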