comment on

If however our hashes have not been disclosed, all of that is hypothetical. In that case, network bandwidth and the overhead of your application is the limiting factor when bruteforcing.

There are many well-known mechanisms for defeating front-of-house attacks that are far, far more effective than password rules:

Insert an obligatory 5 second delay between accepting the password and the acceptance/rejection.
Even with 1000 concurrent attack vectors, a minimal 4-char password of upper-case-alpha only will require 2 weeks on average to crack.
Start with a 1 second delay and double it after each failure.
Even a single character password will take an average of 1 year to find.
Require email contact after 3 failed attempts.
Possibly the most effective.

To guard against GPU bruteforcing of disclosed hashes, the only practical solution (as people can hardly be convinced to use different 20+ character passphrases everywhere) is key stretching. If you use so many hashing rounds your machine takes 100 ms to calculate a hash, that doesn't hurt you much

(To the emboldened bit): Actually, they can.

The simple fact is that using the same 20-char pass-phrase everywhere is far more secure than using a different 8 character passwords at each site. And far easier to remember than multiple passwords.

And, if the information was out there and people would take notice, coming up with a single, memorable pass-phrase is actually quite easy:

'the quick brown fox', 'every good boy deserves favour', 'nine eleven two thousand and one'. 'marge, bart, and lisa', 'red orange yellow green blue indigo violet', ...

Even if the hash of your one passphrase is disclosed somewhere, cracking will take so long you'll be dead before you are vulnerable on other sites.

With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

The start of some sanity?

In reply to Re^7: Password strength calculation by BrowserUk
in thread Password strength calculation by cavac

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.