in reply to Re^4: Password strength calculation
in thread Password strength calculation

They will try "dictionary" attacks first,

Why? When it takes 17 seconds to eliminate all the 6-character alphanumeric possibilities on a single GPU, you might as well run it anyway.

Unless you know for sure that you can exclude them, in which case, why not save a few cents.

Yes, a minimum length is a good idea, but 4, 6 or 8 simply isn't enough to make the slightest difference. You aren't even vaguely affecting anything until you get to at least 12 chars these days.

The more logical approach would be to exclude all known words (in all languages). But if the attacker knows you are doing it, you've still helped rather than hindered him.

In the end, any known restrictions simply help the attacker.


With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.

The start of some sanity?

Re^6: Password strength calculation
by JavaFan (Canon) on Jan 21, 2012 at 08:42 UTC
    Wait, you're saying disallowing people to pick passwords that an attacker can crack in 17 seconds helps an attacker?

    That's a logic I cannot fathom.

      Wait, you're saying disallowing people to pick passwords that an attacker can crack in 17 seconds helps an attacker?

      Yes. It is 17 seconds of work he doesn't have to do.

      If you don't have a length restriction, the majority of people will still use more than that and he has to look.

      If you do have a length restriction, he no longer has to.

      It's not much, but combine that with other restrictions and you are simply reducing the search space.

      That's a logic I cannot fathom.

      Sure you can.


        If you don't have a length restriction, the majority of people will still use more than that and he has to look.
        Sure, but security should work for everyone, not just the majority.

        Without a length restriction, a significant minority will pick short passwords. If there are 12 people that can access my credit card information, I'm not satisfied if the majority of them pick a long password. I'd rather have it enforced that all of them have a long password; I think that outweighs the 17 seconds an attacker gains.
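As an added illustration of the numbers argued over in this thread (not code from any of the posters), here is a small keyspace calculator calibrated to the "17 seconds for all 6-character alphanumerics on one GPU" figure above; the implied guess rate and the example policies are assumptions made for the example.

```python
# Added example, not from the thread: size of the [a-zA-Z0-9] search space
# under different length policies, and how long exhausting it takes at the
# guess rate implied by "all 6-char alphanumerics in 17 s on a single GPU".

ALNUM = 62                        # a-z, A-Z, 0-9
SECONDS_PER_YEAR = 365 * 24 * 3600

# Guess rate back-calculated from the thread's figure (an assumption for
# this example, not a measured benchmark).
GUESSES_PER_SEC = ALNUM ** 6 // 17


def keyspace(alphabet: int, min_len: int, max_len: int) -> int:
    """Number of candidate strings of length min_len..max_len inclusive."""
    if min_len < 1 or max_len < min_len:
        return 0
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def exhaust_seconds(space: int, rate: int = GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / rate


def fraction_pruned_by_minimum(alphabet: int, min_len: int, max_len: int) -> float:
    """Share of the 1..max_len space an attacker may skip once a published
    policy guarantees no password is shorter than min_len."""
    return keyspace(alphabet, 1, min_len - 1) / keyspace(alphabet, 1, max_len)


def report(min_len: int, max_len: int) -> None:
    total = keyspace(ALNUM, min_len, max_len)
    secs = exhaust_seconds(total)
    print(f"len {min_len}..{max_len}: {total:.3e} candidates, "
          f"{secs:.1f} s = {secs / SECONDS_PER_YEAR:.1f} years")


if __name__ == "__main__":
    report(1, 6)      # the thread's 17-second case (plus shorter strings)
    report(6, 8)      # a typical "min 6 / max 8" policy
    report(1, 12)     # everything up to the "starts to matter" length
    report(12, 12)    # exactly 12 characters
    # What a known minimum of 8 saves an attacker who must cover up to 12:
    print(f"pruned by min 8 of 12: {fraction_pruned_by_minimum(ALNUM, 8, 12):.2e}")
```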