There are many well-known mechanisms for defeating front-of-house attacks that are far, far more effective than password rules:

How so? Finding any password at all over the net if a dictionary attack doesn't work is a matter of sheer luck with astronomical odds against the attacker. At an utterly negligible disadvantage upon hash disclosure.

• Insert an obligatory 5 second delay between accepting the password and the acceptance/rejection.

Even with 1000 concurrent attack vectors, a minimal 4-char password of upper-case-alpha only will require 2 weeks on average to crack.

As the connections aren't doing anything else but wait for the response most of the time, it's not a problem for even a tiny botnet to open a lot more. And 26^4 is already about twice as much as my /usr/share/dict/words that includes a lot of rather obscure words---remember we're talking about dictionary attacks, not searching a whole keyspace of random combinations.

• Start with a 1 second delay and double it after each failure.
  Even a single character password will take an average of 1 year to find.
• Require email contact after 3 failed attempts.
  Possibly the most effective.

Effective for getting people DOSed out of their accounts, yes. And your company getting DOSed by a stampede of users on the support hotline.

Of course all of these are pretty pointless if the number of accounts to try is big enough so the attacker can just invert the game: instead of trying to find one particular account's password, use a spammer's address list and try to find the ones who've used one of the top 10 most frequent passwords.

Actually, they can (be convinced to use 20+ character passphrases)

The simple fact is that using the same 20-char pass-phrase everywhere is far more secure than using a different 8 character passwords at each site. And far easier to remember than multiple passwords.

And, if the information was out there and people would take notice, coming up with a single, memorable pass-phrase is actually quite easy:

Yes, I read this XKCD when it came out. The only problem is you got your grammatical moods mixed up: the information is out there (realis) so if people would take notice (conditional) they could be convinced, which sounds like conditional but as they don't take notice it's actually irrealis :)

All your passphrase examples are of course perfectly alright by Cracklib's criteria.

---

---

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

• How do I compose an effective node title?
• How do I post a question effectively?
• Markup in the Monastery

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		&
	<		&lt;
	>		&gt;
	[		&#91;
	]		&#93;

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.