
Re: Users Password



> I know. But something that maybe you don't know is that
> dictionary-based attacks can be extremely good in case
> you never asked your users to choose good passwords.
> Brute force attacks can also be quite good in case
> you have a lot of processor time.

Usually, brute-forcing passwords is not for the regular man.
Let's count how much it takes for 1000 passwords. Let's say we have
alphanumeric characters and 10 punctuation chars - altogether 72 chars.
72*72*72*72*72*72*72*72 is 722204136308736. Trying 1 million combinations
per second might take about 8358 days to find them all. This is the worst
case, though. You may expect the first one in about 4 days, since all
passwords might be checked in parallel ;) A dictionary attack may be more
efficient, but will never give 100% success.

Anyway, by calling by phone you may recover one password every 2-3
minutes, which is much better. ;) Using duplicate authentication with a
warning and turning off the old method after some time would be yet better,
and those who didn't bother to register in the new scheme will have to beg
you. ;)

Also, I remember that when there was yet another security breach in the HUJI CS
system, sysadmins just forced every user to physically meet with an admin and
re-register. You maybe do not wield such unlimited power over your users as
HUJI CS sysadmins do over students, however.
-- 
frodo@sharat.co.il	\/  There shall be counsels taken
Stanislav Malyshev	/\  Stronger than Morgul-spells
phone +972-2-6245112	/\  		JRRT LotR.
http://sharat.co.il/frodo/	whois:!SM8333