On Wed, Feb 18, 2015 at 4:15 AM, Richard Pieri <[email protected]> wrote:
> So. Someone replied directly to me instead of the list suggesting that
> character length is an important factor in password security.
>
> Letter count is a pointless factor in password security. "Four score and
> seven years ago" is 30 characters and still trivially vulnerable to
> dictionary attacks. "We hold these truths to be self-evident" is 40
> characters and it is just as weak as the first example.
>
> Password reform starts with abandoning password rules and policies. Rules
> and policies are bad. Every policy that you enforce makes it easier for
> attackers to analyze passwords. If you have a policy that enforces a 15
> character minimum then an attacker knows to ignore everything that is 14 or
> fewer characters, and given human nature he can ignore everything over about
> 20 characters for most passwords. If you have a policy that enforces the use
> of at least one number then an attacker has 9 known possible plaintexts in
> every password. At least one capital letter is 26 known possible plaintexts.
> And so forth.
The problem with this is that if you don't enforce a minimum length on passwords, a significant number of your users will use something that is probably less than 6 characters long. Of course, many of those would fall to a dictionary attack as well. And the same users are going to use "Four score ...." if you require longer passwords, so you lose anyway.

Bill Bogstad
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
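A worked illustration of the arithmetic behind the two messages above, added by the editor and not written by either poster. It models two things the thread argues about: how many candidate strings a composition rule (minimum length, mandatory character classes) removes from an attacker's search, computed exactly by inclusion-exclusion, and why a long but famous quotation falls to a phrase dictionary no matter how many characters it has. Assumptions not taken from the thread: a 62-symbol alphabet (a-z, A-Z, digits counted as the ten symbols 0-9), the "nobody types more than 20 characters" cap used as the attacker's upper bound, and a constructed three-entry phrase list standing in for the multi-million-line quotation lists real cracking rigs carry.

```python
# Editor's added example (not from the mailing-list thread). Quantifies how a
# password composition policy shrinks an attacker's search space, and shows a
# minimal phrase-dictionary check that defeats long quotations.
# Assumed alphabet: a-z, A-Z, 0-9 (62 symbols). Phrase list is constructed.
from itertools import combinations
from math import log2
import re

LOWER, UPPER, DIGIT = 26, 26, 10
ALPHABET = LOWER + UPPER + DIGIT  # 62 symbols


def keyspace_with_required_classes(length, required=()):
    """Count strings of exactly `length` symbols that contain at least one
    symbol from every class in `required` (each entry is a class size).
    Inclusion-exclusion over the classes a string is *missing*: subtract
    strings lacking class A, lacking class B, add back strings lacking both."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            total += (-1) ** k * (ALPHABET - sum(missing)) ** length
    return total


def keyspace_for_policy(min_len, max_len, required=()):
    """Candidates an attacker must consider when the policy publishes a
    minimum length and the attacker assumes nobody exceeds `max_len`."""
    return sum(keyspace_with_required_classes(n, required)
               for n in range(min_len, max_len + 1))


def bits_removed(min_len, max_len, required=()):
    """Bits of search the attacker is spared, relative to 'any string of
    1..max_len symbols with no rules', once the policy is known."""
    unconstrained = keyspace_for_policy(1, max_len)
    constrained = keyspace_for_policy(min_len, max_len, required)
    return log2(unconstrained) - log2(constrained)


# Constructed stand-in for the huge lists of speeches, lyrics and book
# openings that cracking tools load as wordlists.
PHRASE_LIST = {
    "four score and seven years ago",
    "we hold these truths to be self evident",
    "to be or not to be",
}


def normalize(candidate):
    """Apply the same normalization a cracker's rule set applies before
    comparison: lowercase, punctuation to spaces, collapsed whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", candidate.lower()).split())


def in_phrase_dictionary(candidate):
    """True if the candidate is a known phrase, whatever its character count."""
    return normalize(candidate) in PHRASE_LIST


def nominal_vs_actual_bits(candidate):
    """Contrast the naive 'length times alphabet' entropy with the real cost
    of guessing a phrase that sits in the dictionary (log2 of list size)."""
    nominal = len(candidate) * log2(ALPHABET)
    actual = log2(len(PHRASE_LIST)) if in_phrase_dictionary(candidate) else nominal
    return nominal, actual


if __name__ == "__main__":
    # Minimum 8, humans stop at 8: a digit + capital rule removes ~26% of
    # candidates, roughly 0.45 bits of the attacker's work.
    print("bits removed by 'min 8, 1 digit, 1 capital':",
          round(bits_removed(8, 8, (DIGIT, UPPER)), 2))
    for phrase in ("Four score and seven years ago",
                   "We hold these truths to be self-evident"):
        nominal, actual = nominal_vs_actual_bits(phrase)
        print(f"{phrase!r}: nominal {nominal:.0f} bits, actual {actual:.1f} bits")
```

The inclusion-exclusion count is exact, so it can be checked by hand for small cases: with one mandatory digit in an 8-symbol password the count is 62^8 - 52^8, the strings over the full alphabet minus those that use no digit. The phrase check shows the other half of the thread's argument: the 30- and 40-character quotations have a nominal entropy of 180 and 240 bits, but their actual guessing cost is the size of the phrase list.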
