On 4/21/05, Steve Holdoway wrote:
I read a rather good article from someone at Mickey$oft about security. He suggested that you give up on the use of passwords altogether. Instead you should use a passphrase. Easy for you to remember, but at 30 or 40 characters, almost impossible to hack.
The bod at Microsoft missed the point. To carry out a brute-force attack, you need to know a user name, then guess the password. To attack a *nix system, I'd choose the user name "root".
An easy-to-remember form of password is alternate randomly-selected consonants and vowels, e.g. ricinodi. 8 chars made up of 4 consonants and 4 vowels gives 120e6 possibilities, which is rather a lot.
If the log-in mechanism allowed one log-in attempt per second, it would take almost 4 years to cover them. You might get lucky and crack it in a few months. But only if the log-in allowed one attempt per second indefinitely. So this is where Microsoft - and the open source community - can prevent brute-force attack - simply limit the rate at which attempts can be made.
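The arithmetic in the reply above (the alternating consonant/vowel keyspace and the years needed at one attempt per second) and the rate limit it recommends, worked through as an added Python example that is not part of the original email thread. The throttle design (a few free failures per account, then exponentially growing delay up to a cap) is an assumption of this example, not something the poster specifies.

```python
import string

VOWELS = frozenset("aeiou")
CONSONANTS = frozenset(string.ascii_lowercase) - VOWELS   # 21 letters
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int) -> int:
    """Count passwords built like 'ricinodi': consonant, vowel, consonant, ...
    Odd positions draw from 21 consonants, even positions from 5 vowels."""
    n_cons = (length + 1) // 2
    n_vow = length // 2
    return len(CONSONANTS) ** n_cons * len(VOWELS) ** n_vow


def years_to_exhaust(space: int, attempts_per_second: float) -> float:
    """Time to try every candidate at a fixed, unthrottled attempt rate."""
    return space / attempts_per_second / SECONDS_PER_YEAR


class LoginThrottle:
    """Per-account back-off: after `free` failures, each further attempt must
    wait base * 2**k seconds (k counting from 0), capped at `cap` seconds.
    Time is passed in explicitly so the logic is deterministic and testable."""

    def __init__(self, free: int = 3, base: float = 1.0, cap: float = 3600.0):
        self.free, self.base, self.cap = free, base, cap
        self.state: dict[str, tuple[int, float]] = {}  # user -> (failures, next_ok)

    def allowed(self, user: str, now: float) -> bool:
        _, next_ok = self.state.get(user, (0, 0.0))
        return now >= next_ok

    def record_failure(self, user: str, now: float) -> float:
        failures, _ = self.state.get(user, (0, 0.0))
        failures += 1
        extra = failures - self.free
        delay = 0.0 if extra <= 0 else min(self.cap, self.base * 2 ** (extra - 1))
        self.state[user] = (failures, now + delay)
        return delay  # seconds the caller must wait before the next attempt

    def record_success(self, user: str) -> None:
        self.state.pop(user, None)


def max_attempts_within(window: float, throttle: LoginThrottle, user: str = "root") -> int:
    """Simulate a guesser hammering one account as fast as the throttle permits
    and return how many attempts fit inside `window` seconds."""
    now, count = 0.0, 0
    while now <= window and throttle.allowed(user, now):
        count += 1
        now += throttle.record_failure(user, now)
    return count
```

Against the 8-character scheme, 1 attempt/second gives roughly 3.85 years to exhaust the space; the back-off above reduces a day of guessing against a single account from 86,400 attempts to a few dozen.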
