On Thu, Aug 18, 2011 at 2:16 PM, Hilderbrand, Doug
<[email protected]> wrote:
> ... short and complex versus long password issue. I use long teens and twenties
> long character passwords at work with upper/lower case, numbers and punctuation.
Broadly speaking, increasing the size of a password is usually more
useful than increasing the complexity (entropy per character). There
are multiple things at work: Humans generally find it easier to
remember words than characters. Brute force, rainbow tables,
dictionaries, and other such attacks increase in cost as you increase
overall length. Combine the two and length is the winner. You also
have various algorithmic accidents (such as the infamous NTLM two-part
password hash thing) that usually mean longer is better in the event
of a compromised hash.
> If guessing a password doesn’t work, brute force is all that’s left.
There are quite a few different ways to attack passwords.
* Universally common passwords ("password", "12345", etc.)
* Common password patterns (dates, SSNs, etc.)
* Target related (if the site is Yoyodyne, try "yoyodyne")
* User related (try user's favorite car, local sports team, etc.)
* Various common word lists (words from popular fiction, computers, profanity)
* English words in general
* Steal passwords for another site and try them elsewhere
* Man-in-the-middle
* Compromise the user's computer and sniff keystrokes
* Compromise the user's password vault
* Compromise the security of the target system
* Bribe people who work at the target entity
* Drug the user and hit him with a $5 wrench until he tells you the password
* Brute force (try every possible password, in sequential order)
And those are just the ones I could think of right now. :)
-- Ben
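An added example (not part of Ben's post or of the list thread) that puts numbers on the length-versus-complexity point and on the "independent chunk" hash failure mode the reply alludes to, and shows a defender-side policy check that accepts keyspace from either length or character variety. The common-password set, the 60-bit threshold, the 7-character chunk size, the 1e9 guesses/second rate and the sample passwords are all constructed assumptions, not values from the thread.

```python
import math
import re

# Constructed stand-in for a real "universally common passwords" list; a
# production check would load a breach corpus instead of this toy set.
COMMON_PASSWORDS = {"password", "123456", "12345", "qwerty", "letmein"}

# Printable ASCII: 26 lower, 26 upper, 10 digits, 33 punctuation/space.
CLASS_SIZES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]


def alphabet_size(password: str) -> int:
    """Size of the union of character classes actually present in the password."""
    return sum(size for pattern, size in CLASS_SIZES if pattern.search(password))


def keyspace_bits(length: int, alphabet: int) -> float:
    """log2 of the number of candidates an exhaustive search must consider
    for a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet)


def chunked_hash_bits(length: int, alphabet: int, chunk: int) -> float:
    """Effective search space when a hash processes the password as independent
    fixed-size chunks (the kind of algorithmic accident the reply mentions):
    each chunk can be attacked on its own, so the cost is
    (number of chunks) * alphabet**chunk instead of alphabet**length.
    The chunk size is a constructed parameter, not a claim about any product."""
    chunks = math.ceil(length / chunk)
    widest = min(length, chunk)
    return math.log2(chunks) + widest * math.log2(alphabet)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an exhaustive search: on average half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def evaluate_password(password: str, min_bits: float = 60.0) -> tuple:
    """Length-friendly policy: reject known-common strings and obvious SSN or
    date patterns (two items from the attack list above), then require a
    minimum keyspace no matter whether it comes from length or variety."""
    if password.lower() in COMMON_PASSWORDS:
        return ("reject", "universally common password", 0.0)
    if re.fullmatch(r"\d{3}-?\d{2}-?\d{4}", password):
        return ("reject", "matches an SSN pattern", 0.0)
    if re.fullmatch(r"(19|20)\d{2}[-/.]?\d{2}[-/.]?\d{2}", password):
        return ("reject", "matches a date pattern", 0.0)
    bits = keyspace_bits(len(password), alphabet_size(password))
    if bits < min_bits:
        return ("reject", f"only {bits:.1f} bits of keyspace", bits)
    return ("accept", "ok", bits)


if __name__ == "__main__":
    rate = 1e9  # constructed guess rate for illustration
    for label, length, alphabet in [("8 chars, full printable", 8, 95),
                                    ("20 chars, lowercase only", 20, 26)]:
        bits = keyspace_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits, "
              f"~{expected_crack_seconds(bits, rate) / 86400:.1f} days at 1e9/s")
    print(f"14 chars, full printable, hashed whole: {keyspace_bits(14, 95):.1f} bits")
    print(f"14 chars, full printable, hashed as 2x7: {chunked_hash_bits(14, 95, 7):.1f} bits")
    for pw in ["password", "123-45-6789", "Tr0ub4d&3", "correcthorsebatterystaple"]:
        print(pw, "->", evaluate_password(pw))
```

Running the script shows the two sides of the reply's argument: twenty lowercase letters outscore eight characters drawn from the full printable set by more than forty bits, and a hash that processes 14 characters as two independent halves costs the attacker roughly what a single 7-character password would.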
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin