Date: Sat, 16 Aug 2003 10:22:49 -0700
From: underway@comcast.net (Gary W. Swearingen)
To: Terry Lambert <tlambert2@mindspring.com>
Cc: Glenn Johnson <gjohnson@srrc.ars.usda.gov>
Subject: Re: password strength checking not consistently implemented
Message-ID: <5d7k5dcyae.k5d@mail.comcast.net>
In-Reply-To: <3F3DD290.D237F6D2@mindspring.com> (Terry Lambert's message of "Fri, 15 Aug 2003 23:43:28 -0700")
References: <20030814225453.GA1385@node1.cluster.srrc.usda.gov> <3F3C9E22.D24F3C0A@mindspring.com> <9ek79edgvu.79e@mail.comcast.net> <3F3DD290.D237F6D2@mindspring.com>
Terry Lambert <tlambert2@mindspring.com> writes:

> You're assuming that everyone uses dictionary attacks, which is
> really not true these days.

No, I was assuming that crackers COULD use dictionary attacks. I won't quote it again, but you clearly implied that it takes "a lot longer" to crack passwords in the absence of strength checking. Maybe that's true if YOU assume that crackers can't use dictionaries (though I still doubt if it takes "a lot" longer). But they can and would use dictionaries in the absence of strength checking and it would not take a lot longer to crack passwords. It would take less time, on average.

This whole discussion breaks down eventually, because if crackers are taking account of strength checking, then they are using a form of dictionary attack. They are searching the keyspace starting with the most likely passwords, however crudely this is done.

But maybe you meant to say that brute force methods are so good that they will always use brute force instead of dictionaries, whether or not the latter are sometimes faster. So we might as well allow all of the passwords to be "password", as long as our lack of strength checking "forces" crackers to search the whole keyspace so they wind up cracking fewer of them. That makes SOME sense, but people shouldn't be expected to be altruistic enough to take on the risk that all those "password" passwords won't be exploited, maybe manually.

> Actually, thanks to strength-checkers, most crackers have switched
> to brute-force, since dictionary attacks no longer work. For some
> definitions of "strength checking", they can also ignore the search
> space where passwords contain all alphabetic characters.

So convince me. What did you mean by "a lot longer"? For one password, are we talking a millisecond or a week or what? Is it long enough for me to care how much longer it takes? Is it worth the risk of allowing passwords like "password"?
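The two effects argued over in this thread can be put side by side in a small simulation: an attacker who orders guesses most-likely-first (dictionary, then mangled variants, then brute force) cracks "password" on the first try when no policy exists, while a policy that demands a digit both makes "password" unreachable and lets the attacker skip every all-alphabetic candidate, shrinking the keyspace by a computable fraction. This is an added example written for this page, not code from the message above or from FreeBSD; the word list, mangling rules, policy, minimum length and alphabets are constructed for illustration and are far smaller than what a real cracker would use.

```python
"""Dictionary-first versus brute-force search under a password policy.

Added example for the thread above; not from the message or from FreeBSD.
The word list, mangling rules, policy and alphabets are constructed for
illustration and are far smaller than anything a real cracker uses.
"""
import itertools
import string

# Constructed mini-dictionary (a real one has millions of entries).
WORDLIST = ["password", "letmein", "freebsd", "secret", "dragon"]
MIN_LEN = 4  # deliberately tiny so the brute-force phase stays runnable
ALPHABET = string.ascii_lowercase + string.digits


def policy_needs_digit(pw: str) -> bool:
    """A strength check of the kind under discussion: reject passwords
    shorter than MIN_LEN or made only of letters (constructed policy)."""
    return len(pw) >= MIN_LEN and any(c.isdigit() for c in pw)


def mangle(word: str):
    """Cheap rules covering the usual 'password1'-style evasions."""
    yield word
    yield word.capitalize()
    for d in string.digits:
        yield word + d
    yield word + "!"


def candidates(policy=None, alphabet=ALPHABET, max_len=MIN_LEN):
    """Yield guesses most-likely-first: dictionary words and their mangled
    variants, then exhaustive brute force over `alphabet` up to `max_len`.
    When `policy` is given the attacker assumes it was enforced at password
    set time and skips every candidate the policy would have rejected."""
    seen = set()
    for word in WORDLIST:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                if policy is None or policy(cand):
                    yield cand
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if cand not in seen and (policy is None or policy(cand)):
                yield cand


def guesses_to_crack(target, policy=None, alphabet=ALPHABET,
                     max_len=MIN_LEN, limit=5_000_000):
    """1-based guess number at which `target` is hit, or -1 if it is not
    reached within `limit` guesses (or never appears at all)."""
    for i, cand in enumerate(candidates(policy, alphabet, max_len), start=1):
        if cand == target:
            return i
        if i >= limit:
            return -1
    return -1


def keyspace_fraction_removed(policy, alphabet, length):
    """Share of all length-`length` strings over `alphabet` that `policy`
    rejects, by exact enumeration (keep the inputs small). For a plain
    'must contain a digit' rule this equals (letters / |alphabet|) ** length,
    which is why forbidding all-alphabetic passwords removes little of
    the space over a large alphabet."""
    total = len(alphabet) ** length
    rejected = sum(1 for tup in itertools.product(alphabet, repeat=length)
                   if not policy("".join(tup)))
    return rejected / total


if __name__ == "__main__":
    for pw in ("password", "password1", "zq7"):
        print(pw, "no policy:", guesses_to_crack(pw),
              "policy known, small alphabet:",
              guesses_to_crack(pw, policy_needs_digit, alphabet="abc12"))
    print("fraction removed over 'abc12', length 4:",
          keyspace_fraction_removed(policy_needs_digit, "abc12", 4))
```

With no policy, "password" falls on guess 1 and "password1" on guess 4; with the policy known to the attacker, "password1" falls on guess 2 because the two all-alphabetic variants ahead of it are skipped, and "password" itself can never have been set. The keyspace function shows the other side of the argument: over a five-character alphabet with two digits, the digit rule removes only 81 of the 625 four-character strings, and the removed share shrinks further as the alphabet grows.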