Subject: Re: Automated password appraisal (Re: New feature: Article rating)
Newsgroups: lugnet.admin.general
Date: Fri, 31 Mar 2000 01:11:33 GMT
Viewed: 4076 times
In lugnet.admin.general, Larry Pieniazek writes:
> [...]
> Right now it might be that it's way too picky. It's flagging passwords that
> are reasonable. (elegant work, mind you, from a coding standpoint) If you
> eliminate too many passwords from the universe, you reduce the total set
> that brute force attack has to use (that is, if you ENFORCE that people
> can't have unsafe passwords you increase their safety a lot, but decrease
> everyone's safety marginally over all.)
>
> Food for thought.
Yum, yum! :-s
Well, ya gotta also figure that decreasing the safety margin from 100,000
to 1000 is one thing (bad -- and I don't think that's the case here), but
decreasing it from, say, eleventeen hundred quintrillion down to fifty-seven
quintrillion is quite another thing. Is the latter truly hurtful in any
practical way? (I can't justify losing sleep over it. :)
It may be pickier than we'd like about the passwords that we can easily
think up, but according to my statistical tests, it doesn't really cut very
much into the set of all possible passwords. (One tenth of a gooberzillion
is still a gooberzillion.)
For example, even the set of all 6-character passwords (short), using
A-Z, a-z, 0-9, and - as the input set starts out with gooberzillion being
63^6 = 62,523,502,209 (62 US trillion) possibilities (a LOT). Enforcing
"good" passwords on this cuts out approximately 50% of the possibilities
(running on the current implementation). Is 50% a big deal? It sounds like
a lot. But it still leaves 31,261,751,104 (31 US trillion) possibilities.
Sounds pretty safe to me!
Looking at 5-character passwords, there are 63^5 = 992,436,543 (about 1 US
billion) possibilities using the same 63-character alphabet. Right now it's
failing about 99 out of 100 of those, which reduces the set of possibilities
to about 10 million. That's getting too low for comfort, so 5-character
passwords probably shouldn't be allowed. OTOH, increasing the alphabet to
include all 95 printable ASCII characters pumps up the set of possibilities
to 95^5 = 7,737,809,375 (7 US billion) and now it only fails about 3/4 of
those, leaving 2 US billion, give or take a hundred million.
I totally hear what you're saying -- and IMHO it's an extremely important
thing to bear in mind -- but from these results, and from some of the things
that people have been saying they've been trying, the only thing I can say
for sure is that I'd lose far more sleep not having a strict check in place.
Yes, it may give a false sense of security in certain extreme situations, but
overall I can't imagine not using it. The only question in my mind is whether
or not to automatically fail all 5-character pw's.
--Todd
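The arithmetic in Todd's post (alphabet size raised to the password length, then a rejection rate estimated by "statistical tests") is easy to reproduce. The following is an added example, not code from LUGNET or from anyone in this thread. It assumes a hypothetical password check (at least two character classes and no character repeated three times in a row) purely to have something to measure; the real LUGNET appraisal rule is not described on this page. It computes the exact keyspace for the 63- and 95-character alphabets the post uses, estimates the fraction the hypothetical rule rejects by random sampling, cross-checks the two-class part of that estimate against an exact count, and reports how many bits of keyspace survive.

```python
import math
import random
import string

# Alphabets described in the post (constructed here from that description).
ALPHA_63 = string.ascii_letters + string.digits + "-"          # A-Z, a-z, 0-9, -
ALPHA_95 = "".join(chr(c) for c in range(32, 127))            # all printable ASCII
CLASSES_63 = [26, 26, 10, 1]    # upper, lower, digit, other ("-")
CLASSES_95 = [26, 26, 10, 33]   # upper, lower, digit, other (punctuation + space)


def keyspace(alphabet, length):
    """Number of distinct passwords of `length` drawn from `alphabet`."""
    return len(alphabet) ** length


def char_classes(pw):
    """Set of character classes present in pw: lower, upper, digit, other."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def hypothetical_check(pw):
    """Hypothetical strength rule (an assumption, NOT LUGNET's real check):
    at least two character classes, and no run of three identical characters."""
    if len(char_classes(pw)) < 2:
        return False
    for i in range(len(pw) - 2):
        if pw[i] == pw[i + 1] == pw[i + 2]:
            return False
    return True


def estimate_pass_fraction(alphabet, length, check, samples=50_000, seed=1):
    """Monte Carlo estimate of the fraction of uniformly random passwords
    that `check` accepts (the 'statistical test' approach)."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(samples):
        pw = "".join(rng.choice(alphabet) for _ in range(length))
        if check(pw):
            passed += 1
    return passed / samples


def exact_pass_fraction_two_classes(class_sizes, length):
    """Exact fraction passing the two-class rule alone (ignoring the run rule):
    passwords drawn entirely from a single class are the only rejections."""
    total = sum(class_sizes) ** length
    single_class = sum(n ** length for n in class_sizes)
    return 1 - single_class / total


def surviving_bits(alphabet, length, pass_fraction):
    """log2 of the keyspace that survives the policy; 2**bits passwords remain."""
    return math.log2(keyspace(alphabet, length) * pass_fraction)


if __name__ == "__main__":
    for name, alpha, classes, length in [
        ("63-char, 6 long", ALPHA_63, CLASSES_63, 6),
        ("63-char, 5 long", ALPHA_63, CLASSES_63, 5),
        ("95-char, 5 long", ALPHA_95, CLASSES_95, 5),
    ]:
        total = keyspace(alpha, length)
        est = estimate_pass_fraction(alpha, length, hypothetical_check)
        exact2 = exact_pass_fraction_two_classes(classes, length)
        print(f"{name}: keyspace={total:,} pass~{est:.4f} "
              f"(two-class rule exact={exact2:.4f}) "
              f"surviving={surviving_bits(alpha, length, est):.1f} bits")
```

The sampled pass fraction should sit just below the exact two-class figure, because the run-of-three rule rejects a little more on top of it. The useful takeaway for policy design is the final bits figure: a rule that rejects half the keyspace costs exactly one bit, so the post's "one tenth of a gooberzillion is still a gooberzillion" is a loss of about 3.3 bits, whereas the 5-character case that rejects 99 out of 100 loses 6.6 bits on a keyspace that was already under 30 bits.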
309 Messages in This Thread.