Todd Lehman wrote:
> Here is why "1 - Lax" is in fact lax and not even remotely close to serious:
>
> 1. It passes terribly poor 4-character passwords such as "chow", "itso",
> and "frob", and in fact passes 90% of all 4-character randomly generated
> pw's using a linear distribution of the letters 'a' to 'z'. 26^4 =
> 456,976 (bad).
>
> 2. It passes 95% of all 4-character randomly generated pw's using a linear
> distribution of the letters a-z and the digits 0-9. 36^4 = 1,679,616
> (also bad).
>
> 3. It passes 99% of all 4-character randomly generated pw's using a linear
> distribution of the 95 printable ASCII characters. 95^4 = 81,450,625
> (still rather bad).
>
> If you believe that any of the above is not lax, then I would posit that you
> have at best a weak understanding of even the most basic statistical and
> mathematical issues related to pw cracking. (Sorry.)
Perhaps part of the problem is the relative weights attached to various
elements of strength of passwords. I would generally agree that a 4
character password should not be accepted (of course I suspect most of
us have a significant amount of money protected only by our physical
possession of a plastic card, and a 4 DIGIT password - I at least chose
an 8 digit PIN the one time I was allowed to choose a PIN, but few ATM
systems these days allow anything other than a 4 digit PIN).
I'm not sure that boiling the strength of a password down to a single
number is the best way to go about it. Why not require a few things,
like minimum length, and let the other checking try and reject trivial
extensions of a short password into the minimum length.
However, you have spoken that this is the final word on Lugnet
passwords; follow-ups to lugnet.off-topic.debate if anyone cares to
continue discussion.
--
Frank Filz
-----------------------------
Work: mailto:ffilz@us.ibm.com (business only please)
Home: mailto:ffilz@mindspring.com
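The two ideas in this exchange, the raw size of a 4-character keyspace that Todd computes and the "minimum length plus reject trivial extensions of a short password" policy that Frank proposes instead of a single strength number, can be made concrete. The following is an added example and is not Lugnet's validator or anyone's posted code; the thresholds (8-character minimum, 6-character core) and the set of "trivial extensions" it strips (whole-string repetition, leading/trailing digits or punctuation, a run of one repeated character) are assumptions chosen for illustration.

```python
import math
import re
import string

# Assumed policy values for this example; Lugnet's real settings are not given on the page.
MIN_LENGTH = 8   # minimum accepted password length
MIN_CORE = 6     # minimum length left after trivial padding is stripped


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` chars over an alphabet of `alphabet_size`.

    Reproduces the figures from the thread: keyspace_size(26, 4) == 456976,
    keyspace_size(36, 4) == 1679616, keyspace_size(95, 4) == 81450625.
    """
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Same keyspace expressed as bits of entropy for a uniformly random choice."""
    return length * math.log2(alphabet_size)


def strip_trivial_extensions(pw: str) -> str:
    """Reduce a password to the 'core' a user actually chose.

    Repeatedly removes the padding people bolt onto a short password to satisfy
    a length rule, until nothing more comes off:
      - whole-string repetition        "chowchow"  -> "chow"
      - leading/trailing digits/punct  "chow1234"  -> "chow", "!!frob" -> "frob"
      - a run of one repeated char     "frobbbbb"  -> "frob"
    Only these three patterns are handled; this is a demonstration, not a
    complete cracker-dictionary model.
    """
    core = pw
    prev = None
    while core != prev:
        prev = core
        # Whole-string repetition: find the shortest unit that tiles the string.
        for n in range(1, len(core) // 2 + 1):
            if len(core) % n == 0 and core == core[:n] * (len(core) // n):
                core = core[:n]
                break
        # Digits and punctuation glued onto either end.
        core = core.strip(string.digits + string.punctuation)
        # A run of a single repeated character at either end.
        core = re.sub(r"^(.)\1+", r"\1", core)
        core = re.sub(r"(.)\1+$", r"\1", core)
    return core


def check_password(pw: str) -> tuple[bool, str]:
    """Apply the two rules Frank suggests: a hard minimum length, then reject
    passwords that are merely a short password stretched out to meet it.

    Returns (accepted, reason).
    """
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    core = strip_trivial_extensions(pw)
    if len(core) < MIN_CORE:
        return False, f"trivial extension of the {len(core)}-character core {core!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords, including the 4-character ones named in the thread.
    for alphabet, label in ((26, "a-z"), (36, "a-z0-9"), (95, "printable ASCII")):
        print(f"4 chars over {label:16}: {keyspace_size(alphabet, 4):>10,} "
              f"({keyspace_bits(alphabet, 4):.1f} bits)")
    for candidate in ("chow", "itso", "chow1234", "chowchow", "frobbbbb",
                      "11111111", "xk7$pQ2m", "correct horse"):
        print(f"{candidate!r:16} -> {check_password(candidate)}")
```

The point of `strip_trivial_extensions` is that a length rule on its own is satisfied by "chow1234" and "chowchow", which cost an attacker essentially nothing more than "chow" once the padding pattern is in the wordlist; stripping the padding first and applying a second length floor to what remains rejects those without needing to collapse strength into one opaque score.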
Message has 1 Reply: Re: PW validation terms/labels (5-May-00, lugnet.off-topic.debate): (...) For the average person or script kiddie to crack a 4-digit PIN via brute force, they'd have to: (1) first actually get someone's card; and then (2) manually try out up to 10,000 combinations, and IIRC, ATM's are programmed to eat cards after a (...)

Message is in Reply To: Re: PW validation terms/labels (5-May-00, lugnet.admin.general): (...) OK, fair enough. Labels gone. Just pure numbers in the drop-down list now. (...) The label covers (covered) what the setting allows in the worst-case. If you poke around enough (or, as I've done, run scripts internally that hammer on it to (...)