Passwords - 64 Characters, Changed Daily?
isepic writes "It seems over the past few years that the password requirements have changed - each time making it even more difficult to crack. My company just changed its password requirements from 180 days down to 90 for most servers and from a minimum of six characters up to eight. So, as parallel processing computer clusters gain in power according to Moore's law, how are we expected to change them in the next 2-10 years --- and how often?"
"Hopefully by then, there will be a better way, but I really don't want to have to change my password every 8 hours, and not be able to use the last 5 I've used, AND have them each be some awfully long and complex string of hard-to-remember ASCII codes just because a computer can crack a 32 char password in 10 seconds.
What are your thoughts? Do you think one day we'll be SOL, or do you think something 'better' may come (e.g. biometric scanners on every keyboard and or mouse and or monitor - etc.)"
Just do what I do (Score:5, Funny)
Re:Just do what I do (Score:5, Funny)
Re:Just do what I do (Score:3, Funny)
Re:Just do what I do (Score:3, Funny)
BTW, not everyone shares YOUR sense of humor.
In Soviet Russia, nostalgia jokes you.
Here goes my Karma.... (Score:4, Funny)
In Soviet Russia, time remembers you!
Re:Just do what I do (Score:3, Interesting)
Seems like the perfect place to advertise my open source Strong Password Generator [mytsoftware.com].
Re:Just do what I do (Score:4, Funny)
Re:Just do what I do (Score:3, Insightful)
Re:Just do what I do (Score:5, Insightful)
Frankly, I think the best bet is to encourage users to just select longish (>8 characters), complex password (no word substrings, more than just alphabetic characters, etc), but don't force them to change it. After all, brute-forcing a complex, 8-character password is still a fairly difficult process.
Re:Just do what I do (Score:5, Informative)
Universal sign-on systems such as Kerberos can help this, by enforcing decent password selection and then making it available everywhere without permitting re-use of that small set of passwords. But it's a bear to set up in a small or mixed environment.
Also, for the original article's point: the difficulty of cracking passwords goes up nominally as the exponent of the password length, the complexity of verifying them or encrypting with keys goes up linearly or maybe as N*logN with the length of the key. Selecting a long enough password, and system keys, to defeat this kind of brute force cracking is quite trivial to do. But getting it adopted, especially in the face of federal policies that prohibit the export of encryption technologies as a "material of war", has crippled encryption techniques for years.
Get the federal government out of that line of regulation and hardware based encryption to protect your logins from man-in-the-middle password sniffing will be quite cheap, even possible to incorporate as a part of common motherboards and network cards. Until then, though, we're going to have a real risk of people using the same password for years and having it sniffed and used by crackers.
Re:Just do what I do (Score:4, Insightful)
None of this helps of course if the user's system is breached and some sort of keyboard sniffer is active.
Re:Just do what I do (Score:3, Insightful)
Re:Just do what I do (Score:3, Informative)
APC masterswitches do that. Well, it locks you out after x attempts for x minutes.
It became a pain in the ass when some winner started trying to password scan one of the masterswitches. A machine went down, and everyone was locked out from it. They had just left the scanner running, so after the lockout time, it would get locked out again.
We moved them to a private network, and voila, everything works fine now.
People try to brute force so many various passwords, this seems like a really
Re:Just do what I do (Score:5, Funny)
That's amazing! I have the same combination on my luggage!
Re:Just do what I do (Score:3, Insightful)
Re:Just do what I do (Score:5, Informative)
Re:Just do what I do (Score:3, Interesting)
The boss's secretary was presented with the change password dialog one morning. It would not accept any of her desired new passwords.
I said "You can't use your son's name anymore". The look on her face was priceless. I was amazed too; I thought this sort of thing only happened on the TV.
The really sad thing is that a cleverly crafted spoofed email
Re:Just do what I do (Score:3, Insightful)
Re:Just do what I do (Score:5, Interesting)
As soon as I see an attempt to hack it, I would change it. Until then, I have a great password that my wife doesn't even know about. If someone tries to hack it on Wednesday, it doesn't matter that I changed it on Monday, or last year: It will still take more time to crack than will pass before I check the logs.
Re:Just do what I do (Score:3, Insightful)
Re:Just do what I do (Score:3, Insightful)
Yep, I don't think there is a need to change passwords until someone uses one to compromise your system: if you change passwords every 6 months, what are the chances that someone cracking it coincides with you changing it. If someone cracks your password they're going to use it immediately, not wait 6 months until you chan
Re:Just do what I do (Score:5, Informative)
Statistically, that is false for a one time event. If someone today is trying to break your 14 character password, it doesn't matter when you changed it.
And vacation? I check my servers every day on vacation. Only takes a few minutes to ssh in. Yes, it's vacation, but I would rather check the logs for 5 minutes a day, than spend 7 days recovering from a fatal problem that might have been averted.
Re:Just do what I do (Score:3, Informative)
I was with you until the bold bit.
If you're allowed to change the number after the guess, then sure - it's impossible to guess. Otherwise if you're only allowed to change it between guesses, then the fact that I guess 517 right after you chose it means I win - regardless of how long it took to get
Re:Just do what I do (Score:3, Interesting)
Smart people are also the ones who ask questions like "Why are we doing this", while the dumb ones say "Because we have always done it this way". Just because a smart person suggests something, that doesn't guarantee it's a smart thing to do.
Forcing changes in passwords that guarantee that users will write the new password on post it notes on their monitors is not smart either. I know, I see it all the time, and the users simply do NOT get why this is dangerous
decent compromise between security and convenience (Score:3, Insightful)
Also, there are plenty of ways to have greater security than completely out-in-the-open Post-It notes with passwords. For guys, keeping the password list in a wallet, purse, or at least desk drawer that could be locked would at least add some physical security.
Actually, keeping the passwords on the monitor wouldn't be too bad if the passwords were obscured some way.
Re:decent compromise between security and convenie (Score:4, Interesting)
You mean those locking drawers where the key number is stamped on the lock?
I usually place a sticky note with a random number of characters under my keyboard. It looks like a password, and may even BE someone's password.
But it is not MY password and it is not close to my password. This entertains whoever is trying to break into my computer for hours....
Re:Just do what I do (Score:4, Interesting)
Re:Just do what I do (Score:3, Insightful)
Re:Just do what I do (Score:3, Interesting)
Those two are not necessarily related.
You can have easy to remember, well, relatively easy to remember, passwords that would be tough to crack.
My favorite approach is to create nonsense type phrases with some odd punctuation.
For example, something like:
I borrowed all the books from the library! and read them both.
or
An ultranet in a test tube is truly a fine thing to behold?
Or you could also take a favorite quote and modify it somewhat
How about pass phrases? (Score:3, Insightful)
Not necessarily. I mean depending on what the max character limit is he could be using pass-phrases. The password is becoming obsolete and the pass-phrase will be the next step. That is if the next step isn't smart card keys, challenge response you can do on a PDA, etc.
Of course the pass-phrase has its flaws too like using famous quotes, but that could be screened out the same way common words are. There might be some side benefits to
Re:Just do what I do (Score:3, Insightful)
I agree with this, although the people enforcing the passwords should really be asking what level of security do they need. Forcing people to have the most complex passwords possible all the time encourag
Wallet = secure (Score:3, Insightful)
Someone I work with asked about how he should protect a key to a secured area, and the response was "How often do you lose your car or house keys? Keep it with those." I'd say the same applies to your wallet and keeping passwords in it, if worse comes to worse and you can't remember them.
Considering I've never lost my wall
Re:Just do what I do (Score:3, Funny)
Hold on, are you saying that the post-it note labeled "network password" on my cubicle wall is insecure?
Re:Just do what I do (Score:3, Funny)
Re:Just do what I do (Score:3)
Long ago, we had different passwords everywhere, which we forgot when IT guys were changed, and at least one ancient ERP system is still running with us not knowing the admin password. It's used for ref
Re:Just do what I do (Score:3, Interesting)
Re: Or what I do (Score:4, Interesting)
Use visual passwords rather than mnemonic ones. My standard-prescribed solution is to teach this to all new users; I set them next to a computer and give them some strips of coloured paper (not necessary but helpful with complete newbs). They'll get the gist fast and be able to be pretty savvy shortly -and changing a password is exceedingly easy.
Here's a visualization for the letter A starting from the key V: The plain password is: vgy7ujmh
Using alternate shift: VgY7UjMh or vGy&uJmH
This can easily be expanded to even more secure ones by adding more letters. A good scheme for variant passwords is to use something that identifies with the realm -for example for Slashdot, a password could be made from letters 'slash' (on a dvorak here, sorry):
qJkU.#4%kUp$xBjUy^fDbIxBmHf^7*xIy%mHg&f
Variation made easy. Try it.
Good news for hacker (Score:5, Funny)
Re:Good news for hacker (Score:5, Funny)
I doubt it - jokes are supposed to be funny.
Biometrics (Score:2)
Re:Biometrics (Score:5, Funny)
Re:Biometrics (Score:2)
Re:Biometrics (Score:3, Funny)
Holy great hell, I'd love to see the social engineer that can convince somebody to chop off a finger voluntarily. They would put Mitnick to shame!
Re:Biometrics (Score:3, Insightful)
"Scraped up my fingers this weekend in a bicycle accident, and the stupid scanner doesn't recognize me. Can you open the door for me?"
or
"Contacts have been irritating my eyes lately so the damn machine won't validate, can you buzz me in?"
work just as well?
Re:Biometrics (Score:3, Informative)
No need for that. I saw a presentation at AsiaCrypt a couple of years ago where a guy successfully managed to create an artificial fingerprint good enough to fool pretty much all the commercial fingerprint scanners tested using only a fingerprint left behind on a glass, and pretty much commodity hardware (he did use one somewhat obscure device but that was still only a couple thousa
Re:Biometrics (Score:5, Insightful)
Re:Biometrics (Score:3, Interesting)
That is why it is better to use both: a good pass-phrase that you change from time to time, which is hashed together with your retinal scan, finger print, etc.
Re:Biometrics...only two thumbs (Score:2)
No, we need multi-element authentication systems that challenge users on more fronts. Tools like the ACE server, where you need your login, password and token number from a frob is a start. More work needs to be done on this problem, though.
ttyl
Farrell
Yeah right... (Score:4, Insightful)
Great.
One time use? (Score:5, Informative)
While you maintain a reasonably secure password you're not logging in without the token.
Use a CueCat (Score:5, Insightful)
Even if some one steals your :Cat, they can't get in, and if someone steals your copy of "Learning the VI Editor" that you've used for the barcode without stealing your :Cat, again they can't get in.
Re:Use a CueCat (Score:3, Interesting)
Heh heh... ironically, the CueCat wasn't exactly the height of security back in the day, and most Slashdotters who have one have probably long since removed the eeprom that transmitted the cat's real unique id.
Re:Use a CueCat (Score:3, Insightful)
Length & Considerations (Score:5, Funny)
You might want to [optionally] be able to use the first letter of each word as a "shorthand" password for re-verification moments, because typing in a 64+ character phrase every time you lock your station could become tedious if you are away from your desk often.
Alternately, if you have a number of services at work that should have different passwords, some sort of secure password comparison tool could be employed to at least ensure that employees aren't using the same password for everything. Not sure about an architecture for that, though.
Pointless (Score:5, Insightful)
I can't see any good reason to change passwords frequently, other than to limit the damage done from a successful intrusion. And then, is one month any worse than three months? All your data is 0wned regardless.
Re:Yes and No...Better solution:Assign the passwor (Score:5, Insightful)
There are so many things wrong with this that it is hard to know where to start. I'll just choose a couple.
First, forcing passwords on users is dumb. What might be an easy combination of words and numbers for you to remember might be completely impossible for me to remember if the word means nothing to me. And if I can't remember I am going to write it down. It is much better to allow people to choose their own passwords so that they can make a combination that they can remember.
Second, accountability for your password goes out the window when someone else knows and controls the password. If the administrator knows all the passwords, they can logon as the user without the user knowing. Alternatively, the user can suggest that the administrator did the action which the user is being accused of.
More intelligent password checking rules are a much simpler and more effective solution.
frequency and plausible deniability (Score:2)
Delays (Score:2, Insightful)
just because a computer can crack a 32 char password in 10 seconds
And will all software in the future not have any kind of delay to prevent this sort of attack? Even now, we have login/ssh services that delay a couple of seconds between failed attempts.
Exponential growth problem (Score:5, Insightful)
There's nothing to worry about until quantum computers can handle problems like this AND are available by someone you don't want accessing your data.
Re:Exponential growth problem (Score:4, Interesting)
1) Trojan back-doors could be used to covertly do a distributed crack on a password. Thus you have to deal both with the exponential growth in processor power *and* the exponential growth of the internet. So Moore's law gets beat.
2) I find that about 8 characters is the best for my general security. If I use 8 character passwords, I use a lot of mnemonic devices. An 8 character password can then contain shortened versions of two strings which are far longer and are more likely to contain non-alphanumeric characters (!,@, &, #, etc). If I get longer passwords, I tend to write out the phrases which although they tend to be in obscure languages still allow for an avenue of dictionary attack which might be otherwise difficult if I am using contractions.
IMO, the future of security is in public key authentication. In this model, you will carry with you a key AND have to provide some sort of passcode to unencrypt the key. This passcode could be biometric, passphrase-based, etc. The key can be lengthened transparently to the user so that they don't have to be aware of it, or replaced when lost.
Re:Exponential growth problem (Score:3, Insightful)
In any case, a truly random 8 character password is nearly impossible to guess. The problem is, most people don't pick passwords that just look like line noise. To crack yours, I might try 8 letter passwords, then 7 letters plus one symbol, etc. Still a daunting problem, but not *that* daunting.
What's the problem? (Score:2)
It's much harder to brute force crack an 11 character password than a 10 character and so on, so I don't really see the problem.
A good way to make it easy to remember without resorting to mangled ASCII is to pick the first letter in a sentence you know (or the two first... you get the idea). You can end it with some other code you know since before, and you're set.
Bad assumption (Score:5, Insightful)
This has been a process of incremental improvements - first crypt(), then shadow passwords, then MD5 hashes, and so on. We will certainly have something harder to crack in the future.
Re:Bad assumption (Score:5, Insightful)
About crypt() vs MD5, I don't think that they make much difference when it comes to cracking actual passwords, all MD5 does is allow you to use longer passwords, it doesn't enforce it by any means. If your password is in a dictionary, no matter what hashing algo you use, I can brute force it in a few seconds.
The only advantage a good hashing algorithm provides is that it ensures that you can't from a given hash calculate back the original password by other means than brute force. Brute force, however, will always work, no matter what algorithm you use. The only way to make a more secure password, is to use a better password, a better hash algo won't help a damn.
SecureID (Score:2)
It isn't that hard.
Duh (Score:2)
As for passwords your average Joe six-pack/soccer mom is going to remember... they're easily cracked anyway, I fail to see what difference the future will bring.
Non-user-dependent security (Score:2)
Instead, you should be securing your system to prevent password lists being downloaded and to prevent multiple subsequent incorrect logins.
Secure your own system. Don't expect your users to do it for you.
Slow down, cowboy! (Score:2)
In order to crack a password you need to know the hashing formula and the expected result. If either is unknown then the only way to perform an attack (dictionary or otherwise) is to ask the protected service to validate each attempt. In that case, a simple time delay in the authentication procedure would stop most brute-force attacks. In *nix
Complex ever-changing passwords are easy (Score:2)
On my main box, where I log in often, the script never updates my password and the date is always set to the epoch, so I always use the same password. On boxes on which I log in infrequently, I have a small program to change the password every day, and I have to recalculate the password for the day.
The problem is the input device, not pass length (Score:2, Funny)
typing
kGNisksUI725K-{P#~iuiILl896&Tui@'p;p'HH
is going to be a pain in the ass for anyone if the input method is always going to be a qwerty keyboard...
on the other hand a 20 dollar mongrel dog that I feed every day will never mistake me for anyone else...
_electronic_ based biometrics however will completely suck
Cost of Passwords vs. Cost of Incursion (Score:3, Interesting)
Re:Cost of Passwords vs. Cost of Incursion (Score:3, Insightful)
No, nobody broke into the place. It's just that at 8am in the morning (when everybody's supposed to have shown up for work) stood myself (at that time, too new to have been issued keys) the summer intern (who will be never issued keys) and the sales rep (who thought he had been issued keys to open both the building and suite doors, but turns out to have been handed two building keys instead)... it'd be forty-five minutes before the
Normal users (Score:5, Interesting)
They still write them down, still 'share' (if somebody hasn't got access to a file share the other has, but he/she wants them to look at something - (they don't even *think* about the option to copy it to a public share to do it!) - then they give out passwords.
Plus normal users forget them after a few days of work anyway - I reset usually around 5 passwords Monday mornings after people had two days off work - plus average 10 a week afterwards on a user base of 150.
Anderson's formula. (Score:5, Informative)
T = N/(PG)
In this:
So, let's say you want only a 10% chance your password is guessed. And you estimate an attacker can perform 2,000,000 guesses per second with his drone army. The passwords are from an alphabet of 26 characters, and are a minimum of 4 characters long. That means... (tappity, tappity on the TI calculator)... Um, that means you'll be hacked instantly.
Read more on Anderson's formula by googling.
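Added example (editorial, not from the commenter): Anderson's formula in its usual textbook form, P >= T*G/N, run over the post's own numbers (10% acceptable risk, 2,000,000 guesses per second, 26-letter alphabet, 4-character passwords) and then over a few longer policies, so the "hacked instantly" result and what it takes to escape it can be seen side by side. The policies in the table other than the post's are constructed for illustration.

```python
"""Anderson's formula, worked through with the numbers from the post above.

Textbook statement:  P >= T * G / N
    P  probability that the password is guessed within the attack window
    T  length of the attack window (seconds here)
    G  guesses per second the attacker can make
    N  number of possible passwords
Solving for T gives how long an attacker needs to reach a target probability.
"""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def guess_probability(T: float, G: float, N: int) -> float:
    """Anderson's bound on the attacker's success probability, capped at certainty."""
    return min(1.0, T * G / N)


def seconds_for_probability(P: float, G: float, N: int) -> float:
    """Attack time needed to reach success probability P (P = 1.0 is the full search)."""
    return P * N / G


def human_time(seconds: float) -> str:
    """Rough human-readable duration, used only for the printed table."""
    if seconds < 1:
        return f"{seconds * 1000:.1f} ms"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def scenario(alphabet_size: int, min_len: int, max_len: int,
             guesses_per_second: float, P: float):
    """Return (N, seconds) for one password policy against one attacker."""
    N = keyspace(alphabet_size, min_len, max_len)
    return N, seconds_for_probability(P, guesses_per_second, N)


if __name__ == "__main__":
    G = 2_000_000      # the post's "drone army": two million guesses per second
    P = 0.10           # the post's acceptable 10% risk
    # (alphabet size, min length, max length); the first row is the post's own policy,
    # the rest are constructed comparison points (62 = letters+digits, 95 = printable ASCII)
    policies = [(26, 4, 4), (26, 8, 8), (62, 8, 8), (95, 8, 8), (95, 12, 12)]
    print(f"{'alphabet':>8} {'length':>6} {'N':>24} {'time to 10% risk':>18}")
    for alphabet, lo, hi in policies:
        N, secs = scenario(alphabet, lo, hi, G, P)
        print(f"{alphabet:>8} {lo:>6} {N:>24,} {human_time(secs):>18}")
```

The first row reproduces the post's answer (a few tens of milliseconds); each added character multiplies N, and so the attacker's time, by the alphabet size, which is the "exponent of the password length" point made earlier in the thread.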
who uses passwords? (Score:2)
there are SO DAMNED MANY easy exploits that will get you root or admin, that you don't usually need passwords to crack into systems...
that said, there is still a balance to maintain. passwords like "password" are just lame and too easy... a good 6-8 character password with letters, numbers, other will keep anyone from guessing passwords at random.
but you still have to lock down your systems to keep out those pesky remote sploits.
(also, the best password in the w
Where I work... (Score:2)
myLittlePony24: They've been there at least 4 years
darthVaderRulez4: Newbie
What I don't like about all the new password rules like minimum of 8 characters, must have a special character and a number, change every X days, etc... is:
They ignore the social engineering aspect.
Walk around where I work after hours and after fun logging in as other people simply by reading the post-it notes stuck on
Moore's Law? (Score:2)
i prefer thumbdrives (Score:2)
It's all getting out of hand (Score:2)
There's just no foreseeable way that existing password systems can be used to maintain
makemeapassword.com (Score:5, Interesting)
makemeapassword.com [makemeapassword.com]
Forget biometrics and excessively long passwords (Score:2)
MD5 and SHA1 are just too fast. If a new hashing algorithm was used that took a second to compute rather than the microsecond or less that an MD5 hash takes, it would make brute-force or dictionary attacks on the password much much more difficult, but wouldn't really get in the way of people logging in - it's only a second.
Perhaps make it more user friendly.. (Score:5, Funny)
I don't see the problem at all! (Score:5, Funny)
Hmm (Score:4, Insightful)
The book stated near the very beginning that, basically, passwords are useless because the really secure ones are hard to remember, and that little problem causes people to do other things that mostly destroy the security of a "secure" password anyways (such as the infamous post-it note on the monitor).
The book's solution was fairly common-sense: implement different layers of security. That is to say, a password on its own is bad, but a token+password (say, USB memory stick with access code) can actually be a lot better.
The best stated was "bio+token+password". Seems reasonable to me, at least.
-Erwos
crack ratio (Score:3, Informative)
The *absolute* time taken to crack the password space is therefore a function of how long it takes to check a *single* password. This can be any length of time the password validation system wishes to implement (relative to a fixed processing resource).
There's no reason at all why passwords need to evolve to greater lengths as computers become faster. However, this inflation happens by default if the authentication system does not compensate by implementing constant time password validation as systems become faster.
A modern computer can validate a password in one microsecond that would have taken one millisecond back in the VAX days. This is one case where increased speed is not, in fact, a good thing.
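Added example (editorial, not from either commenter): the "make the hash take a second" idea from the Forget biometrics post and the "constant time password validation as systems become faster" idea from the post above, implemented with a salted, iterated hash. Python's standard-library PBKDF2 (`hashlib.pbkdf2_hmac`) stands in for the slow hash; the storage format, calibration routine and the MD5 comparison are this example's own constructions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

KDF_HASH = "sha256"


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2 with an explicit iteration count stored next to the digest.

    The iteration count is the knob the post asks for: raise it as machines get
    faster and the cost of one verification stays roughly constant, without any
    user having to change a password.  Format (constructed for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(KDF_HASH, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{KDF_HASH}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    _scheme, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(KDF_HASH, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def calibrate_iterations(target_seconds: float, probe: int = 10_000) -> int:
    """Pick an iteration count so that one verification costs about target_seconds
    on this machine.  Re-run it when the hardware is upgraded."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(KDF_HASH, b"calibration", b"\x00" * 16, probe)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * target_seconds / elapsed))


def slowdown_factor(iterations: int, samples: int = 5) -> float:
    """How many times more expensive one PBKDF2 guess is than one raw MD5 guess.
    This is the factor by which an offline dictionary run is slowed down."""
    guess = b"some candidate"
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.md5(guess).digest()
    md5_each = max((time.perf_counter() - start) / samples, 1e-9)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac(KDF_HASH, guess, b"\x00" * 16, iterations)
    kdf_each = (time.perf_counter() - start) / samples
    return kdf_each / md5_each


if __name__ == "__main__":
    iters = calibrate_iterations(0.25)          # aim for a quarter second per login
    record = hash_password("correct horse battery staple", iters)
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("correct horse battery stable", record))
    print(f"each guess costs {slowdown_factor(iters):,.0f}x an MD5 guess")
```

A quarter of a second is unnoticeable at the login prompt but turns the "few seconds" dictionary run described earlier in the thread into days, which is exactly the inflation-proofing the crack ratio post argues for; the salt additionally stops one precomputed table from serving every account.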
Something you know, you have, and you are (Score:4, Interesting)
* Something you know (password or PIN)
* Something you have (badge or bank card)
* Something you are (thumbprint, hand scan, voice check)
This is how CounterPane security locks up its own colo facility. (Of course, they also tape everybody coming in, and there's a live guard who knows your face.)
Each of these components can be relatively weak, but in combination they are quite strong. For instance, you could probably let people choose any password they wanted as long as you required, say, their badge and a thumbprint to log on.
For backwards compatibility, write a macro that generates random strings of characters the maximum length accepted by the legacy system to which you must log on. Encrypt the list of passwords, and use the method above to decrypt the password archive as needed.
James
Re:Something you know, you have, and you are (Score:3, Informative)
Did you perhaps mean Bruce Schneier [schneier.com]? He would be more relevant to security than Bruce Perens [perens.com] is.
Moores law needn't require longer passwords... (Score:4, Interesting)
sweet someone should tell my company (Score:4, Interesting)
First off, the root password for the main application server is a straight alpha password that hasn't changed in about 5 years and is known by most of the operators and developers.
Second, there are trust relationships between most of the hardware in the company such that gaining root on one server effectively grants root on all of them.
Thirdly, many of the important infrastructure pieces (routers and stuff) have been given identical admin passwords that are well known (this was at least recently changed for the routers).
Fourth, much of the software we use to perform infrastructure functions is hopelessly out of date, such that there are many published root level vulnerabilities for nearly every service running on our network.
And we are a medical device company under FDA regulation. No audit has ever turned up a single discrepancy. How's that for reassuring?
Physical keys, baby (Score:3, Insightful)
Complex passwords for Simple Users (Score:3, Interesting)
This leads me to the conclusion though that there are probably much fewer intuitive keyboard patterns than there are characters in the passwords. If someone created a dictionary based on keyboard patterns, I expect that it would be a significant way to overcome a lot of complex passwords.
Live example (Score:3, Interesting)
Here in work I've implemented a reasonable level (read: what you get for free from MS) password policy on the GC/DC (it's an MS shop).
Passwords:
* Vary between Upper and Lower case
* Contain at least 1 number
* Have a minimum of 8 characters (MacOS9 users are only allowed to use 8 unless they have the MSUAM)
* Forced change every 90 days
* Differ from the 3 passwords used previously
In addition we encourage users to pick strong passwords:
Good Passwords contain:
* Multiple small words (let me in now: LetM3In0w)
* Unusual keys (open at eight : 0pEn@Ate)
* Personal Acronyms (open now please : 0pN0Plez)
* Replace letters with numbers (close please : C7o53p7z)
* Misspelled or nonsense words (close please : klOz3PeaZ)
* Offset the Number/Word (to home sweet : H0m325we3t)
* Non-sequential words from songs/poems (home of the brave: 7hebRaFovH0m3)
* A combination of the above!
Bad Passwords contain:
* Countries or Place names
* Names (First or Last)
* Anything Workplace related
* Historical events and Dates
* Personal information: Phone numbers, Birthdays or Social Security numbers
* Dictionary (English and Foreign language) words
* Consecutive numbers
* Popular phrases separated by spaces, underscores or a hyphen
I recently conducted an audit using the excellent @stake LC5 [atstake.com]. I used the SAM agent import feature and not the sniff the wire capability. It cracked 26/196 passwords in less than 50 seconds with straight dictionary attacks tho' to be fair it was running checks against the weaker LM password. It finished the run with 96/196 successful cracks in around 11 hours using the dictionary, hybrid dictionary/brute force and straight brute force cracking.
It got many "strong passwords" chosen using the above methodology which is similar to the previous post [makemeapassword.com]. I am not too worried as ANY password is vulnerable to determined brute forcing. That's the reason you combine strong passwords and an x-attempt lockout policy.
The bonehead central office still enforces the password rotation despite the evidence that users are sabotaging the process. I sincerely believe this collision of function and security is a zero sum game: the users need to work meeting a complex security process irrespective of the necessity.
I am actively looking into 3rd party DC/GC extensions which perform the routine checks LC5 used so successfully and that have been in use on *nix systems for years. I'd love to hear from any1 in a similar situation. Please note I had reservations purchasing from @stake based on their abhorrent treatment of Dan Geer [itconversations.com] and evidently vindictive successive OSX disclosure [securityfocus.com] campaign.
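Added example (editorial, not the poster's code or any product mentioned): a password-acceptance check of the kind the poster is shopping for, encoding the policy list above (mixed case, a digit, 8 characters, not one of the last three) plus the "bad password" rules that a hybrid cracker exploits (dictionary words, including single words with the usual digit-for-letter swaps and trailing digits, and consecutive digits) and the keyboard-pattern dictionary idea from the Complex passwords for Simple Users post. The word list, the leet table and the keyboard geometry are constructed for the example; a deployment would load a real dictionary.

```python
import hashlib
import re
from typing import Iterable, List

# Constructed sample word list; a real deployment loads a full dictionary file.
DICTIONARY = {"password", "letmein", "summer", "welcome", "dragon", "monkey", "qwerty"}

# Common letter-for-digit swaps, undone before the dictionary lookup so that a
# single word dressed up as "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# QWERTY geometry: each row with its horizontal offset, so that diagonal walks
# such as v-g-y-7 count as adjacent keys just like q-w-e-r does.
KEYBOARD_ROWS = [("1234567890", 0.0), ("qwertyuiop", 0.5),
                 ("asdfghjkl", 1.0), ("zxcvbnm", 1.5)]
KEY_POS = {ch: (x + off, y)
           for y, (row, off) in enumerate(KEYBOARD_ROWS)
           for x, ch in enumerate(row)}


def _adjacent(a: str, b: str) -> bool:
    pa, pb = KEY_POS.get(a.lower()), KEY_POS.get(b.lower())
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def longest_keyboard_walk(pw: str) -> int:
    """Length of the longest run of physically neighbouring keys (shift ignored)."""
    if not pw:
        return 0
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if _adjacent(a, b) else 1
        best = max(best, run)
    return best


def looks_like_dictionary_word(pw: str) -> bool:
    """True if the password is a list word, optionally leet-spelled or with digits appended."""
    base = pw.lower()
    candidates = {base, base.translate(LEET),
                  re.sub(r"\d+$", "", base), re.sub(r"\d+$", "", base.translate(LEET))}
    return any(c in DICTIONARY for c in candidates)


def has_digit_sequence(pw: str, length: int = 3) -> bool:
    """True if the password contains an ascending or descending digit run, e.g. 123 or 987."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length]
        if chunk.isdigit():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def password_hash(pw: str) -> str:
    """History fingerprint only; plain SHA-256 is fine for "is this one of the last
    three" but real credential storage wants a salted, slow hash."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw: str, previous_hashes: Iterable[str] = ()) -> List[str]:
    """Return the names of every policy rule the candidate breaks (empty = accepted)."""
    failures = []
    if len(pw) < 8:
        failures.append("min_length_8")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("mixed_case")
    if not any(c.isdigit() for c in pw):
        failures.append("needs_digit")
    if looks_like_dictionary_word(pw):
        failures.append("dictionary_word")
    if has_digit_sequence(pw):
        failures.append("consecutive_digits")
    if longest_keyboard_walk(pw) >= 4:
        failures.append("keyboard_walk")
    if password_hash(pw) in set(previous_hashes):
        failures.append("reused_recent")
    return failures


if __name__ == "__main__":
    history = [password_hash("0pEn@Ate")]          # constructed: the user's last password
    for candidate in ["LetM3In0w", "P@ssw0rd", "Summer2005", "vgy7UJMh", "0pEn@Ate", "abc123"]:
        verdict = check_password(candidate, history) or ["accepted"]
        print(f"{candidate:<12} {', '.join(verdict)}")
```

The multi-word examples from the policy pass, while a single dictionary word with swapped digits or a year appended, or a row walked across the keyboard, is refused before it ever reaches a cracker's hybrid list; the checks run in a fraction of a millisecond, so they belong in the change-password path rather than in a quarterly audit.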
Re:Simple... (Score:4, Insightful)
The solution to the problem you are trying to solve is already in place on most systems, anyhow. When you fail to provide the correct password, you are punished by having to wait some amount of time (usually seems to be about 3 seconds). This way, instead of being able to test millions of combinations a minute, you can try 20. This way, your "friend" can't lock you out by typing your password wrong 3 times. Practical jokes are commonplace where I work.. don't need to make it easier on 'em..
Re:Simple... (Score:2, Offtopic)
Crap, I hate it when the typo is still correct English.. People read right through it and assume you're dumb instead of just not being able to type (or proofread).
Ah well.
Re:Simple... (Score:2, Informative)
The days when anyone on a system could just get all the encrypted passwords are long-gone. Getting encrypted passwords requires a root compromise these days. We're not in the 90s anymore.
Re:Simple... (Score:5, Insightful)
generally you would sniff the datastream and try to crack that I imagine(because that's the only thing you could do).
(insecure software with flaws proves the biggest security problem for the foreseeable future anyways, there's always possibility of using single use passwords which are _already_ in use on sensitive/important systems)
Re:What about /etc/shadow? (Score:3, Informative)
This raises another good point, where if you're properly controlling the methods to access whatever it is you're protecting, you ca
MOD THIS GUY UP! (Score:4, Insightful)
That's the key here folks.
Passwords should only be used in circumstances where you can control the number of attempts.
If you CANNOT cut off access after N failed attempts, you should be using a full-fledged lots-of-bits crypto key. An example would be using PGP on an email.
A lot of people are looking at the situation in terms of Moore's law. Moore's law should have no effect on how many logins per minute you allow me to attempt. That is a config option.
In short, it doesn't matter how fast your computer is. If ebay only lets you try 3 logins per minute, that's all you get.
If you're letting people try 1,000+ password per minute on your system, THAT's the problem, not that some guy only had a 6 character random password as opposed to 8.
So to sum up:
Passwords should not be used in cases where somebody else is going to have >100 attempts to break it. At that point you should be using >1KB crypto keys.
This is not a password policy problem, it's human somewhere not understanding what passwords are good for.
Re:New (Bad) Idea (Score:3, Insightful)
Bad idea because of the obvious exploit... an attacker could DOS the entire user base in a handful of minutes by trying/failing each ID.
Of course, any BOFH might enjoy the "lockout the boss" feature included.
Interestingly, Lotus Domino uses a feature where as each attempt fails, the password prompt is delayed by a number of seconds. The delay increases exponentially, but never completely locks the user out. After a set period (minutes), the delay goes away and you start again. VERY effective in bloc
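Added example (editorial, not from either commenter and not Lotus Domino's code): the attempt-limiting argument of the MOD THIS GUY UP post, implemented as the escalating-delay policy the post above describes (delay doubles per failure, is capped, and is forgotten after a quiet period, so no account is ever locked out). Class names, delay values and the injectable clock are this example's own choices.

```python
import time
from typing import Callable, Dict, Tuple


class FakeClock:
    """Injectable clock so the policy can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginThrottle:
    """Per-account delay that doubles on every failed attempt, is capped at
    max_delay, and is forgotten after reset_after seconds of quiet.  Nobody is
    locked out for good: a stranger failing against your name costs you at most
    max_delay seconds of waiting, not a call to the helpdesk."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0,
                 reset_after: float = 600.0,
                 clock: Callable[[], float] = time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.reset_after = reset_after
        self.clock = clock
        self._failures: Dict[str, Tuple[int, float]] = {}  # account -> (count, last failure)

    def current_delay(self, account: str) -> float:
        """Seconds the next attempt must wait, counted from the last failure."""
        count, last = self._failures.get(account, (0, 0.0))
        if count == 0:
            return 0.0
        if self.clock() - last >= self.reset_after:
            del self._failures[account]          # quiet period elapsed: start over
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (count - 1))

    def seconds_until_allowed(self, account: str) -> float:
        count, last = self._failures.get(account, (0, 0.0))
        return max(0.0, last + self.current_delay(account) - self.clock())

    def attempt(self, account: str, password: str,
                check: Callable[[str, str], bool]) -> Tuple[str, float]:
        """Returns (status, seconds): status is 'ok', 'denied' or 'throttled'."""
        wait = self.seconds_until_allowed(account)
        if wait > 0:
            return "throttled", wait             # password store is not even consulted
        if check(account, password):
            self._failures.pop(account, None)    # success clears the history
            return "ok", 0.0
        count, _ = self._failures.get(account, (0, 0.0))
        self._failures[account] = (count + 1, self.clock())
        return "denied", self.current_delay(account)


def attacker_time_for_guesses(throttle: LoginThrottle, clock: FakeClock,
                              account: str, guesses: int) -> float:
    """Simulated seconds an online guesser who waits exactly as told needs to
    submit `guesses` wrong passwords, including the wait after the last one."""
    def always_wrong(_account: str, _password: str) -> bool:
        return False                             # constructed: every guess misses
    start = clock.now
    submitted = 0
    while submitted < guesses:
        status, wait = throttle.attempt(account, "guess", always_wrong)
        if status == "denied":
            submitted += 1
        clock.now += wait
    return clock.now - start


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for n in (10, 20, 100):
        c, t = FakeClock(), LoginThrottle(clock=FakeClock())
        t.clock = c
        print(f"{n:>4} online guesses take {attacker_time_for_guesses(t, c, 'alice', n) / 60:.1f} minutes")
```

With these constants the first ten guesses cost a few minutes of waiting and every guess after that costs five, so the millions-per-second figure from Moore's law simply never applies to the online path; the residual cost of the policy is that someone hammering a known account can make its owner wait up to max_delay, which is the trade the post accepts in exchange for never needing an unlock.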
Re:Times change; don't fear. (Score:3, Insightful)
Oh, I think we should at least worry and speculate. When something new comes out in the future, it will only be because someone worried and/or speculated about how the current system can be changed or replaced.
Who do you think will be behind that change? At some point, someone will come up with an idea that will be the start of this new system. It could be a slashdot reader