Date:      Fri, 15 Aug 2003 13:18:27 -0700
From:      underway@comcast.net (Gary W. Swearingen)
To:        fcash@sd73.bc.ca
Cc:        chat@freebsd.org
Subject:   Re: password strength checking not consistently implemented
Message-ID:  <k2fzk2d698.zk2@mail.comcast.net>
In-Reply-To: <200308150934.57206.fcash@sd73.bc.ca> (Freddie Cash's message of "Fri, 15 Aug 2003 09:34:57 -0700")
References:  <20030814225453.GA1385@node1.cluster.srrc.usda.gov> <3F3C9E22.D24F3C0A@mindspring.com> <9ek79edgvu.79e@mail.comcast.net> <200308150934.57206.fcash@sd73.bc.ca>

Freddie Cash <fcash@sd73.bc.ca> writes:

> On August 15, 2003 09:28 am, Gary W. Swearingen wrote:
>
>> (I guess it makes sense that "A. Hacker" WOULD try to discourage
>> password strength checking. :)
>
> Actually, Mr. Hacker is advocating the use of strength checkers.  

Actually, he wasn't; he was being ironic -- to discourage its use.

> Consider the entire keyspace of all passwords.  Now remove from that 
> keyspace all passwords that are less than 8 characters, are made up of 
> dictionary words, are all numbers, and so on.  What you are left with 
> is a *much* smaller keyspace to brute force your way through.
>
> IOW, the strength checkers actually make it easier to crack the 
> passwords ... as there are fewer combinations to check against.
>
> This is assuming that the cracker knows which strength checker is being 
> used so they know which parts of the keyspace to drop.

I think you've changed the subject from "crack [any] passwords" to
"crack [all] passwords".  Your claim is true on average for the "all
passwords" case, since the brute force method will often have to be
resorted to in that case, unless the password choosers are all morons.

But if we're talking about a cracker finding any one of a large number
of passwords chosen by careless users, then crackers will find their
work easier if people don't use strength checkers.  This is the more
typical case which I thought Mr. Hacker was concerned about.

I can't speak for all strength checkers; I guess it's possible for
them to reduce the "keyspace" too far, but I've seen no evidence that
that's the case for typical checkers, and there's plenty of evidence
that crackers use dictionaries and that password choosers are foolish.

And if you're worried about someone brute forcing a reduced keyspace,
you probably should be using something better than passwords.
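The keyspace argument in this exchange can be put into numbers. The following is an added example, not part of the thread and not anyone's posted code; it assumes a 95-character printable-ASCII alphabet, a maximum length of 8, and a hypothetical checker that rejects passwords shorter than 8 characters or lacking a lowercase letter, an uppercase letter or a digit. It computes how much the brute-force keyspace shrinks when the cracker knows that rule, and contrasts it with the guess count needed against a user who picked a plain dictionary word.

```python
"""Added example (not from the thread): put numbers on the keyspace argument.

Assumptions (constructed for this example): 95 printable ASCII characters,
passwords of at most 8 characters, and a checker that rejects anything
shorter than 8 or lacking a lowercase letter, an uppercase letter or a digit.
"""
from itertools import combinations
from math import log2

PRINTABLE = 95          # printable ASCII: letters, digits, punctuation, space
LOWER, UPPER, DIGIT = 26, 26, 10


def keyspace(length: int, alphabet: int = PRINTABLE) -> int:
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet ** length


def keyspace_up_to(max_length: int, alphabet: int = PRINTABLE) -> int:
    """Number of strings of length 1..max_length (what an unchecked user may pick)."""
    return sum(alphabet ** n for n in range(1, max_length + 1))


def keyspace_requiring_classes(length: int, classes=(LOWER, UPPER, DIGIT)) -> int:
    """Strings of `length` chars containing at least one char from every class.

    Inclusion-exclusion: for each subset of classes that is *absent*, count the
    strings over the shrunken alphabet and alternate the sign.
    """
    total = 0
    for k in range(len(classes) + 1):
        for absent in combinations(classes, k):
            total += (-1) ** k * (PRINTABLE - sum(absent)) ** length
    return total


def bits(n: int) -> float:
    """Size of a keyspace expressed in bits (log2 of the number of candidates)."""
    return log2(n)


def bits_lost_to_checker(length: int = 8) -> float:
    """How far the brute-force keyspace shrinks when the checker rule is known.

    Compares everything an unchecked user could pick (lengths 1..length) with
    what survives the hypothetical checker (exactly `length`, all three classes).
    """
    unchecked = keyspace_up_to(length)
    checked = keyspace_requiring_classes(length)
    return bits(unchecked) - bits(checked)


if __name__ == "__main__":
    dictionary_words = 250_000   # constructed size for a wordlist, not a real one
    print(f"unchecked, up to 8 chars:        {bits(keyspace_up_to(8)):.1f} bits")
    print(f"8 chars, lower+upper+digit:      {bits(keyspace_requiring_classes(8)):.1f} bits")
    print(f"bits lost to a known checker:    {bits_lost_to_checker(8):.2f}")
    print(f"plain dictionary word:           {bits(dictionary_words):.1f} bits")
```

Run as a script it prints the four figures side by side: the class rule costs roughly one bit of brute-force keyspace, whereas a user who picks a dictionary word hands the cracker a search roughly 35 bits smaller than either keyspace. That is the asymmetry the reply is pointing at: a known checker removes a sliver of the space, while unchecked careless choices collapse it.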
