From owner-freebsd-chat@FreeBSD.ORG Fri Aug 15 13:19:42 2003
Return-Path:
Delivered-To: freebsd-chat@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4B88E37B401 for ; Fri, 15 Aug 2003 13:19:42 -0700 (PDT)
Received: from rwcrmhc12.comcast.net (rwcrmhc12.comcast.net [216.148.227.85]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8B0B243FAF for ; Fri, 15 Aug 2003 13:19:41 -0700 (PDT) (envelope-from underway@comcast.net)
Received: from localhost.localdomain (12-230-74-101.client.attbi.com[12.230.74.101](untrusted sender)) by attbi.com (rwcrmhc12) with ESMTP id <20030815201940014003lod6e>; Fri, 15 Aug 2003 20:19:41 +0000
Received: from localhost.localdomain (localhost [127.0.0.1]) by localhost.localdomain (8.12.9/8.12.9) with ESMTP id h7FKIXSE083788; Fri, 15 Aug 2003 13:18:38 -0700 (PDT) (envelope-from underway@comcast.net)
Received: (from jojo@localhost) by localhost.localdomain (8.12.9/8.12.9/Submit) id h7FKIRWF083787; Fri, 15 Aug 2003 13:18:28 -0700 (PDT) (envelope-from underway@comcast.net)
To: fcash@sd73.bc.ca
References: <20030814225453.GA1385@node1.cluster.srrc.usda.gov> <3F3C9E22.D24F3C0A@mindspring.com> <9ek79edgvu.79e@mail.comcast.net> <200308150934.57206.fcash@sd73.bc.ca>
From: underway@comcast.net (Gary W. Swearingen)
Date: Fri, 15 Aug 2003 13:18:27 -0700
In-Reply-To: <200308150934.57206.fcash@sd73.bc.ca> (Freddie Cash's message of "Fri, 15 Aug 2003 09:34:57 -0700")
Message-ID:
User-Agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.1 (Cuyahoga Valley, berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: chat@freebsd.org
Subject: Re: password strength checking not consistently implemented
X-BeenThere: freebsd-chat@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Non technical items related to the community
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 15 Aug 2003 20:19:42 -0000

Freddie Cash writes:

> On August 15, 2003 09:28 am, Gary W. Swearingen wrote:
>
>> (I guess it makes sense that "A. Hacker" WOULD try to discourage
>> password strength checking. :)
>
> Actually, Mr. Hacker is advocating the use of strength checkers.

Actually, he wasn't; he was being ironic -- to discourage its use.

> Consider the entire keyspace of all passwords. Now remove from that
> keyspace all passwords that are less than 8 characters, are made up of
> dictionary words, are all numbers, and so on. What you are left with
> is a *much* smaller keyspace to brute force your way through.
>
> IOW, the strength checkers actually make it easier to crack the
> passwords ... as there are fewer combinations to check against.
>
> This is assuming that the cracker knows which strength checker is being
> used so they know which parts of the keyspace to drop.

I think you've changed the subject from "crack [any] passwords" to "crack [all] passwords". Your claim is true on average for the "all passwords" case, since the brute force method will often have to be resorted to in that case, unless the password choosers are all morons.

But if we're talking about a cracker finding any one of a large number of passwords chosen by careless users, then crackers will find their work easier if people don't use strength checkers. This is the more typical case which I thought Mr. Hacker was concerned about.

I can't speak for all strength checkers; I guess it's possible for them to reduce the "keyspace" too far, but I've seen no evidence that that's the case for typical checkers, and there's plenty of evidence that crackers use dictionaries and that password choosers are foolish. And if you're worried about someone brute forcing a reduced keyspace, you probably should be using something better than passwords.
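The two sides of the argument above can be put into numbers. The following is an added worked example, not code from either poster or from any FreeBSD tool: it models a hypothetical strength checker with the three rules Freddie Cash lists (minimum 8 characters, not all digits, not a dictionary word), counts exactly how much of the brute-force keyspace such a policy hands a cracker who knows the rules, and then runs a wordlist attack against a constructed sample of user-chosen passwords with and without the checker in place. The wordlist, the sample passwords and the 94-character printable-ASCII alphabet are all assumptions made for the example.

```python
import math
import string

# Constructed data (assumptions for this example). A real cracker's wordlist is
# far larger; only the ratios matter here, not the absolute numbers.
WORDLIST = frozenset({
    "password", "letmein", "welcome", "sunshine", "football",
    "baseball", "dragon", "monkey", "qwerty", "freebsd",
})
USER_PASSWORDS = [  # constructed sample of what careless and careful users pick
    "password", "football", "12345678", "sunshine", "dragon",
    "fcash", "1234", "Xk9#pL2q", "g7Tz!m4R", "freebsd",
]
ALPHABET_SIZE = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def is_strong(pw, min_len=8, wordlist=WORDLIST):
    """Hypothetical checker with the rules quoted in the thread."""
    if len(pw) < min_len:
        return False
    if pw.isdigit():
        return False
    if pw.lower() in wordlist:  # case-insensitive, like most real checkers
        return False
    return True


def full_count(max_len, alphabet=ALPHABET_SIZE):
    """Number of passwords of length 1..max_len over the alphabet (no policy)."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def accepted_count(max_len, min_len=8, alphabet=ALPHABET_SIZE, wordlist=WORDLIST):
    """Exact number of passwords of length 1..max_len that is_strong accepts.

    Removed from the full keyspace: everything shorter than min_len, every
    all-digit string of length >= min_len, and every case variant of each
    wordlist entry of length >= min_len (a word with k letters has 2**k
    variants that all lower() back to it).
    """
    long_enough = sum(alphabet ** n for n in range(min_len, max_len + 1))
    all_digits = sum(10 ** n for n in range(min_len, max_len + 1))
    word_variants = sum(
        2 ** sum(c.isalpha() for c in w)
        for w in wordlist
        if min_len <= len(w) <= max_len and not w.isdigit()
    )
    return long_enough - all_digits - word_variants


def bits_removed(max_len, min_len=8):
    """Brute-force work, in bits, that the policy saves a cracker who knows it
    and searches only the accepted set instead of the whole keyspace."""
    return math.log2(full_count(max_len)) - math.log2(accepted_count(max_len, min_len))


def dictionary_hits(passwords, wordlist=WORDLIST):
    """How many of `passwords` a plain wordlist attack recovers."""
    return sum(1 for p in passwords if p.lower() in wordlist)


def survivors(passwords):
    """The passwords a site running the checker would actually have stored."""
    return [p for p in passwords if is_strong(p)]


if __name__ == "__main__":
    # Exhaustive search up to 8 characters: the policy costs about 0.015 bits.
    print(f"brute-force bits removed by the policy (max len 8): {bits_removed(8):.4f}")
    # Wordlist attack on the sample, before and after the checker is enforced.
    print(f"wordlist hits without checker: {dictionary_hits(USER_PASSWORDS)} of {len(USER_PASSWORDS)}")
    kept = survivors(USER_PASSWORDS)
    print(f"wordlist hits with checker:    {dictionary_hits(kept)} of {len(kept)}")
```

Run as a script, the example shows the asymmetry Gary Swearingen describes: a cracker who knows the rules and searches the entire 8-character keyspace saves roughly one percent of the work (about 0.015 bits), while the same three rules remove every password in the constructed sample that a wordlist attack would have recovered. The exact counting in `accepted_count` is the check worth keeping when evaluating a real policy: if a proposed rule set ever removes bits in the double digits, the "reduced keyspace" objection starts to apply and it is time to move to something better than passwords.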