From: underway@comcast.net (Gary W. Swearingen)
To: Terry Lambert
cc: chat@freebsd.org
cc: Glenn Johnson
Date: Sat, 16 Aug 2003 10:22:49 -0700
Subject: Re: password strength checking not consistently implemented
In-Reply-To: <3F3DD290.D237F6D2@mindspring.com> (Terry Lambert's message of "Fri, 15 Aug 2003 23:43:28 -0700")
Message-ID: <5d7k5dcyae.k5d@mail.comcast.net>
List: freebsd-chat@freebsd.org (Non technical items related to the community)

Terry Lambert writes:

> You're assuming that everyone uses dictionary attacks, which is
> really not true these days.

No, I was assuming that crackers COULD use dictionary attacks. I won't
quote it again, but you clearly implied that it takes "a lot longer" to
crack passwords in the absence of strength checking. Maybe that's true
if YOU assume that crackers can't use dictionaries (though I still doubt
if it takes "a lot" longer). But they can and would use dictionaries in
the absence of strength checking and it would not take a lot longer to
crack passwords. It would take less time, on average.

This whole discussion breaks down eventually, because if crackers are
taking account of strength checking, then they are using a form of
dictionary attack. They are searching the keyspace starting with the
most likely passwords, however crudely this is done.

But maybe you meant to say that brute force methods are so good that
they will always use brute force instead of dictionaries, whether or not
the latter are sometimes faster. So we might as well allow all of the
passwords to be "password", as long as our lack of strength checking
"forces" crackers to search the whole keyspace so they wind up cracking
fewer of them. That makes SOME sense, but people shouldn't be expected
to be altruistic enough to take on the risk that all those "password"
passwords won't be exploited, maybe manually.

> Actually, thanks to strength-checkers, most crackers have switched
> to brute-force, since dictionary attacks no longer work. For some
> definitions of "strength checking", they can also ignore the search
> space where passwords contain all alphabetic characters.

So convince me. What did you mean by "a lot longer"? For one password,
are we talking a millisecond or a week or what? Is it long enough for
me to care how much longer it takes? Is it worth the risk of allowing
passwords like "password"?
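A way to put numbers on the two claims argued above (that a strength check rejecting dictionary words removes the cheapest guesses, and that a check rejecting all-alphabetic passwords lets an attacker skip part of the keyspace): the script below, added here as an illustration and not part of the thread or of any FreeBSD code, implements a minimal strength check and computes how much of the printable-ASCII keyspace the all-alphabetic rule actually prunes. The word list, function names and the 94-character alphabet are assumptions of this example.

```python
import string

# Printable ASCII without the space: 52 letters + 10 digits + 32 punctuation = 94 symbols (assumption).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed toy word list; a real checker would load a full dictionary such as /usr/share/dict/words.
WORDLIST = {"password", "secret", "letmein", "freebsd", "qwertyui"}


def strength_check(pw, min_len=8, reject_all_alpha=True):
    """Return None if the password is acceptable, otherwise the reason it was rejected."""
    if len(pw) < min_len:
        return "too short"
    if pw.lower() in WORDLIST:
        return "dictionary word"
    if reject_all_alpha and pw.isalpha():
        return "all alphabetic"
    return None


def keyspace(length, reject_all_alpha):
    """Number of candidate passwords of the given length an attacker must consider under the policy."""
    total = len(ALPHABET) ** length
    if reject_all_alpha:
        # Passwords made only of letters can never be valid, so they need not be tried.
        total -= len(string.ascii_letters) ** length
    return total


def pruned_fraction(length):
    """Fraction of the full keyspace that the all-alphabetic rule lets an attacker skip."""
    return (len(string.ascii_letters) / len(ALPHABET)) ** length


if __name__ == "__main__":
    for pw in ("password", "abcdefgh", "Passw0rd!", "abc"):
        print(f"{pw!r:12} -> {strength_check(pw) or 'accepted'}")
    # For 8-character passwords the all-alphabetic rule removes under 1% of the keyspace,
    # so on its own it changes brute-force cost very little.
    print(f"8-char keyspace pruned by all-alpha rule: {pruned_fraction(8):.2%}")
```

The point the numbers make is that banning all-alphabetic passwords barely shrinks a brute-force search, whereas rejecting dictionary words removes exactly the guesses a dictionary attack tries first.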