On 5/7/07, Steve Summit <scs(a)eskimo.com> wrote:
> Gregory Maxwell wrote:
> > Most people given those restrictions type out letter patterns on the
> > keyboard. Cracking programs like John the Ripper have rules systems
> > which predict such patterns with frightening accuracy.
>
> But those predictions are only useful if the attacker has
> unlimited login attempts. If we're taking the step of asking
> users (and admins) to pick stronger passwords, we should
> absolutely at the same time be taking steps in software to
> detect repeated login failures and (a) lock out the account,
> (b) slow way down, and/or (c) notify the (real) user.
Doesn't work so well. If it's a limit of "x per interval" the
attacker can just be patient, use many IPs and try many accounts. If
it's a limit of "x and then lockout" it's trivial to DoS accounts.
Don't get me wrong, we need to do both: have stronger passwords and
dampen attacks.
But what we should be telling people is:
"Use the longest pass*phrase* you can easily type. Common words are
okay as long as the phrase is unpredictable and long."
"mask omen boom irma smug tore" is a very strong password.
"I hate people in 1979- they wear big pantz" is also a strong password.
Yes, "gWXi$a09" is strong too, but when you try to tell people to use
passwords like that you get "10qpalz," which isn't strong.
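The comparison above can be put in numbers. The following script is an added example for this page, not code from anyone in the thread: it generates a word-list passphrase with a CSPRNG and works out the entropy of the three example secrets under the naive "every character is an independent uniform pick" model. The word list embedded here is a small constructed stand-in; the 7776-word size used for the passphrase figure is an assumption (the size of the public Diceware list), as is the offline guess rate of 10^10 per second.

```python
import math
import secrets
import string

# Constructed stand-in word list for the demo. Entropy per word depends only
# on the list size, so a real generator should draw from a large public list;
# the 7776-word Diceware list is assumed below as the reference size.
DEMO_WORDS = ["mask", "omen", "boom", "irma", "smug", "tore",
              "lamp", "river", "quilt", "hinge", "moss", "pearl",
              "dune", "fable", "glint", "harbor"]
DICEWARE_WORDS = 7776  # assumption: size of the public Diceware list


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def generate_passphrase(n_words: int, wordlist=DEMO_WORDS) -> str:
    """Pick words with `secrets`, not `random`: the attacker must be unable
    to reproduce the generator's state."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def charset_size(password: str) -> int:
    """Size of the smallest mix of standard character classes that covers
    the password (the model most 'strength meters' and policies use)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def charset_entropy_bits(password: str) -> float:
    """Upper bound on entropy: assumes each character is an independent
    uniform pick from the covering charset. A keyboard pattern such as
    '10qpalz' is nowhere near that, so cracker rule sets find it far sooner."""
    return entropy_bits(charset_size(password), len(password))


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to reach the secret after searching half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


def strength_report(guesses_per_second: float = 1e10) -> dict:
    """Compare the thread's three examples at one offline guess rate
    (the 1e10/s default is an assumption, not a figure from the thread)."""
    cases = {
        "6-word passphrase (Diceware-size list)": entropy_bits(DICEWARE_WORDS, 6),
        "gWXi$a09 (8 random printable chars)": charset_entropy_bits("gWXi$a09"),
        "10qpalz (charset upper bound only)": charset_entropy_bits("10qpalz"),
    }
    return {name: (round(bits, 1), years_to_crack(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    print("generated:", generate_passphrase(6))
    for name, (bits, years) in strength_report().items():
        print(f"{name:42s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

The 6-word passphrase comes out around 77.5 bits, the 8-character random string around 52.4 bits, and "10qpalz" at most 36.2 bits even before a rule-based cracker exploits its keyboard structure. The offline rate is the one that matters once a hash database leaks; an online rate limiter changes the per-account guess rate, not the entropy, which is why the two measures in the thread are complementary rather than interchangeable.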