On 5/7/07, Steve Summit <scs@eskimo.com> wrote:
> Gregory Maxwell wrote:
> > Most people given those restrictions type out letter patterns on the keyboard. Cracking programs like John the Ripper have rules systems which predict such patterns with frightening accuracy.
>
> But those predictions are only useful if the attacker has unlimited login attempts. If we're taking the step of asking users (and admins) to pick stronger passwords, we should absolutely at the same time be taking steps in software to detect repeated login failures and (a) lock out the account, (b) slow way down, and/or (c) notify the (real) user.
Doesn't work so well. If it's a limit of "x per interval" the attacker can just be patient, use many IPs and try many accounts. If it's a limit of "x and then lockout" it's trivial to DoS accounts.
Don't get me wrong, we need to do both: have stronger passwords and dampen attacks.
But what we should be telling people is: "Use the longest pass*phrase* you can easily type. Common words are okay as long as the phrase is unpredictable and long."
"mask omen boom irma smug tore" is a very strong password. "I hate people in 1979- they wear big pantz" is also a strong password.
Yes, "gWXi$a09" is strong too, but when you try to tell people to use passwords like that you get "10qpalz," which isn't strong.
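Added example (not from the thread): the arithmetic behind the two points above, namely how much a "x per interval" throttle slows a single-account guesser, why a six-word passphrase still holds up if the hash ever leaks and is cracked offline, and why per-account throttling alone does not stop spraying a few common guesses across many accounts. Word-list size (7776, Diceware-style), the printable-ASCII alphabet, the offline cracking rate and the spraying parameters are all assumptions.

```python
"""Strength and throttling estimates for the passphrase discussion.
Constructed example; every rate and list size below is an assumption."""
import math

DICEWARE_WORDS = 7776      # assumption: words drawn uniformly from a Diceware-size list
PRINTABLE_ASCII = 95       # assumption: characters drawn uniformly from printable ASCII
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_from_wordlist(n_words: int, list_size: int = DICEWARE_WORDS) -> float:
    """Entropy (bits) of n_words chosen uniformly from a list, e.g. 'mask omen boom irma smug tore'."""
    return n_words * math.log2(list_size)


def bits_from_chars(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy (bits) of `length` characters chosen uniformly, e.g. 'gWXi$a09'."""
    return length * math.log2(alphabet)


def expected_guesses(bits: float) -> float:
    """Expected number of guesses to hit a uniformly random secret: half the space."""
    return 2.0 ** bits / 2.0


def throttled_rate(attempts_per_interval: int, interval_seconds: int) -> float:
    """Guesses per second one attacker gets against ONE account under an 'x per interval' limit."""
    return attempts_per_interval / interval_seconds


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years to recover a secret of the given entropy at a given guess rate."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def spray_success_probability(n_accounts: int, weak_fraction: float,
                              guesses_per_account: int, pattern_space: int) -> float:
    """Chance that trying the top `guesses_per_account` pattern passwords against every one of
    n_accounts (each throttled separately) opens at least one account. `weak_fraction` is the
    share of users assumed to pick keyboard patterns from a space of `pattern_space` guesses."""
    p_one = weak_fraction * min(1.0, guesses_per_account / pattern_space)
    return 1.0 - (1.0 - p_one) ** n_accounts


if __name__ == "__main__":
    online = throttled_rate(10, 15 * 60)       # assumption: 10 tries per 15 minutes per account
    offline = 1e10                             # assumption: leaked-hash cracking rate, guesses/s
    for label, bits in (("8 random chars", bits_from_chars(8)), ("6 words", bits_from_wordlist(6))):
        print(f"{label}: {bits:.1f} bits, online {years_to_crack(bits, online):.2e} y, "
              f"offline {years_to_crack(bits, offline):.2e} y")
    print(f"spray hit probability: {spray_success_probability(1000, 0.2, 100, 10000):.2f}")
```

The online column shows the throttle alone defeats single-account guessing of either secret; the offline column shows only the passphrase survives a hash leak, and the spray figure shows why both measures are needed.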