[WikiEN-l] Please change your passwords.

Gregory Maxwell gmaxwell at gmail.com
Mon May 7 20:58:36 UTC 2007


On 5/7/07, Steve Summit <scs at eskimo.com> wrote:
> Gregory Maxwell wrote:
> > Most people given those restrictions type out letter patterns on the
> > keyboard. Cracking programs like john the ripper have rules systems
> > which predict such patterns with frightening accuracy.
>
> But those predictions are only useful if the attacker has
> unlimited login attempts.  If we're taking the step of asking
> users (and admins) to pick stronger passwords, we should
> absolutely at the same time be taking steps in software to
> detect repeated login failures and (a) lock out the account,
> (b) slow way down, and/or (c) notify the (real) user.

Doesn't work so well. If it's a limit of "x per interval" the
attacker can just be patient, use many IPs and try many accounts. If
it's a limit of "x and then lockout" it's trivial to DoS accounts.

Don't get me wrong, we need to do both: have stronger passwords and
dampen attacks.

But what we should be telling people is:
"Use the longest pass*phrase* you can easily type. Common words are
okay as long as the phrase is unpredictable and long."

"mask omen boom irma smug tore" is a very strong password.
"I hate people in 1979- they wear big pantz" is also a strong password.

Yes, "gWXi$a09" is strong too, but when you try to tell people to use
passwords like that you get "10qpalz," which isn't strong.
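The thread contrasts a six-word passphrase with an eight-character random password and argues that the passphrase is both stronger and easier to type. The following is an added example, not code from the original post or from the list participants: it estimates the search space of each style and the expected time to exhaust it at an assumed guess rate, and it generates a random word passphrase from a list. The word list is a small constructed sample; the 7776-word list size used for the entropy calculation is an assumption about a full Diceware-style list, not something stated on the page.

```python
"""Added example (not from the mailing-list post): compare the password
styles discussed in the thread by search-space size, and generate a random
word passphrase the way the post recommends."""
import math
import secrets

# Constructed sample list. For entropy, only the size of the list the words
# are drawn from matters, so this sample is just to make the generator run.
SAMPLE_WORDS = [
    "mask", "omen", "boom", "irma", "smug", "tore", "apple", "river",
    "cloud", "stone", "lamp", "paper", "green", "north", "eagle", "velvet",
]

# Assumed size of a full word list (6^5 words, as selected with five dice).
FULL_WORDLIST_SIZE = 7776
# Assumed printable-ASCII alphabet for a random "gWXi$a09"-style password.
PRINTABLE_ASCII = 94


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy for a string of `symbols` picks, each drawn uniformly
    and independently from `choices_per_symbol` possibilities."""
    return symbols * math.log2(choices_per_symbol)


def expected_guesses(bits: float) -> float:
    """On average an attacker must try half the space before hitting it."""
    return 2.0 ** (bits - 1)


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret at a sustained guess rate. The rate
    is the lever that rate-limiting moves; entropy is the lever the user
    moves, and it scales exponentially rather than linearly."""
    return expected_guesses(bits) / guesses_per_second


def generate_passphrase(words: list[str], count: int = 6) -> str:
    """Pick `count` words uniformly at random with a CSPRNG. The words may be
    common; the strength comes from the uniform, independent choice."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_styles(online_rate: float = 10.0, offline_rate: float = 1e9) -> dict:
    """Summarise the two styles from the post under two assumed guess rates:
    an online rate an attacker might sustain against a throttled login, and
    an offline rate against a leaked fast hash. Both rates are assumptions."""
    styles = {
        "six words from 7776": entropy_bits(FULL_WORDLIST_SIZE, 6),
        "eight random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
    }
    return {
        name: {
            "bits": round(bits, 2),
            "online_years": seconds_to_crack(bits, online_rate) / 31_557_600,
            "offline_years": seconds_to_crack(bits, offline_rate) / 31_557_600,
        }
        for name, bits in styles.items()
    }


if __name__ == "__main__":
    for name, row in compare_styles().items():
        print(f"{name}: {row['bits']} bits, "
              f"offline ~{row['offline_years']:.3g} years")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The numbers explain the post's preference: six words from a 7776-word list give about 77.5 bits, while eight random printable characters give about 52.4 bits, and a keyboard pattern such as "10qpalz" is drawn from a far smaller space than its character count suggests, because rule-based crackers enumerate such patterns directly.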
