![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
When I started using computer networks in the early 90s, I had a six-character password. A few years later the recommendation was a minimum of eight characters, and be sure to mix it up with upper/lower-case, numbers, and maybe some punctuation.
Unfortunately way too many people still haven't even gotten that message; as a network administrator (who tries to avoid knowing people's passwords but somehow does anyway since they don't seem to care) I see some amazingly simple passwords.
Even more unfortunately, some software enforces less-than-good passwords by restricting the punctuation or the password length.
But with the guidelines of a decade ago, it's been generally assumed that brute-forcing a password would take many months at least. However, that assumed that the job would be done on a single CPU. Or possibly much faster on a massively-distributed network on CPUs, but that's still a lot of effort for a few passwords, and apparently less interesting or lucrative than searching for aliens or sending spam.
Who expected cracking a password to be done on a graphics card? In less than a week?
So basically the eight-character password has been cracked. But the 12-character password will still present a challenge for a while, even if you don't include the punctuation and numbers and all that.... though you still might be vulnerable to a dictionary attack if you're not careful.
Unfortunately way too many people still haven't even gotten that message; as a network administrator (who tries to avoid knowing people's passwords but somehow does anyway since they don't seem to care) I see some amazingly simple passwords.
Even more unfortunately, some software enforces less-than-good passwords by restricting the punctuation or the password length.
But with the guidelines of a decade ago, it's been generally assumed that brute-forcing a password would take many months at least. However, that assumed that the job would be done on a single CPU. Or possibly much faster on a massively-distributed network on CPUs, but that's still a lot of effort for a few passwords, and apparently less interesting or lucrative than searching for aliens or sending spam.
Who expected cracking a password to be done on a graphics card? In less than a week?
So basically the eight-character password has been cracked. But the 12-character password will still present a challenge for a while, even if you don't include the punctuation and numbers and all that.... though you still might be vulnerable to a dictionary attack if you're not careful.
geeky
(no subject)
(no subject)
I'm glad I managed a computer post that was engaging. I know half the time I write inscrutable stuff that nobody cares about.
(no subject)
Heh
Passwords are pretty much FAIL at this point. Security will need to move to tokens or biometrics for the serious stuff.
Re: Heh
However, using longer passwords (actually passphrases) is still viable. Enforcing 12 characters or more might be a starting point, and just saying "passphrase" rather than "password" might encourage people to think in longer terms. Even dictionary attacks are limited by long passwords.
Anyway, really serious stuff should already be using two-factor (or more) authentication, combining passwords with tokens and/or biometrics. Single-factor authentication hasn't been acceptible for serious stuff in a long time.
Re: Heh
Re: Heh
Anyway, salting the encrypted password is the key. As one security person put it bluntly regarding rainbow tables: No modern password scheme is vulnerable to them. Unix has had a "modern" scheme since 1976. Of course, Windows doesn't happen to have a modern password scheme.
And once again, long enough passphrases are key; the rainbow table has a finite length, and if it doesn't cover passphrases as long as yours, it can't crack your passphrase.
Re: Heh
But, most corporations run Windows (I use *nix, but still a lot of the major companies run on Windows). On top of that due to the proliferation of HyperActive Directory al lot of UNIX accounts now have uid/pwd in AD. Thus if you hack AD, you get all the UNIX passwords too. Ptacek is right, when talking about coding for websites, where your password scheme can be homemade and designed on sense.
As for length, I agree... my PGP passphrase has been in the double digits since I started using it. But even that is just a matter of time and technology. Salted passwords help, no doubt, securing anything important 2-factor is a must at this point, as you said. In fact, the PCI requirements for corporations now include 2-factor authentication.
Re: Heh
(no subject)
I mean, true it wouldn't work for login attempts that keep on changing usernames (unless you restricted by IP, but that is not practical for many uses), but I don't see those as being a problem as long as your number of users is sufficiently large.
(no subject)
(no subject)
How do they typically get it?
(no subject)
(no subject)
(no subject)
Second, you have to define "anyone". There are certainly holes that are unknown to the good guys, but known to the bad guys.
Also, going back to your earlier question, it's not always possible to limit the number of logins, depending on the protocol being used.