Comments on: Password Security Theater
http://afewguyscoding.com/2012/02/password-security-theater/
Thoughts on computer science and software from [self]
Thu, 05 Jan 2017 07:51:46 +0000

By: Jeff
http://afewguyscoding.com/2012/02/password-security-theater/comment-page-1/#comment-2656
Tue, 23 Apr 2013 19:08:50 +0000

A couple of thoughts: One dictionary attack would be simply to try all the words. Pretty easy. If that fails, try all combinations of two words, and so on. With some case variance, that makes for pretty weak passwords: there are more words in the dictionary than letters in the alphabet, but it’s the exponent that counts, and N^x, where x<8, is weak. So you really do need to change the case of a few letters to make this better.

Second, lockouts are good, but one way hackers break passwords is to sneak in and grab the password file, and then have at it until it's broken. So, while lockouts are good, you're counting on the administrators never getting the file.

By: David Stites
http://afewguyscoding.com/2012/02/password-security-theater/comment-page-1/#comment-1935
Sat, 11 Feb 2012 01:39:19 +0000

Francisco, thanks for the tip. I will definitely check out your whitepaper!

By: Francisco Corella
http://afewguyscoding.com/2012/02/password-security-theater/comment-page-1/#comment-1933
Sat, 11 Feb 2012 01:01:11 +0000

Besides using a counter of consecutive failed attempts, which would be reset to 0 after a successful login, you may want to use a second counter of total, non-consecutive failed attempts and ask the user to change the password after it reaches a higher threshold, say 30. See "Protecting a Multiuser Web Application against On-Line Password-Guessing Attacks".
