[Discuss] password strength
Richard Pieri
richard.pieri at gmail.com
Mon Jul 29 13:00:18 EDT 2013
Tom Metro wrote:
> Entropy calculations can be very misleading, as the things that make a
> password easy to remember also make it much easier to guess. Password
There's a huge misdirection in that Ars article that you cite. It
presumes that the attacker has the password database. Fact is, if an
attacker can get the entire password database, such as with the Ubuntu
Forums compromise, then it doesn't matter how strong your password is.
The only limit to what an attacker can do in that situation is how much
computing power he can throw at it. The only protection users have
against this is not reusing passwords so that one compromised account
does not lead to others. Password variety trumps password strength.
In practice, such attacks are effectively useless against web sites and
the like when users have reasonably strong passwords. It does not matter
how much computing power you have. You can't throw precomputed hashes
(rainbow tables) at a web site. And you're not going to get 1000 brute
force or dictionary guesses per second against Google or Facebook. The
recent Club Nintendo compromise -- which was effected with precisely
this kind of attack -- was ~15 million attempts over 35 days. That's
about 12 attempts per second.
--
Rich P.
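As an added illustration of the two regimes the post contrasts (an attacker holding the hash database is limited only by compute, while an online guesser is capped by the site), here is example code that is not part of the original thread: a per-account failed-login window limiter replayed over constructed log lines, plus a guess-budget calculation. The log line format, the five-failures-per-ten-minutes policy and the 10^9 guesses/s offline rate are assumptions made for the example; the 12 guesses/s online figure is the one given in the post.

```python
"""Sliding-window login throttling and a guess-budget comparison.
Added example; not code from the original thread. The log format,
the throttling policy and the offline hash rate are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post). Assumed format:
# "<ISO timestamp> user=<account> src=<address> result=<ok|fail>".
SAMPLE_LOG = [
    "2013-07-29T12:00:00 user=alice src=203.0.113.5 result=fail",
    "2013-07-29T12:00:01 user=alice src=203.0.113.5 result=fail",
    "2013-07-29T12:00:02 user=alice src=203.0.113.5 result=fail",
    "2013-07-29T12:00:03 user=alice src=203.0.113.5 result=fail",
    "2013-07-29T12:00:04 user=alice src=203.0.113.5 result=fail",
    "2013-07-29T12:00:05 user=alice src=203.0.113.5 result=fail",  # 6th in window: refused
    "2013-07-29T12:00:06 user=alice src=203.0.113.5 result=ok",    # right guess, still refused
    "2013-07-29T12:00:30 user=bob src=198.51.100.7 result=fail",   # ordinary typo
    "2013-07-29T12:00:31 user=bob src=198.51.100.7 result=ok",     # then success
    "2013-07-29T12:11:00 user=alice src=203.0.113.5 result=ok",    # window drained, allowed
]

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(ok|fail)$")


def parse_line(line):
    """Split one log line into (timestamp, user, source, succeeded)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, user, src, result = m.groups()
    return datetime.fromisoformat(ts), user, src, result == "ok"


class FailureWindowLimiter:
    """Per-account sliding window (assumed policy): once max_fails failures
    fall inside `window`, further attempts are refused without checking the
    password until the oldest failures age out."""

    def __init__(self, max_fails=5, window=timedelta(minutes=10)):
        self.max_fails = max_fails
        self.window = window
        self.fails = defaultdict(deque)  # user -> timestamps of recent failures

    def _drain(self, user, now):
        q = self.fails[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def observe(self, now, user, success):
        """Return True if the attempt may be evaluated, False if throttled."""
        self._drain(user, now)
        if len(self.fails[user]) >= self.max_fails:
            return False
        if not success:
            self.fails[user].append(now)
        return True


def replay(lines, limiter=None):
    """Feed log lines through the limiter; yields (user, logged_in, allowed)."""
    limiter = limiter or FailureWindowLimiter()
    out = []
    for line in lines:
        ts, user, _src, ok = parse_line(line)
        allowed = limiter.observe(ts, user, ok)
        out.append((user, allowed and ok, allowed))
    return out


def expected_guesses_for(entropy_bits):
    """On average half the keyspace is searched before the right guess."""
    return 2 ** (entropy_bits - 1)


def days_to_expect_success(entropy_bits, guesses_per_second):
    """Days until a guesser at the given rate is expected to succeed."""
    return expected_guesses_for(entropy_bits) / guesses_per_second / 86400


if __name__ == "__main__":
    for user, logged_in, allowed in replay(SAMPLE_LOG):
        print(f"{user:6} allowed={allowed!s:5} logged_in={logged_in}")
    ONLINE_RATE = 12          # guesses/s, the figure given in the post
    OFFLINE_RATE = 1e9        # guesses/s against leaked hashes (assumed)
    for bits in (28, 40, 60):
        print(f"{bits}-bit password: online {days_to_expect_success(bits, ONLINE_RATE):.0f} days,"
              f" offline {days_to_expect_success(bits, OFFLINE_RATE):.4f} days")
```

The replay shows the online ceiling: even the correct password is refused once the account is throttled, so a guesser is held to the site's policy, not to its own hardware. The same 40-bit password that the assumed offline rate exhausts in minutes takes centuries at 12 guesses per second.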