[Discuss] Most common (or Most important) privacy leaks
Bill Bogstad
bogstad at pobox.com
Wed Feb 18 11:20:30 EST 2015
On Wed, Feb 18, 2015 at 4:15 AM, Richard Pieri <richard.pieri at gmail.com> wrote:
> So. Someone replied directly to me instead of the list suggesting that
> character length is an important factor in password security.
>
> Letter count is a pointless factor in password security. "Four score and
> seven years ago" is 30 characters and still trivially vulnerable to
> dictionary attacks. "We hold these truths to be self-evident" is 40
> characters and it is just as weak as the first example.
>
> Password reform starts with abandoning password rules and policies. Rules
> and policies are bad. Every policy that you enforce makes it easier for
> attackers to analyze passwords. If you have a policy that enforces a 15
> character minimum then an attacker knows to ignore everything that is 14 or
> fewer characters, and given human nature he can ignore everything over about
> 20 characters for most passwords. If you have a policy that enforces the use
> of at least one number then an attacker has 9 known possible plaintexts in
> every password. At least one capital letter is 26 known possible plaintexts.
> And so forth.
The problem with this that if you don't enforce a minimum length on passwords
a significant number of your users will use something that is probably less than
6 characters long. Of course, many of those would fall to a
dictionary attack as well.
And the same users are going to use "Four score ...." if you require
longer passwords,
so you lose anyway.
Bill Bogstad
More information about the Discuss
mailing list