Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] Most common (or Most important) privacy leaks



On Wed, Feb 18, 2015 at 4:15 AM, Richard Pieri <richard.pieri at gmail.com> wrote:
> So. Someone replied directly to me instead of the list suggesting that
> character length is an important factor in password security.
>
> Letter count is a pointless factor in password security. "Four score and
> seven years ago" is 30 characters and still trivially vulnerable to
> dictionary attacks. "We hold these truths to be self-evident" is 40
> characters and it is just as weak as the first example.
>
> Password reform starts with abandoning password rules and policies. Rules
> and policies are bad. Every policy that you enforce makes it easier for
> attackers to analyze passwords. If you have a policy that enforces a 15
> character minimum then an attacker knows to ignore everything that is 14 or
> fewer characters, and given human nature he can ignore everything over about
> 20 characters for most passwords. If you have a policy that enforces the use
> of at least one number then an attacker has 9 known possible plaintexts in
> every password. At least one capital letter is 26 known possible plaintexts.
> And so forth.

The problem with this is that if you don't enforce a minimum length on passwords,
a significant number of your users will use something that is probably less than
6 characters long. Of course, many of those would fall to a dictionary attack as well.
And the same users are going to use "Four score ...." if you require longer passwords,
so you lose anyway.

Bill Bogstad
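The two points argued above (a long quotation is still one dictionary entry, and every composition rule tells the attacker which candidates to skip) can be made concrete. The script below is an added example, not code from either poster or from BLU. It uses a small constructed "famous phrases" wordlist, unsalted SHA-256 as a stand-in for whatever hash the target system uses (a salted, slow hash raises the cost per guess but does not change the number of candidates), and a hypothetical policy_filter() that applies length, digit and uppercase rules the way an attacker would prune a wordlist before hashing anything.

```python
import hashlib
import math
import secrets
import string

# Constructed wordlist: a handful of phrases any attacker's "quotes" list
# would contain. Entry order is the attacker's guess order.
PHRASE_DICTIONARY = [
    "password",
    "password123",
    "Four score and seven years ago",
    "We hold these truths to be self-evident",
    "correct horse battery staple",
    "To be or not to be",
    "letmein",
    "Summer2015",
]

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def sha256_hex(password: str) -> str:
    """Stand-in for the stored hash. Real systems use salted bcrypt/argon2,
    which only raises the cost per guess, not the number of guesses."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist):
    """Hash each candidate in order until one matches.
    Returns (password, guesses_made) or (None, len(wordlist))."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
    return None, len(wordlist)


def policy_filter(candidates, min_len=0, require_digit=False, require_upper=False):
    """Keep only candidates that satisfy the site's published password policy.
    An attacker applies exactly this filter: anything the policy rejects
    cannot be a valid password, so it is never worth hashing."""
    kept = []
    for pw in candidates:
        if len(pw) < min_len:
            continue
        if require_digit and not any(c.isdigit() for c in pw):
            continue
        if require_upper and not any(c.isupper() for c in pw):
            continue
        kept.append(pw)
    return kept


def random_password(length: int) -> str:
    """Uniformly random password over ALPHABET (CSPRNG)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Search-space size in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # 30-character quotation: cracked on the third guess despite its length.
    phrase = "Four score and seven years ago"
    print(len(phrase), dictionary_attack(sha256_hex(phrase), PHRASE_DICTIONARY))

    # Publishing "15+ chars, one capital" shrinks the wordlist before any hashing.
    print(policy_filter(PHRASE_DICTIONARY, min_len=15, require_upper=True))

    # A 12-character random password is shorter than the quotation but is
    # not in any wordlist and has ~71 bits of search space.
    rnd = random_password(12)
    print(dictionary_attack(sha256_hex(rnd), PHRASE_DICTIONARY), keyspace_bits(12, 62))
```

The takeaway a practitioner should check against their own policy: run the deployed rule set through policy_filter() over a real leaked-password corpus and count what survives. That count, not the character minimum, is the attacker's effective workload against users who pick phrases.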



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org