Re: Re[2]: password aging
Ryan Russell (ryanr sybase.com)
Wed, 2 Sep 1998 16:17:16 -0700
This occurred to me as well. The obvious counter-argument
is that (assuming that it doesn't just generate them, but
forces them on people, and they can't pick their own) this
eliminates the much more stupid choices people will make
if given an opportunity.
It's probably not really fair to compare 18 million choices
with 309 million. It's more realistic to compare 18 million
with 50,000. This assumes a list of hashes that represent
some representative size group of people.
Of course, it's all moot, since many implementations would
have the worst of all possible worlds... FIPS generated passwords
that the user writes on a sticky, or manually changes to
"password." :)
Seriously though... 18 million to choose from, if the user
isn't allowed to pick their own, is a big improvement
over people being able to choose from the dictionary.
Ryan
Section 2.4 cites that the algorithm is capable of producing
"approximately 18 million 6-character" passwords; compare this with
the set of 309 million lowercase 6-character passwords, and we see
that the lack of entropy in the output has reduced the search space to
about 5% of its original size.
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:46 CDT