> That may not actually be such a bad password (on balance and in
> context). Sure it is a dictionary/leet word variant, but five
> characters actually carry plenty of entropy (if mixed case and numerics
> are also used). However, if you have an authentication mechanism that
> doesn't lock out an account and *allows* brute forcing, it doesn't
> really matter how strong the password is; given enough
> universe-lifetimes an attacker will always guess it eventually.
I second Martin's comment. There's no point in talking to users about
password selection if the application doesn't A) lock the account after X
number of failed attempts *AND* B) force password expiration/rotation.
There's a very basic mathematical formula found in the Department of Defense
Password Management Guideline[1] that can be used to calculate the risk
associated with any particular password policy versus brute force guessing.
Definitely required reading for anyone designing or specifying a password
authentication mechanism.
PaulM
[1]
http://www.fas.org/irp/nsa/rainbow/std002.htm-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be considered a crucial phase in the development of any web application. What methodology should be followed? What tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F-------------------------------------------------------------------------
