PerlMonks  

Re: Password Generation and Module Multiplication

by CountZero (Bishop)
on Nov 23, 2010 at 16:45 UTC


in reply to Password Generation and Module Multiplication

What all these password complexity rules do is to actually reduce the set of possible passwords by several orders of magnitude and thereby make brute force attacks many times easier.

The only way to avoid users using easy to guess passwords (their user name, or date of birth, or ...) is to not allow them to choose their own password but provide them with a random password they have to use. For real security, you cannot trust the user to come up with a strong password.

As far as computer security is concerned, "ADAM" is as good a password as "uhulhbjGKVOILHS885AS72JGHS65G33".

Just by spelling out the complexity rules of the password, you have made it so much easier for hackers. The only good rule as far as security is concerned is "there are no rules, other than 'throw some random characters together'."

CountZero

"A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James


Re^2: Password Generation and Module Multiplication
by raybies (Chaplain) on Nov 24, 2010 at 13:29 UTC
    Not to mention you can't remember strong passwords, so you tend to write them down. I once had to generate a password for some military app that was so bad, it had to be some 20+ characters without any common words, nor could you use common numbers and symbols in place of letters, so a password like "P@$$W0rd" wouldn't work. I ended up writing it down somewhere... in my own special code I made up so as to confuse anyone who saw it (mostly inspectors who will write you up if they find passwords written on papers glued to monitors).
      Yes, that is absolutely the downside of strong random passwords: nobody can remember them and therefore writes them down on a piece of paper and then tapes that to his/her monitor!

      As soon as you write something fool-proof, along comes a better fool.

      CountZero


Re^2: Password Generation and Module Multiplication
by ysth (Canon) on Nov 28, 2010 at 08:11 UTC

    Brute force attacks against a single password, granted.

    But without complexity rules, a letter-only brute force attack or rainbow table attack against a list of hashed passwords will too easily pick off the lazy users. I'd assume the complexity rules are really designed to protect against this case.

    --
    A math joke: r = | |csc(θ)|+|sec(θ)|-||csc(θ)|-|sec(θ)|| |
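To put numbers on the trade-off argued in this subthread (CountZero's claim that spelled-out rules shrink the search space, ysth's point that they rule out letter-only guessing), here is an added example that is not from the original thread: it counts, by inclusion-exclusion, how many length-n strings a "use at least one character from every class" rule accepts, against all length-n strings over the same 95 printable ASCII characters and against the lowercase-only space a letter-only brute-force search covers. The four class sizes and the rule itself are constructed assumptions, not anything the posters specified.

```python
from itertools import combinations
from math import log2

# Disjoint character classes of printable ASCII (a constructed assumption
# for this example; the thread itself names no specific character set).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def total_keyspace(length, classes=CLASSES):
    """Number of strings of `length` over the union of all classes."""
    return sum(classes.values()) ** length


def rule_keyspace(length, classes=CLASSES):
    """Number of strings of `length` containing at least one character from
    every class, i.e. the strings a 'use every class' rule accepts.
    Inclusion-exclusion: subtract strings that omit one class, add back
    those that omit two, subtract those that omit three, and so on."""
    sizes = list(classes.values())
    n = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for omitted in combinations(sizes, k):
            count += (-1) ** k * (n - sum(omitted)) ** length
    return count


def lowercase_keyspace(length, classes=CLASSES):
    """Strings a letter-only search (ysth's scenario) would have to cover."""
    return classes["lower"] ** length


def bits(count):
    """Search-space size in bits; 0 for an empty space."""
    return log2(count) if count > 0 else 0.0


def compare(length):
    """Bits of search space at `length` for each of the three policies."""
    return {
        "any": bits(total_keyspace(length)),
        "rule": bits(rule_keyspace(length)),
        "lowercase_only": bits(lowercase_keyspace(length)),
    }


if __name__ == "__main__":
    for n in (8, 12):
        print(n, {k: round(v, 1) for k, v in compare(n).items()})
```

Passing a different `classes` dict (for example dropping `symbol`) shows how the accepted fraction changes with the rule, which is the quantity both posters are arguing about.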

      That, basically, is the case. The number-one most often used password is: password. Close behind it are: enter, secret.

      Nevertheless, it doesn't work. Enforcing complex password rules simply causes more passwords to be written down. When a system is broken into, it usually is not from "forcing" a password. There are too many "other" ways into a complex system.
