NYCPHP Meetup

NYPHP.org

[nycphp-talk] password strength enforcement

Adam Maccabee Trachtenberg adam at trachtenberg.com
Sun Apr 11 20:32:09 EDT 2004


On Sun, 11 Apr 2004, jon baer wrote:

> Just FYI, this is what is meant by "brute force" and you are right a lot of
> *crackers* allow you to adjust the amount of digits which *must* appear in
> the password, BUT to prevent this type of cracking you do *not* want to
> publicize what your password policy is ... a lot of signup forms make this
> terrible presumption that guys signing up to a form are legit people when in
> fact if you have an error message like:
>
> password:
> * must use 3 digits
> * must be 6 - 8 characters long (or max)
>
> You kinda give away a lot of info :-)

I don't know. Do you really think it's better to make the user guess
through trial and error? If I were signing up for your site, I'd get
frustrated pretty quickly.

Besides, it's not that hard for a cracker to try a few sample
passwords and generalize what does and doesn't make it through your
filters.

The real purpose of enforcing these types of rules is to push your
passwords into a state space large enough to make brute force attacks
computationally expensive. There are more potential passwords of
exactly six letters than there are of any number between one and five
letters combined!

So, letting a cracker know he can skip short passwords doesn't really
help him out all that much. (Likewise, for skipping dictionary
attacks.) Plus, if you can't detect someone trying to sign in to an
account over a billion times, you've got a much larger problem. :)

-adam

-- 
adam at trachtenberg.com
author of o'reilly's php cookbook
avoid the holiday rush, buy your copy today!
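The key-space arithmetic behind the two positions in this exchange, as an added example that is not part of either poster's message. It checks the claim that exactly-six-letter passwords outnumber all shorter ones combined, and then works through the quoted policy ("6 - 8 characters, must use 3 digits") to show how much a published rule does and does not narrow the space a defender is relying on. The alphabet sizes (26 lowercase letters, 10 digits) and the guess rate are constructed assumptions for illustration.

```python
"""Password key-space estimates for comparing policies (added example; all inputs constructed)."""
from math import comb


def keyspace_exact(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def keyspace_upto(alphabet_size: int, max_length: int) -> int:
    """Distinct passwords of every length from 1 through `max_length`, combined."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


def keyspace_with_digit_rule(letters: int, digits: int, length: int, required_digits: int) -> int:
    """Passwords of exactly `length` symbols drawn from `letters` letters and `digits` digits
    that contain at least `required_digits` digits.

    For each digit count k >= required_digits: choose which k positions hold digits,
    fill them from the digit alphabet, fill the rest from the letter alphabet.
    With required_digits=0 this collapses to (letters + digits) ** length.
    """
    total = 0
    for k in range(required_digits, length + 1):
        total += comb(length, k) * digits ** k * letters ** (length - k)
    return total


def policy_keyspace(letters: int, digits: int, min_len: int, max_len: int, required_digits: int) -> int:
    """Total candidates admitted by a 'min_len..max_len characters, at least N digits' policy."""
    return sum(keyspace_with_digit_rule(letters, digits, n, required_digits)
               for n in range(min_len, max_len + 1))


def brute_force_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole key space at a given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    LETTERS, DIGITS = 26, 10  # constructed: lowercase letters plus decimal digits

    # Adam's claim: exactly six letters beats lengths one through five combined.
    six = keyspace_exact(LETTERS, 6)
    shorter = keyspace_upto(LETTERS, 5)
    print(f"26^6 = {six:,}; 26^1..26^5 combined = {shorter:,}; ratio = {six / shorter:.1f}x")

    # Jon's quoted policy: 6-8 characters with at least 3 digits.
    published = policy_keyspace(LETTERS, DIGITS, 6, 8, 3)
    unconstrained = policy_keyspace(LETTERS, DIGITS, 6, 8, 0)
    letters_only = sum(keyspace_exact(LETTERS, n) for n in range(6, 9))
    print(f"6-8 alphanumeric, >=3 digits: {published:,}")
    print(f"6-8 alphanumeric, no rule:    {unconstrained:,}")
    print(f"6-8 letters only:             {letters_only:,}")

    # Offline vs online: a billion guesses/second (constructed rate) is the offline
    # regime; an online login endpoint that allows anything like that is the real problem.
    print(f"seconds to exhaust published policy at 1e9/s: {brute_force_seconds(published, 1e9):,.0f}")
```

Two things fall out of the numbers. Knowing the rule does shrink the search space relative to unconstrained alphanumerics of the same length, which is Jon's point; but the rule also pushes users out of the letters-only space, which is what the policy was for, and even the narrowed space is far beyond what an online login endpoint should ever let a single account absorb without rate limiting or lockout, which is Adam's.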


