An interesting read. They do a pretty good jerb of covering the related theory and math as well without getting too far off topic.
tfa wrote:
We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the userID's rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.
Do complex passwords actually accomplish anything?
- complacent
- DCAWD Founding Member
- Posts: 11651
- Joined: Sun Aug 29, 2004 8:00 pm
- Location: near the rockies. very.
Do complex passwords actually accomplish anything?
Link to paper found here.
colin
a tank, a yammie, a spaceship
i <3 teh 00ntz
- sirwilliam
- Resident Poop Expert
- Posts: 7226
- Joined: Mon Aug 01, 2005 1:27 pm
- Location: The Wild Serengeti Suburbs
Re: Do complex passwords actually accomplish anything?
Thanks for the interesting read! 

2004 SG Model A PearlBlackObsidian (RIP)
2008 SG Model D BlueRallyWorld
"When I get sad, I stop being sad and be awesome instead. True story." -Barney Stinson
"Nothing shuts my pie-hole but pie." -Shawn Spencer
- Mr Kleen
- DCAWD Founding Member
- Posts: 15034
- Joined: Mon Apr 18, 2005 6:46 pm
- Location: Wiesbaden.DE
Re: Do complex passwords actually accomplish anything?
I'm going to forward the link to my work account and read this on the clock. 

-
- Moderator
- Posts: 6314
- Joined: Wed Oct 19, 2005 1:15 am
- Location: Alexandria
Re: Do complex passwords actually accomplish anything?
without having clicked the link yet (will do on the clock as well), does it address frequency of forced password changes regardless of complexity as it pertains to security?
-Ben


- complacent
- DCAWD Founding Member
- Posts: 11651
- Joined: Sun Aug 29, 2004 8:00 pm
- Location: near the rockies. very.
Re: Do complex passwords actually accomplish anything?
chicken n waffles wrote:
without having clicked the link yet (will do on the clock as well), does it address frequency of forced password changes regardless of complexity as it pertains to security?
not really. the article focuses mainly on how much data needs to be gathered to brute out a decent success rate and roughly what those figures are given a known password's strength (6 vs 8 chars, complexity requirements, etc)
colin
a tank, a yammie, a spaceship
i <3 teh 00ntz
- Libra Monkee
- Moderator
- Posts: 6478
- Joined: Wed Mar 29, 2006 11:04 pm
- Location: The Ether
Re: Do complex passwords actually accomplish anything?
Moved
-----------------------------------
This is a good read though. Basically saying that no matter how strong a password is, with today's technology all it takes to crack it is: time.

Libra Monkee- "Helping DCAWD meet its Equal Opportunity requirement since 2006."