Page 1 of 1
Do complex passwords actually accomplish anything?
Posted: Wed Jul 15, 2009 11:36 am
by complacent
Link to paper found
here.
tfa wrote:We find that traditional password advice given to users
is somewhat dated. Strong passwords do nothing to
protect online users from password stealing attacks such
as phishing and keylogging, and yet they place consid-
erable burden on users. Passwords that are too weak of
course invite brute-force attacks. However, we ¯nd that
relatively weak passwords, about 20 bits or so, are suf-
¯cient to make brute-force attacks on a single account
unrealistic so long as a \three strikes" type rule is in
place. Above that minimum it appears that increasing
password strength does little to address any real threat.
If a larger credential space is needed it appears better
to increase the strength of the userID's rather than the
passwords. For large institutions this is just as e®ective
in deterring bulk guessing attacks and is a great deal
better for users. For small institutions there appears
little reason to require strong passwords for online ac-
counts.
An interesting read. They do a pretty good jerb of covering the related theory and math as well without getting too far off topic.
Re: Do complex passwords actually accomplish anything?
Posted: Wed Jul 15, 2009 12:21 pm
by sirwilliam
Thanks for the interesting read!
Re: Do complex passwords actually accomplish anything?
Posted: Wed Jul 15, 2009 4:58 pm
by Mr Kleen
I'm going to forward the link to my work account and read this
on the clock.
Re: Do complex passwords actually accomplish anything?
Posted: Thu Jul 16, 2009 6:58 am
by chicken n waffles
without having clicked the link yet (will do on the clock as well), does it address frequency of forced password changes regardless of complexity as it pertains to security?
Re: Do complex passwords actually accomplish anything?
Posted: Thu Jul 16, 2009 9:47 am
by complacent
chicken n waffles wrote:without having clicked the link yet (will do on the clock as well), does it address frequency of forced password changes regardless of complexity as it pertains to security?
not really. the article focuses mainly on how much data needs to be gathered to brute out a decent success rate and roughly what those figures are given a known passwords strength (6 vs 8 chars, complexity requirements, etc)
Re: Do complex passwords actually accomplish anything?
Posted: Thu Jul 16, 2009 10:17 am
by Libra Monkee
Moved
-----------------------------------
This is a good read though. Basically saying that no matter how strong a password is, with today's technology all it takes to crack it is: time.