Educause Security Discussion mailing list archives
Re: Password Complexity and Aging
From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Tue, 14 Apr 2009 00:15:07 -0400
You can also help fight brute force attacks with counters that lock the account for a short period of time after a certain number of failed attempts. These locks won't eliminate the possibility of brute force, but now you've made the attacker stop trying for 5-15 minutes every 5-10 failed attempts. Do the math on that and most sane attackers are going to look elsewhere.

All of these things are just pieces of defense in depth. In a security-only world where productivity and convenience had no place, we'd all have massively complex passwords that changed with each login. In the real world, we find the right mix of compromises for our environments. We make the passwords "strong enough", we change them "often enough", we lock them up after "enough" failed attempts. Ultimately, you're adding the controls together until you get to a point where you have "enough" protection to cover your risk tolerance.

On Mon, Apr 13, 2009 at 11:18 PM, Basgen, Brian <bbasgen () pima edu> wrote:
> brute force attack against passwords CAN'T be stopped if the attacker is given unlimited time and that long passwords that change frequently are a proper and effective defense against that activity. Brute force can be effectively mitigated through strong entropy without any change frequency requirement. 72-bit strength has not been publicly cracked, and it is widely accepted that 128-bits is such a massive key space that a revolution in processing (e.g. quantum computing) would be required to brute force it. Moore's law just can't compete against the ease with which key lengths can be increased.
>
> ~~~~~~~~~~~~~~~~~~
> Brian Basgen
> Information Security
> Pima Community College
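The two controls discussed in this exchange, a failed-attempt lockout counter and password entropy, can both be put into numbers. The following is an added example written for this archive page, not code from either poster or from any product they use: it implements a per-account lockout counter of the kind Mike describes (N failures, then a lock of a fixed length), and it works through "do the math" by computing how many guesses an online attacker can make per day under that policy versus what an offline attacker gets against a stolen hash, which is where Brian's entropy argument applies. The threshold of 5 failures, the 15-minute lock and the guess rates are constructed sample values, and the `ManualClock` is a test stand-in for a real monotonic clock.

```python
import math
import time

# --- the control: a lockout counter ------------------------------------------
class LockoutCounter:
    """Locks an account for lock_seconds after `threshold` consecutive failures.

    The authentication flow is expected to call is_locked() before verifying a
    credential, record_failure() on a bad credential, and record_success() on
    a good one. A clock callable is injected so the logic can be tested offline.
    """

    def __init__(self, threshold=5, lock_seconds=15 * 60, clock=time.monotonic):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> clock value when the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # lock has expired: clear it and start counting from zero again
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account):
        """Count a failed attempt; returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.threshold:
            self._locked_until[account] = self.clock() + self.lock_seconds
            return True
        return False

    def record_success(self, account):
        """A good login resets the failure count (only reachable when unlocked)."""
        self._failures.pop(account, None)


class ManualClock:
    """Constructed clock for demonstration: time only advances when we say so."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now


# --- "do the math": attacker throughput under the two scenarios ---------------
def password_entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)

def online_guesses_per_day(attempts_before_lock, lock_minutes):
    """Worst case for the defender: the attacker burns all attempts, waits out
    the lock, and repeats for a full day."""
    cycles_per_day = (24 * 60) / lock_minutes
    return attempts_before_lock * cycles_per_day

def expected_seconds_to_guess(entropy_bits, guesses_per_second):
    """On average the right guess is found after half the space is searched."""
    return (2 ** (entropy_bits - 1)) / guesses_per_second

def expected_days_to_guess_online(entropy_bits, attempts_before_lock, lock_minutes):
    return (2 ** (entropy_bits - 1)) / online_guesses_per_day(attempts_before_lock, lock_minutes)


if __name__ == "__main__":
    clock = ManualClock()
    counter = LockoutCounter(threshold=5, lock_seconds=15 * 60, clock=clock)
    for _ in range(5):
        counter.record_failure("alice")
    print("locked after 5 failures:", counter.is_locked("alice"))
    clock.now = 15 * 60
    print("locked after 15 minutes:", counter.is_locked("alice"))

    bits = password_entropy_bits(8, 26)  # 8 lowercase letters, constructed example
    print(f"8 lowercase letters: {bits:.1f} bits")
    print("online guesses/day with 5-then-15min lockout:", online_guesses_per_day(5, 15))
    print(f"expected days online: {expected_days_to_guess_online(bits, 5, 15):.0f}")
    # offline guess rate is a constructed figure, not a measurement
    print(f"expected seconds offline at 1e9/s: {expected_seconds_to_guess(bits, 1e9):.0f}")
```

The point the numbers make is the one both posters are circling: the lockout turns an 8-lowercase-letter password from seconds offline into decades online, but it does nothing once the hash is stolen, so the offline figure is what the entropy argument has to carry. Two caveats worth keeping in view when deploying a counter like this: a lock that any unauthenticated party can trigger is also a way to deny a user their own account, so pair it with alerting on lock events, and count failures per account rather than per source address, since an attacker spreading guesses across many addresses otherwise never hits the threshold.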