Re: Password policy publication

["Shalla, Kevin" <kshalla () UIC EDU>]

So the systems are not configured to lock an account after a certain
number of failed password attempts?  Isn't brute force by definition dumb,
and it doesn't try just common passwords (and so try billions of
passwords)?  Or maybe brute-force is smarter now, and first does a
dictionary attack, then uses strings containing the username, etc..  But
still, isn't it going to try hundreds, if not thousands of passwords?

On Tue, October 28, 2008 9:32 am, Roger Safian wrote:
> At 09:26 AM 10/28/2008, Shalla, Kevin put fingers to keyboard and wrote:
> > Doesn't this require stealing the password file, so that you can run the
> > brute-force attack?  Or are we protecting from sysadmins who already have
> > access to the password file?
>
> Not really...I've seen brute force attempts many times in my logs.
> You just try common passwords, and hope for the best.