Educause Security Discussion mailing list archives

Re: Password Complexity and Aging


From: Mike Waller <mwaller.distro () GMAIL COM>
Date: Tue, 14 Apr 2009 00:15:07 -0400

You can also help fight brute force attacks with counters that lock the
account for a short period of time after a certain number of failed
attempts. These locks won't eliminate the possibility of brute force, but
now you've made the attacker stop trying for 5-15 minutes every 5-10 failed
attempts. Do the math on that and most sane attackers are going to look
elsewhere.

All of these things are just pieces of defense in depth. In a security-only
world where productivity and convenience had no place, we'd all have
massively complex passwords that changed with each login. In the real world,
we find the right mix of compromises for our environments. We make the
passwords "strong enough", we change them "often enough", we lock them up
after "enough" failed attempts. Ultimately, you're adding the controls
together until you get to a point where you have "enough" protection to
cover your risk tolerance.

On Mon, Apr 13, 2009 at 11:18 PM, Basgen, Brian <bbasgen () pima edu> wrote:

brute force attack against passwords CAN'T be stopped if the attacker is
given unlimited time and that
long passwords that change frequently are a proper and effective defense
against that activity.

Brute force can be effectively mitigated through strong entropy without any
change frequency requirement. 72-bit strength has not been publicly cracked,
and it is widely accepted that 128-bits is such a massive key space that a
revolution in processing (e.g. quantum computing) would be required to brute
force it. Moore's law just can't compete against the ease with which key
lengths can be increased.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
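Worked example added by the editor to put numbers on both points in this exchange: Mike's lockout counter and his "do the math" remark, and Brian's entropy argument. This is not code from either poster or from Educause. The 5-failures/10-minute policy, the 94-character alphabet, the 10^12 guesses/second offline rate and the check_password(user, password) -> bool interface are assumptions chosen for illustration.

```python
import math
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5     # failed attempts allowed before the lock engages (assumed)
    lock_seconds: int = 600   # lock duration; 10 min, mid-range of the 5-15 min quoted


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class FakeClock:
    """Controllable clock so the lock can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    """Per-account failed-attempt counter with a temporary lock.

    check_password is a stand-in for the real credential verifier (assumed
    interface: check_password(user, password) -> bool). The lock is checked
    before the password, so a correct guess during a lock is refused too;
    otherwise the lock would be trivially bypassed.
    """

    def __init__(self, policy, check_password, clock=time.monotonic):
        self.policy = policy
        self.check_password = check_password
        self.clock = clock
        self.state = {}

    def attempt(self, user, password):
        st = self.state.setdefault(user, AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if self.check_password(user, password):
            self.state[user] = AccountState()   # success clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lock_seconds
            st.failures = 0                      # fresh window once the lock expires
            return "locked"
        return "denied"


def online_guesses_per_day(policy):
    """Upper bound on guesses per day against one account under the policy:
    max_failures quick guesses, then lock_seconds of forced waiting."""
    return policy.max_failures * 86400 / policy.lock_seconds


def random_password_entropy_bits(length, alphabet_size):
    """Entropy of a password drawn uniformly at random. Human-chosen
    passwords carry far less; this figure only applies to generated ones."""
    return length * math.log2(alphabet_size)


def expected_days_to_crack(entropy_bits, guesses_per_second):
    """Expected time to hit a uniformly random secret: half the key space
    divided by the guess rate (offline, e.g. against a stolen hash)."""
    return 2 ** (entropy_bits - 1) / guesses_per_second / 86400


def expected_days_online(entropy_bits, policy):
    """Same expectation, but throttled to what the lockout policy allows."""
    return 2 ** (entropy_bits - 1) / online_guesses_per_day(policy)


if __name__ == "__main__":
    policy = LockoutPolicy()
    clock = FakeClock()
    guard = LoginGuard(policy, lambda u, p: p == "correct horse", clock)
    print([guard.attempt("alice", "wrong%d" % i) for i in range(6)])
    clock.advance(policy.lock_seconds)
    print(guard.attempt("alice", "correct horse"))
    print("online guesses/day under policy:", online_guesses_per_day(policy))
    weak = random_password_entropy_bits(8, 26)      # 8 random lowercase letters
    print("8 lowercase chars online: %.3g days" % expected_days_online(weak, policy))
    strong = random_password_entropy_bits(12, 94)   # 12 random printable chars
    for bits in (weak, strong, 72, 128):
        print("%.1f bits offline at 1e12/s: %.3g days"
              % (bits, expected_days_to_crack(bits, 1e12)))
```

The online figure is the one Mike's "do the math" points at: even a short random password becomes impractical to guess through a 5-per-10-minutes lock. The offline figures are where Brian's 72-bit and 128-bit numbers live, because a lockout counter does nothing for a hash the attacker has already copied. Two caveats a deployer should weigh: the per-account counter is also a denial-of-service lever (anyone who knows a username can lock it), and the entropy function assumes generated passwords, not chosen ones.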

