RE: looking for a webapp bruteforce video for non-techies

["Paul Melson" <pmelson () gmail com>]

> That may not actually be such a bad password (on balance and in
> context).  Sure it is a dictionary/leet word variant, but five
> characters actually carry plenty of entropy (if mixed case and numerics
> are also used).  However, if you have an authentication mechanism that
> doesn't lock out an account and *allows* brute forcing, it doesn't
> really matter how strong the password is; given enough
> universe-lifetimes an attacker will always guess it eventually.

I second Martin's comment.  There's no point in talking to users about
password selection if the application doesn't A) lock the account after X
number of failed attempts *AND* B) force password expiration/rotation.
There's a very basic mathematical formula found in the Department of Defense
Password Management Guideline[1] that can be used to calculate the risk
associated with any particular password policy versus brute force guessing.
Definitely required reading for anyone designing or specifying a password
authentication mechanism.


PaulM

[1] http://www.fas.org/irp/nsa/rainbow/std002.htm


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------