WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: looking for a webapp bruteforce video for non-techies

From: "Robin Wood" <dninja () gmail com>
Date: Tue, 3 Jun 2008 17:08:02 +0100
2008/6/3 Martin O'Neal <martin.oneal () corsaire com>:



It didn't help that the password was only 5
characters!


That may not actually be such a bad password (on balance and in
context).  Sure it is a dictionary/leet word variant, but five
characters actually carry plenty of entropy (if mixed case and numerics
are also used).  However, if you have an authentication mechanism that
doesn't lock out an account and *allows* brute forcing, it doesn't
really matter how strong the password is; given enough
universe-lifetimes an attacker will always guess it eventually.


Trust me, it is a VERY bad password in these circumstances!

Robin

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: