nanog mailing list archives
Re: AD and enforced password policies
From: Steven Bellovin <smb () cs columbia edu>
Date: Mon, 2 Jan 2012 21:16:28 -0500
On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote:
I just went through some calculations for a (government) site that has the following rules:[...]Under the plausible assumption that very many people will start with a string of digits, continue with a string of lower-case letters to reach seven characters, and then add a period, there are only ~5,000,000,000 choices. That's not many at all -- but the rules look just fine...1234;lkj rolls off the fingers quite nicely, don't you think?
OK -- let's let the set of punctuation be .,; and allow seven choices for where it goes. That increases the work factor by 21 -- still not that large a space for someone with a good botnet. The real question is what you're trying to protect. If the attacker's goal is to get *some* password, then I think he or she will get succeed, because I think that very many people will follow my assumed pattern -- enough that the attacker has a good chance of winning. Sure, some people will pick stronger ones -- but that isn't the point of the exercise. Passwords and password rules are the *enemy* to most people. --Steve Bellovin, https://www.cs.columbia.edu/~smb
Current thread:
- Re: AD and enforced password policies, (continued)
- Re: AD and enforced password policies Randy Bush (Jan 03)
- Re: AD and enforced password policies Todd Underwood (Jan 03)
- Re: AD and enforced password policies Steven Bellovin (Jan 03)
- RE: AD and enforced password policies Jones, Barry (Jan 05)
- Re: AD and enforced password policies Gary Buhrmaster (Jan 03)
- Re: AD and enforced password policies Jimmy Hess (Jan 03)
- Re: AD and enforced password policies Måns Nilsson (Jan 04)
- Re: AD and enforced password policies Steven Bellovin (Jan 02)
- Re: AD and enforced password policies Lyndon Nerenberg (Jan 02)
- Re: AD and enforced password policies Steven Bellovin (Jan 02)
- Re: AD and enforced password policies Jimmy Hess (Jan 02)