RE: looking for a webapp bruteforce video for non-techies

["Paul Melson" <pmelson () gmail com>]

> That may not actually be such a bad password (on balance and in
> context).  Sure it is a dictionary/leet word variant, but five
> characters actually carry plenty of entropy (if mixed case and numerics
> are also used).  However, if you have an authentication mechanism that
> doesn't lock out an account and *allows* brute forcing, it doesn't
> really matter how strong the password is; given enough
> universe-lifetimes an attacker will always guess it eventually.

I second Martin's comment.  There's no point in talking to users about
password selection if the application doesn't A) lock the account after X
number of failed attempts *AND* B) force password expiration/rotation.
There's a very basic mathematical formula found in the Department of Defense
Password Management Guideline[1] that can be used to calculate the risk
associated with any particular password policy versus brute force guessing.
Definitely required reading for anyone designing or specifying a password
authentication mechanism.


PaulM

[1] http://www.fas.org/irp/nsa/rainbow/std002.htm


-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------