Dictionary Attacks 101

26 x 26 x 26 x 26 x 26 x 26 x 26 x 1 = 8,031,810,176

I think that’s a bit wrong. You’ve got 7 26’s there instead of 8 and a 1 instead of 10: 26^8 x 10^1.

You raise a very good point. It’s something I haven’t done, but it’s definitely something I’m going to do in the future.

I wonder if all OpenID providers have time delays on login attempts?

eight character all lowercase, ending in 1

I think it’s correct. Password in the form of:

abcdefg1

  • 8 characters total
  • all lowercase
  • ending in 1

OK. I misread. I thought it was 8 alphas plus 1 (any) numeric. My bad.

It’s 26^7 x 1 because he assumes 1 is the most common last part of any password. password1 was the most common password from the linked article, as well as slipknot1, qwerty1, soccer1 and basketball1.

For websites, I put my trust in passwordmaker.org plugin, unique cryptic password for every site I need to log into. And I just need to remember 1 master password.

Tracking it on the server means more server resources. Durr

I believe the OP was referring to literally pausing and holding open a connection on the webserver and client for (n) seconds.

I have taken to using YouTube IDs as passwords. If I forget my password, I just check out the video.
Explained here:
http://www.snowstone.com/archives/000479.html

Great article! It’s about time more people start using OpenID.

So, if I want to DOS a particular Twitter user I don’t like, I would just need to fail a login to their account a few times per minute?

The problem with throttling is that it’s hard to implement correctly such that it doesn’t invite harm to legitimate users. You have to pay attention to the source of the attack, which can be challenging given large caching proxies.

every rinky-dink website on the planet demands that I create unique credentials especially for them

Hopefully the rise of OpenID will mean that this happens fewer and fewer times. More convenient for the users, more secure for everyone (as long as the OpenID providers get it right).

It’s more typical for each failed login attempt to take longer and longer, like so:

and add a good captcha after the third failed attempt.
(Thinking of re-captcha or similar here)

@Alex Scordellis

We have to hope that all OpenID providers implement some sort of throttling on the account.

I bet the larger ones like Google, Yahoo and AOL do. But what about the smaller providers?

Login attempt throttling should be part of the OpenID spec, which, to my knowledge, it isn’t.

The best way to protect your account from this type of attack is to use a long, well-mixed password.

Don’t know about anyone else, but I tend to use the same credentials for forums and similar things, because I am not too bothered if it gets hacked: it’s only going to give them at most my email address, as I put in made-up details for everything else.

It saves a lot of remembering passwords, which I think is a big problem for everyone since every other website needs a login. I use much better and unique passwords for stuff like banking and so on. If lots of people do similar things, it would probably adjust the results.

Minor problem with the MySpace survey. It preselects users vulnerable to phishing attacks. Presumably, people with stronger passwords would also be less likely to appear in this set. This skews the results toward the bad password point that you are trying to prove.

Still, a good lesson that we can teach our non-techie friends. Let’s all point them toward Super Gen Pass.

I recently tried changing my password at a famous ISP (I won’t mention names, but it rhymes with girth-wink). They’re policy is:

* Capitalization matters (make sure CAPS LOCK is turned off)
* Your password must be between 6 and 8 characters
* It can contain letters and numbers but no symbols

I don’t know if they have any throttling, but I think it would be a good idea–especially for the making that policy! :wink:
–dang

Oops–their, not they’re. Time for some coffee.
–dang

Hmmm… is there any throttling for adding comments to this blog?
–dang

Hey Now Jeff,

Gotta love those password charts!

Coding Horror Fan,

Catto

This can lead to denial of service attacks, however, and is generally discouraged. It’s more typical for each failed login attempt to take longer and longer

I guess you should probably stop at something like 10 seconds after the first few unsuccessful tries, otherwise an attacker could still cause a DOS for a user thanks to throttling.

Even more secure is the captcha after a few tries, as stated by Schalk Versteeg.

Additionally, sites should reply with something like “username and/or password incorrect”, instead of pointing out whether the username was wrong or the password was wrong.
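The throttle this thread converges on, written out as an added example (not code from the post or from any commenter): the delay doubles after each failure but is capped at 10 seconds so the throttle itself cannot become a denial of service, a CAPTCHA is demanded after the third failure, failures are counted per account and source address so a stranger hammering one account does not lock its owner out, and the error message never says which half was wrong. The user, password and addresses are constructed for the demo.

```python
import hmac
from dataclasses import dataclass, field

MAX_DELAY = 10.0     # cap the growing delay so the throttle cannot lock a user out for long
CAPTCHA_AFTER = 3    # demand a CAPTCHA once this many failures have accrued

# Constructed demo credential store; a real one holds slow password hashes, not plaintext.
USERS = {"alice": "slipknot1"}

def verify(account: str, password: str) -> bool:
    stored = USERS.get(account, "")
    # Compare in constant time even for unknown accounts, then reject empty stores.
    return hmac.compare_digest(stored, password) and stored != ""

@dataclass
class LoginThrottle:
    # Failures are keyed by (account, source) so an attacker guessing at "alice"
    # from one address does not block alice logging in from her own.
    failures: dict = field(default_factory=dict)
    next_allowed: dict = field(default_factory=dict)

    @staticmethod
    def delay_for(n_failures: int) -> float:
        """Delay after the n-th consecutive failure: 1, 2, 4, 8, then capped at MAX_DELAY."""
        return 0.0 if n_failures == 0 else min(MAX_DELAY, float(2 ** (n_failures - 1)))

    def login(self, account, source, password, captcha_ok, now):
        key = (account, source)
        n = self.failures.get(key, 0)
        if now < self.next_allowed.get(key, 0.0):
            return "throttled"                    # still inside the back-off window
        if n >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha required"
        if verify(account, password):
            self.failures.pop(key, None)          # success resets the counter
            self.next_allowed.pop(key, None)
            return "ok"
        self.failures[key] = n + 1
        self.next_allowed[key] = now + self.delay_for(n + 1)
        # One message whether the account or the password was wrong.
        return "username and/or password incorrect"

def scenario():
    """Attacker guesses at alice from one address while alice logs in from another."""
    t = LoginThrottle()
    atk, own = "203.0.113.5", "198.51.100.7"          # constructed addresses
    return [
        t.login("alice", atk, "password1", False, 0.0),   # wrong: 1 s back-off
        t.login("alice", atk, "qwerty1", False, 0.5),     # inside the window: throttled
        t.login("alice", own, "slipknot1", False, 0.5),   # alice from her own address: ok
        t.login("alice", atk, "qwerty1", False, 1.0),     # wrong: 2 s back-off
        t.login("alice", atk, "soccer1", False, 3.0),     # wrong: 4 s back-off
        t.login("alice", atk, "slipknot1", False, 7.0),   # third failure reached: CAPTCHA first
    ]
```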

Even if there has been much improvement in broadband connections, it’s mostly in regard to bandwidth.
It takes time to reach the Twitter server, send an HTTP request, and get the result. My guess is that in the best of circumstances, it would still take 50 to 100ms to try just one password.
I think the weakness here is more that the password was extremely easy to find with a dictionary attack and with only a few attempts. A slightly more elaborate password could have required much more time, even with unlimited login attempts.