Hardware Assisted Brute Force Attacks: Still For Dummies

Like you can’t combine parallelism and rainbows.

Seriously…

(and I’m not even considering the fact that most people’s passwords are weak, and when you do mass cracking even without rainbows it’s still really cool to be just a constant factor faster)

Of course, my bank requires PINs to be 4 digits in length…
when I told them that was completely useless, they told me it was for “convenience”

Thing about bank PINs is that you can’t brute-force them, since you only get three tries; after which, usually, the machine eats your card (or the web site locks your account for 24 hrs, or whatever). This gives any potential thief only a 1 in 3333 chance of getting in through pure guesswork.

I put together, based on your formula, a basic password checker, to see how secure a password/passphrase is against a brute force attack.

Let me know if you’re curious.

The requirement for stronger passwords at my company has reached a point of diminishing return. The more complex the password, the greater the chance of finding the password taped to the bottom of the keyboard.

Everyone here suggesting using account lockout to prevent brute force attacks ought to read this:

“Even though the guide recommends configuring account lockout at 50 tries, I urge you not to configure account lockout. First, as the initial article of this series described, the chances that an attacker will guess a reasonable password are so remote as to not justify this option. Second, an attacker is highly likely to take your account lockout setting and convert it to a denial-of-service attack by locking out every account on the system. Third, most vulnerability assessment tools will lock out all the accounts on your domain. In the end, whether you use account lockout is a matter of your security policy, and debate whether it provides value. Keep in mind, however, that account lockout problems represent some of the most frequent technical support issues with Microsoft support services, and resetting an account costs an average of $70 per incident. If your security policy is so stringent that you believe these numbers are acceptable, and your policy cannot enforce reasonable passwords, you might still choose to configure account lockout. If not, do your Help Desk and budget a favor, and avoid it.”

It’s here: http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx
This link which was included in Jeff’s last post on pass phrases: http://www.codinghorror.com/blog/archives/000360.html

The length of the pass phrase is irrelevant!

The relevant thing is the length of the stored, hashed value, or the password/phrase, whichever is shorter. If the stored value is only 8 long, then a lot of info has been thrown out, and there are a lot fewer combinations that need to be tried to make it work.

Take the improvements from using GPU, and use them to more quickly build rainbow tables.

Are we to the point where the salt can be overcome by speeding up the build of the rainbow tables to custom build for each salt?
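An added illustration of the salt question above (not code from the original post or from Jeff’s article): a precomputed lookup over a constructed wordlist, simplified from a rainbow table to a plain digest-to-plaintext dictionary, showing that a table built for one user’s salt does not hit another user’s hash of the same password, so the precomputation has to be repeated once per distinct salt. The wordlist, user names and salts are constructed, and SHA-256 stands in for whatever hash the site actually uses.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed demo wordlist; a real precomputed table would cover millions of candidates.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "hunter2"]


def hash_unsalted(pw: str) -> str:
    """Site stores a plain hash: every user with this password has the same digest."""
    return hashlib.sha256(pw.encode()).hexdigest()


def hash_salted(pw: str, salt: bytes) -> str:
    """Site stores hash(salt || pw): same password, different salt, different digest."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_table(salt: Optional[bytes] = None) -> Dict[str, str]:
    """Precompute digest -> plaintext for the wordlist. A rainbow table is a
    compressed form of this idea; either way one table is bound to one salt."""
    if salt is None:
        return {hash_unsalted(w): w for w in WORDLIST}
    return {hash_salted(w, salt): w for w in WORDLIST}


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """O(1) dictionary hit instead of hashing every candidate again."""
    return table.get(stored_hash)


def tables_needed(records: List[Tuple[str, bytes]]) -> int:
    """Tables an attacker must build to cover every stored (hash, salt) record:
    one per distinct salt, so with a unique random salt per user it equals the user count."""
    return len({salt for _, salt in records})


def demo() -> dict:
    """Three constructed users, two sharing 'letmein', stored unsalted and then salted."""
    users = {"alice": "letmein", "bob": "letmein", "carol": "dragon"}
    unsalted_hits = sum(lookup(build_table(), hash_unsalted(pw)) is not None
                        for pw in users.values())
    salts = {u: os.urandom(16) for u in users}           # constructed per-user salts
    records = [(hash_salted(pw, salts[u]), salts[u]) for u, pw in users.items()]
    alice_table = build_table(salts["alice"])             # precomputed for alice's salt only
    bob_hash = hash_salted(users["bob"], salts["bob"])
    return {
        "unsalted_cracked": unsalted_hits,                       # 3: one table covers everyone
        "alice_table_hits_bob": lookup(alice_table, bob_hash),   # None despite the same password
        "tables_needed_salted": tables_needed(records),          # 3: one table per user
    }
```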

A great read, and should be given to every person that has a website by default!