[Sussex] Password totals

Geoff Teale gteale at cmedltd.com
Thu Mar 11 14:19:47 UTC 2004


On Thu, 2004-03-11 at 14:00 +0000, Gareth Ablett wrote:
> Damn, and I was going to write a quick script to show how it would be
> done. I still could, and might; I could do it in C as well, maybe.

It's faster still to use a previously generated list that's been sorted
for commonly used combinations.  Usually though the speed limiting
factor is defined by an arbitrary pause in the system requesting the
password following a failed attempt.  Better still some systems lock
down an account after a set number of failed attempts.

In short - passwords are weak security, but automated attacks are rare -
it's far more likely that users pick an obvious password or give it away
to anyone who says that they're a sys-admin.  For this reason the
theoretical multiplier of obscurity (i.e. the number of combinations) is
hardly ever a factor in whether a system is cracked or not.

-- 
Geoff Teale
Cmed Technology     /   Free Software Foundation
gteale at cmedltd.com  /   tealeg at member.fsf.org

Please avoid sending me Word, Excel or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
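
The two limits described in the message above (a pause after each failed attempt, and a lockout after a set number of failures), as an added example that is not part of the original post. The class and function names, the 3-second pause, the 5-failure limit and the sample account are assumptions chosen for illustration.

```python
import hmac

# Constructed sample account store; a real system would compare password hashes.
ACCOUNTS = {"alice": "correct horse"}
WRONG_GUESSES = ["guess%02d" % n for n in range(20)]  # constructed wrong guesses

def check(user, password):
    stored = ACCOUNTS.get(user)
    return stored is not None and hmac.compare_digest(stored, password)

class LoginThrottle:
    """Pause after every failed attempt; lock the account after max_failures."""

    def __init__(self, check_password, pause_s=3.0, max_failures=5):
        self.check_password = check_password
        self.pause_s = pause_s
        self.max_failures = max_failures
        self.failures = {}      # user -> consecutive failed attempts
        self.next_allowed = {}  # user -> earliest time the next attempt is checked

    def attempt(self, user, password, now):
        """Return 'ok', 'denied', 'throttled' or 'locked'; now is in seconds."""
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"      # stays locked until reset() is called
        if now < self.next_allowed.get(user, 0.0):
            return "throttled"   # inside the pause: the password is not even checked
        if self.check_password(user, password):
            self.reset(user)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.next_allowed[user] = now + self.pause_s
        return "denied"

    def reset(self, user):
        self.failures.pop(user, None)
        self.next_allowed.pop(user, None)

def simulate(throttle, user, guesses, interval_s):
    """Submit one guess every interval_s seconds and tally the outcomes."""
    tally = {}
    for i, guess in enumerate(guesses):
        outcome = throttle.attempt(user, guess, now=i * interval_s)
        tally[outcome] = tally.get(outcome, 0) + 1
    return tally

def days_to_exhaust(combinations, pause_s):
    """Worst-case days to try every combination when each failure costs pause_s."""
    return combinations * pause_s / 86400
```

With the defaults, `simulate(LoginThrottle(check), "alice", WRONG_GUESSES, 1.0)` shows only five guesses actually being checked before the account locks, regardless of how many combinations exist; `days_to_exhaust(26 ** 6, 3.0)` gives the pause-only figure for six lowercase letters.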
