In reality, preventing the brute force of passwords shouldn't be handled by using password complexity and length. A simple account lockout after multiple failed attempts or forcing users to have to wait five seconds between attempts would prevent a brute force attack no matter how fast a GPU is.
@murraj2 The five seconds would annoy me less than the lockout, coming in on a Tuesday after a long weekend and blearily typing in the wrong password 3 times before remembering you were made to change it on a Friday gets old pretty fast.
@murraj2
Brute force attacks on passwords are usually performed by someone who has gained access to a hashed password file via some other exploit. The hacker attempts to detect the passwords in the hashed file by applying the hash algorithm repeatedly against various candidate passwords until a match with one of the values from the file is found. Typically there is no need for the hacker to make multiple attempts at authenticating against the actual server that is being attacked (since the hacker runs the hashing algorithm on his/her own hardware). Therefore, password lockouts do not really prevent this type of attack.
@murraj2
I figured it was for making rainbow tables or collisions after they got your hash, not for trying to login to facebook 10 trillion times.
@d0mth0ma5 Yeah, but password lockouts are the best solution. Maybe 5 times, maybe six times. Any sensible webservice (check Gmail, Google Docs, etc) will have a password lockout. Also, if it catches an IP going at a brute force technique, it'll probably block that IP.
@d0mth0ma5
So make it 5 seconds after 10 wrong attempts or even 100 wrong attempts. Or just make it 1 second per attempt. Either way you'll prevent a brute force of your password.
Besides, relying on a single factor of authentication is dead at this point. Much easier to get a trojan on your machine, at which point a 1024 character password that's full of upper case, lower case, letters, symbols and numbers is worthless.
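An added example (not code from Engadget or any commenter) of the throttle this comment proposes: after 10 wrong attempts on an account, each further online attempt must come at least 5 seconds after the last one. `LoginThrottle`, `make_store` and the credential values are hypothetical; the clock is passed in so the logic runs without sleeping.

```python
import hashlib
import hmac
import os

FREE_ATTEMPTS = 10   # "10 wrong attempts" before the throttle kicks in
DELAY = 5.0          # "5 seconds" between attempts afterwards
SECONDS_PER_DAY = 86_400


def make_store(credentials: dict) -> dict:
    """Constructed credential store: account -> (salt, PBKDF2 digest)."""
    store = {}
    for account, password in credentials.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        store[account] = (salt, digest)
    return store


class LoginThrottle:
    """Per-account throttle for *online* login attempts (hypothetical)."""

    def __init__(self):
        self.failures = {}  # account -> (failure_count, time_of_last_failure)

    def attempt(self, store: dict, account: str, password: str, now: float) -> str:
        """Return 'throttled', 'bad' or 'ok' for one login attempt at time `now`."""
        count, last = self.failures.get(account, (0, None))
        if count >= FREE_ATTEMPTS and now - last < DELAY:
            # Refused before the password is even checked; a refused attempt
            # neither counts as a failure nor resets the timer.
            return "throttled"
        # Unknown accounts still pay for a hash so timing does not reveal them.
        salt, expected = store.get(account, (b"", b""))
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if account in store and hmac.compare_digest(digest, expected):
            self.failures.pop(account, None)   # success clears the counter
            return "ok"
        self.failures[account] = (count + 1, now)
        return "bad"


def max_guesses_per_day() -> float:
    """Upper bound on online guesses per account per day, whatever the attacker's GPU."""
    return FREE_ATTEMPTS + SECONDS_PER_DAY / DELAY
```

As the reply above notes, none of this runs when an attacker already holds the hash file and tests candidates on their own hardware; only the cost of the hash itself (here PBKDF2 with 100,000 iterations) slows that case.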
@murraj2
Yeah, I can't think of a single online service that's going to let a user try guessing a password 5 times, much less thousands.
What does this actually apply to? Situations where someone has physical access?
@murraj2 True, the only escape is to be boring and poor.
@engadgethead WEP, WPA passwords. I've never seen a wireless network with a lockout mechanism. WPA doesn't even need to be actively pinged on. Just hang out until you capture someone logging in, then go home and crack at your leisure.