Slashdot Mirror


Calculating Password Policy Strength Vs. Cracking

snydeq writes "InfoWorld's Roger Grimes offers a spreadsheet-based calculator in which you can key in your current password policy and see how your organization's passwords might hold up against the number of guesses an attacker can make in a given minute. The calculator includes results for four different password entropy models, and is based on length, character set, maximum age, whether complexity is enabled, and the number of guesses per minute an attacker can attempt. As an example, Grimes assumes an eight-character password, with complexity enabled, a 94-symbol character set, and 90 days between password changes. Such a policy, typical for many organizations, would require attackers to make only 65 guesses per minute to break — not at all hard to accomplish, Grimes writes."
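
The submission describes the calculator's inputs (length, character set, maximum age, complexity, attacker guess rate) but not the four entropy models, and the numbers only work out under a particular model: 94^8 possibilities brute-forced in 90 days would need tens of billions of guesses per minute, not 65. The following is an added example, not Grimes's spreadsheet or any code from the article. It implements two models as assumptions: a full-keyspace brute-force model, and the NIST SP 800-63 Appendix A heuristic for user-chosen passwords, which is included because it reproduces the 65 guesses/min figure (24 bits for an 8-character complex password, half the space searched on average, over 90 days of minutes).

```python
"""Password-policy calculator (an added example, not Grimes's spreadsheet).

Inputs mirror the policy fields the summary lists: length, character-set size,
maximum password age in days, and whether complexity is enforced.  Output is
the guess rate (guesses per minute) an attacker needs so that, on average, the
password falls before it is rotated.

Two entropy models are implemented.  The page does not name Grimes's four
models, so both are assumptions:
  * "keyspace": every string over the character set is equally likely, i.e.
    a true brute force of length * log2(charset) bits.
  * "nist": the NIST SP 800-63 Appendix A heuristic for user-chosen
    passwords (4 bits for the first character, 2 bits each for characters
    2-8, 1.5 for 9-20, 1 thereafter, plus 6 bits for composition rules).
    It is included because it reproduces the article's ~65 guesses/min.
"""
import math

MINUTES_PER_DAY = 24 * 60


def keyspace_bits(length: int, charset: int) -> float:
    """Entropy if every combination over the character set is equally likely."""
    return length * math.log2(charset)


def nist_bits(length: int, complexity: bool) -> float:
    """NIST SP 800-63 Appendix A estimate for a user-chosen password."""
    bits = 0.0
    for pos in range(1, length + 1):
        if pos == 1:
            bits += 4.0
        elif pos <= 8:
            bits += 2.0
        elif pos <= 20:
            bits += 1.5
        else:
            bits += 1.0
    if complexity:
        bits += 6.0
    return bits


def guesses_per_minute(bits: float, max_age_days: int) -> float:
    """Rate needed to search half the space (the expected work) within max_age."""
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses / (max_age_days * MINUTES_PER_DAY)


def evaluate_policy(length: int, charset: int, max_age_days: int,
                    complexity: bool) -> dict:
    """Required attacker guess rate under each model for one policy."""
    return {
        "keyspace": guesses_per_minute(keyspace_bits(length, charset), max_age_days),
        "nist": guesses_per_minute(nist_bits(length, complexity), max_age_days),
    }


def max_age_for_rate(bits: float, attacker_rate_per_minute: float) -> float:
    """Longest max-age (days) that keeps the expected crack beyond rotation."""
    minutes = 2.0 ** (bits - 1) / attacker_rate_per_minute
    return minutes / MINUTES_PER_DAY


if __name__ == "__main__":
    policies = [
        ("8 chars, 94 symbols, complexity, 90 days", (8, 94, 90, True)),
        ("12 chars, 94 symbols, complexity, 90 days", (12, 94, 90, True)),
        ("8 chars, 26 symbols, no complexity, 365 days", (8, 26, 365, False)),
    ]
    for label, args in policies:
        rates = evaluate_policy(*args)
        print(f"{label}: keyspace {rates['keyspace']:.3g}/min, "
              f"nist {rates['nist']:.3g}/min")
    # If lockouts hold an online attacker to about 1 guess/min, how long can
    # an 8-character complex password live under the NIST estimate?
    print(f"NIST 24-bit password vs 1 guess/min: rotate every "
          f"{max_age_for_rate(nist_bits(8, True), 1.0):.0f} days")
```

The spread between the two models for the same policy (roughly 2e10 versus 65 guesses per minute) is the point to take away: the calculator's answer is only as good as the entropy model behind it, and user-chosen passwords are far closer to the NIST estimate than to the full keyspace.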

3 of 231 comments

  1. Of course, it's not that simple... by Shados · Score: 4, Informative

    Some systems will intentionally "lag" you on a failed password attempt, or wait some time before the next guess. So you can't even MAKE 64 guesses a minute.

    Others will lock you out after 3-5 attempts.

    Kind of stops this flat, hmm?

  2. Re:Is this a problem? by MoonBuggy · Score: 4, Informative

    Which is still solved by a quick look at the logs. Any account with multiple login attempts from multiple IP addresses in rapid succession should be a huge red flag. Even without human review it's trivial to make the block on the account, not on the party that's trying to log in.

    The real problem is striking a balance between complexity and usability. You don't need a botnet if you can grab the passwords using any number of social engineering techniques, many of which are made much easier when people are pushed into habits like writing their login details on post-it notes.
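
As an added example of the log check MoonBuggy describes (this is not code from the thread or the article), the script below runs two detections over a handful of constructed authentication log lines: a per-source-IP failure counter, which a botnet evades by spreading guesses across addresses, and a per-account count of distinct source IPs inside a sliding window, which is what catches one account being guessed from many places. The log line layout is an assumption made for the example.

```python
"""Flag accounts being guessed from many source addresses (added example).

The log lines are constructed for this example; the line format
(timestamp, result, user=..., ip=...) is an assumption, not any product's.
Two detections are compared: a per-source-IP failure counter, which a
distributed attacker evades by spreading guesses across addresses, and a
per-account counter of distinct source IPs inside a sliding window.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2011-03-01T10:00:01 FAIL user=alice ip=203.0.113.5
2011-03-01T10:00:03 FAIL user=alice ip=198.51.100.7
2011-03-01T10:00:04 FAIL user=bob   ip=203.0.113.5
2011-03-01T10:00:06 FAIL user=alice ip=192.0.2.9
2011-03-01T10:00:09 FAIL user=alice ip=203.0.113.44
2011-03-01T10:00:15 OK   user=bob   ip=203.0.113.5
2011-03-01T10:05:00 FAIL user=carol ip=192.0.2.9
2011-03-01T10:09:00 FAIL user=carol ip=192.0.2.9
"""


def parse(text):
    """Yield (timestamp, succeeded, user, ip) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip anything that does not match the assumed layout
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[2:])
        yield ts, parts[1] == "OK", fields["user"], fields["ip"]


def ips_to_block(text, threshold=5):
    """Per-source blocking: IPs with at least `threshold` failures."""
    fails = Counter(ip for _, ok, _, ip in parse(text) if not ok)
    return {ip for ip, n in fails.items() if n >= threshold}


def accounts_under_attack(text, window=timedelta(seconds=60), min_ips=3):
    """Per-account detection: users with failures from >= min_ips distinct
    IPs inside any `window`; returns {user: set(ips)}."""
    recent = defaultdict(deque)   # user -> (ts, ip) failures inside window
    flagged = {}
    for ts, ok, user, ip in parse(text):
        if ok:
            continue
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        ips = {src for _, src in q}
        if len(ips) >= min_ips:
            flagged.setdefault(user, set()).update(ips)
    return flagged


if __name__ == "__main__":
    print("per-IP blocks:", ips_to_block(SAMPLE_LOG))
    print("accounts to lock / alert on:", accounts_under_attack(SAMPLE_LOG))
```

On the sample data no single IP reaches the per-IP threshold, so an IP-based block never fires, while the account-based check flags alice after four failures from four addresses in eight seconds. The trade-off from the thread still applies: acting on the account (lock or step-up) is what an attacker can turn into a denial of service against that user.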

  3. The same thing that happens with everything else. by khasim · Score: 4, Informative

    First off, there should NOT be any indication whether the username was valid or not. It's as simple as that.

    Secondly, the issue really comes down to whether a DoS attack is better/worse than a compromised account.

    I'm on the side that believes compromised accounts are WAY worse than a DoS attack.
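
khasim's first point, that the login response must not reveal whether the username exists, is easy to get wrong in two ways: a different error message, and a different amount of work (and therefore response time) when the user lookup fails. The added example below (not code from the thread) shows a leaky handler beside one that returns the same message and does the same password hashing whether or not the account exists. The user table, password and PBKDF2 parameters are constructed for the example.

```python
"""Login check whose response does not reveal whether the username exists
(added example).  The user table and hashing parameters are constructed
for the example; the leaky handler is shown beside the uniform one.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # PBKDF2 rounds; illustrative, tune for your hardware


def make_record(password: str) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 record for one user."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


USERS = {"alice": make_record("correct horse battery staple")}  # constructed

# A throwaway record hashed against when the username is unknown, so the
# request does the same amount of work either way (no timing tell).
DUMMY_RECORD = make_record(os.urandom(32).hex())


def login_leaky(username: str, password: str) -> str:
    """Distinct messages (and an early return) let an attacker enumerate
    valid usernames."""
    rec = USERS.get(username)
    if rec is None:
        return "unknown user"
    salt, digest = rec
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "ok" if hmac.compare_digest(cand, digest) else "wrong password"


def login_uniform(username: str, password: str) -> str:
    """Same message and same hashing work whether or not the user exists."""
    salt, digest = USERS.get(username, DUMMY_RECORD)
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    matched = hmac.compare_digest(cand, digest)
    # The membership check guards against a (practically impossible) match
    # on the dummy record ever being treated as a successful login.
    if matched and username in USERS:
        return "ok"
    return "invalid username or password"


if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        print(handler.__name__, "|", handler("alice", "wrong"),
              "|", handler("mallory", "wrong"))
```

The same rule has to hold for every path that touches the user table (password reset, registration, account lockout messages), or the enumeration simply moves to whichever one still answers differently.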