On Mon, Jan 2, 2012 at 8:16 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:
> On Jan 2, 2012, at 9:10 PM, Lyndon Nerenberg wrote:
> OK -- let's let the set of punctuation be .,; and allow seven choices for where it goes. That increases the work factor by 21 -- still not that large a space for someone with a good botnet.
Should an attacker get to the point of being able to mount a brute force attack, with only character class and length requirements, that means they have basically already won the battle for basic user level access --- user passwords do not have cryptographic strength; the chance that some passwords are guessed is so high that you can legitimately treat the probability that no passwords are discovered by an informed attack as 0%.

Assuming you have a policy of account lockout after multiple attempts, the fact that a brute force attack can be mounted indicates the implementation of your account lockout policy failed, or the attacker stole the password hashes. If you have LANMAN hashes enabled or your passwords are hashed with MD5 instead of PBKDF2 with 10000 or more rounds, the attacker has the keys to the kingdom; they are almost certain to guess some passwords very quickly.

Not all passwords are equally likely to be chosen by a human given the task of setting their password. How some luser is going to respond to password complexity: pick a name or standard dictionary word, make the first letter capital, append a single digit or some well known number (such as the current year, a birthdate, anniversary, address, SSN, or other known quantity), and add a period or ! to the end to meet the punctuation mark requirement. Eminently guessable by methods other than brute force.

It doesn't matter that 10 different punctuation marks are actually available to the user --- human chosen passwords have low entropy. You can anticipate that the average human has a higher chance of picking certain punctuation marks than others, based on where they are located on the keyboard and the user's level of familiarity with the punctuation mark. ~ and _ may be valid choices, but the average English speaker is more familiar with ! . , ' ; & + -

-JH
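To illustrate the point about complexity rules versus human templates, here is an added example (not code from anyone in the thread) that shows how a password like Password2012! satisfies a typical class-and-length policy while matching the "capitalised word + known number + trailing punctuation" shape the post describes; the word list, the year range and the function names are assumptions constructed for the demo.

```python
import re
import string

# Constructed stand-in for a real dictionary/wordlist (assumption for the demo).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}
# Punctuation the post says English speakers reach for first; '~' and '_' are not in it.
FAMILIAR_PUNCT = set("!.,';&+-")

# Capitalised word, then up to four digits, then at most one non-word character at the end.
TEMPLATE = re.compile(r"^([A-Z][a-z]+)(\d{0,4})([^\w\s]?)$")


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """The character-class-plus-length rule the thread is discussing."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def predictable_template(pw: str, words=COMMON_WORDS):
    """Describe the human template the password follows, or None if it does not fit.

    Template: capitalised dictionary word + short number (year etc.) + one trailing
    punctuation mark. Useful as an extra check when auditing a password policy.
    """
    m = TEMPLATE.match(pw)
    if not m:
        return None
    word, digits, punct = m.groups()
    if word.lower() not in words:
        return None
    parts = ["capitalised dictionary word"]
    if digits:
        parts.append("year" if 1900 <= int(digits) <= 2099 else "short number")
    if punct:
        parts.append("familiar punctuation" if punct in FAMILIAR_PUNCT else "punctuation")
    return " + ".join(parts)


def template_guess_space(n_words: int, n_numbers: int = 200,
                         n_punct: int = len(FAMILIAR_PUNCT)) -> int:
    """Upper bound on guesses for the template: words x numbers x punctuation marks."""
    return n_words * n_numbers * n_punct


def nominal_guess_space(length: int, alphabet: int = 94) -> int:
    """What the policy nominally claims: every printable ASCII character at every position."""
    return alphabet ** length
```

Running the two checks side by side shows why the nominal 94^13 space for a 13-character password says nothing about a password drawn from a template of a few thousand candidates.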