Some systems will lock you out after a small number of consecutive failed 
authentication attempts.  Three?  Five?  Ten?

It would also seem possible to write code that requires the system to wait, say, 
five seconds before another attempt at a correct password may be made, thus 
making a dictionary attack impossibly long.

I don't think requiring frequent change of password is worth much.

Sooner or later everyone will have a CAC card, or at least banks will issue 
them for on-line banking.

Fred Holmes

At 09:51 AM 12/29/2007, Tom Piwowar wrote:
>Passwords have to be stored on the computer or network so the OS can 
>verify what is typed in. The secure way to do this is to never store an 
>actual password, but instead a hashed version. So when a password is 
>typed it is hashed by the computer and compared to the stored version. 
>This way there is never a copy of the password that a hacker may find. 
>The hashing programs work only in one direction, so a hashed password 
>can't be unhashed.
>
>This can be defeated by a dictionary attack. Every possible combination 
>of characters is hashed and the password-hash pair stored. Then the 
>hacker only has to retrieve the hashed password and look up the real 
>password in the dictionary. This was once hard to do because it took so 
>long to create the dictionary. But today such a dictionary only has to be 
>created once and lookups can easily be made via the Web, often simply 
>Googled.
>
>So isn't all the fuss to force us to make up long, complicated passwords 
>and change them frequently, just a silly waste of time? What they call 
>"security theater."
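
The lockout and fixed wait described in the reply above, as an added example that is not code from either poster. The threshold of five failures, the per-user salt, PBKDF2 and all names are this example's assumptions; the five-second delay is the figure from the message.

```python
import hashlib
import hmac
import os
import time

DELAY_SECONDS = 5.0  # wait between attempts, as suggested in the message
MAX_FAILURES = 5     # assumed lockout threshold (the message asks: 3? 5? 10?)


def hash_password(password, salt):
    # Only a salted, slow hash is stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ThrottledLogin:
    def __init__(self, clock=time.monotonic):
        self.clock = clock   # injectable so the delay can be tested
        self.accounts = {}   # user -> salt, digest, failure count, next allowed time

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "digest": hash_password(password, salt),
                               "failures": 0, "next_ok": 0.0}

    def attempt(self, user, password):
        """Return 'ok', 'bad', 'wait' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "bad"
        if acct["failures"] >= MAX_FAILURES:
            return "locked"   # consecutive failures hit the limit
        now = self.clock()
        if now < acct["next_ok"]:
            return "wait"     # too soon: the guess is not even checked
        acct["next_ok"] = now + DELAY_SECONDS
        candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["digest"]):
            acct["failures"] = 0   # a success resets the consecutive count
            return "ok"
        acct["failures"] += 1
        return "bad"


def days_to_try(wordlist_size, delay=DELAY_SECONDS):
    # Wall-clock days to submit every guess against one account at one per delay.
    return wordlist_size * delay / 86400
```

This limits guessing through the login prompt only; it does nothing once the stored hashes themselves have been copied.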

