On 2/13/2007 1:49 PM, [EMAIL PROTECTED] wrote:
I believe that allowing mixed-case does increase security, as it makes
the number of possible passwords of any given length much greater, and
increases the amount of time needed for brute-force password guessing.

How can you do a brute-force password guess when you have a max of 3
password attempts before the ID is revoked?

Or are you saying that mixed-case increases security in those rare
shops that haven't implemented revoking IDs on wrong passwords?



Revocation based on number of invalid attempts should (for the most part) prevent attacks from people actually trying to login. It does not stop attacks from people who have acquired a copy of your database, and can thus see the encrypted data in the password fields.

Given the encrypted authentication data, and the user ID, the brute force attack would involve examining all possible passwords until you find one that generates that same encrypted data.

With mixed-case that brute force process needs to cover more possible passwords, and thus will take longer, on average. You have a possible password space (for 8-character passwords) of 65**8 rather than 39**8.

        Walt Farrell, CISSP
        z/OS Security Design, IBM

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
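The two attack models in Walt's reply, worked through in code. This is an added example, not part of the original thread or any IBM product: the 39-character (A-Z, 0-9, @ # $) and 65-character mixed-case sets are taken from his message, but the stored "encrypted" password field is modelled with an assumed stand-in one-way function (salted SHA-256), not the actual z/OS algorithm, and the sample password and salt are constructed.

```python
"""Offline vs. online password guessing, per the thread.

Added example. Assumptions: the 39/65-character sets from the message; the
stored password field is modelled as salted SHA-256 (a stand-in, NOT the real
RACF/z/OS algorithm); the sample password and salt below are constructed.
"""
import hashlib
import itertools
import string

# Character sets from the message: 39 without mixed case, 65 with it.
UPPER_ONLY = string.ascii_uppercase + string.digits + "@#$"
MIXED_CASE = UPPER_ONLY + string.ascii_lowercase
assert len(UPPER_ONLY) == 39 and len(MIXED_CASE) == 65


def keyspace(charset: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` over `charset`."""
    return len(charset) ** length


def expected_offline_guesses(charset: str, length: int) -> int:
    """Average guesses to hit a uniformly random password: half the keyspace."""
    return keyspace(charset, length) // 2


def lockout_success_probability(charset: str, length: int, attempts: int = 3) -> float:
    """Chance an online attacker guesses a uniformly random password before the
    ID is revoked after `attempts` wrong passwords (the 3-strikes case above)."""
    return attempts / keyspace(charset, length)


def store(password: str, salt: bytes) -> bytes:
    """Stand-in for the stored password field (assumed: salted SHA-256)."""
    return hashlib.sha256(salt + password.encode()).digest()


def brute_force(stored: bytes, salt: bytes, charset: str, length: int):
    """Offline attack with a stolen copy of the database: enumerate every
    candidate of the given length and stop when one reproduces the stored
    value. Returns (password, guesses_made) or (None, keyspace) if the
    password is not in this charset (e.g. a lowercase letter when the
    attacker only searches upper-case)."""
    guesses = 0
    for candidate in itertools.product(charset, repeat=length):
        guesses += 1
        pw = "".join(candidate)
        if store(pw, salt) == stored:
            return pw, guesses
    return None, guesses


if __name__ == "__main__":
    for name, cs in (("upper-only", UPPER_ONLY), ("mixed-case", MIXED_CASE)):
        print(f"{name}: 8-char keyspace = {keyspace(cs, 8):,}, "
              f"avg offline guesses = {expected_offline_guesses(cs, 8):,}, "
              f"online success within 3 tries = {lockout_success_probability(cs, 8):.2e}")
    # Constructed 3-character example so the offline search finishes quickly.
    salt = b"constructed-salt"
    stored = store("Q7$", salt)
    print("upper-only search:", brute_force(stored, salt, UPPER_ONLY, 3))
    print("mixed-case search:", brute_force(stored, salt, MIXED_CASE, 3))
```

The online-lockout figure is tiny for either charset, which is the first poster's point; the offline figures differ by a factor of (65/39)**8, which is Walt's. The last two calls show the same password costing more guesses once the attacker must also enumerate lowercase letters, and a lowercase password is simply not found by an upper-case-only search.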