On Sunday, April 17, 2011 10:47:02 PM Joshua Lutes wrote:
> I have thought it ridiculous that banks force such weak passwords on me
> but now I wonder, given the discussion and the reading, if it might not
> be by design. You can only enter in the wrong password four or five
> times before you get locked out of your account, so brute force is
> definitely not going to gain anyone access to your account. By keeping
> the passwords brief and alphanumeric they make them much easier to
> remember and much less likely to be written down and taken in a theft.
> Is that giving them too much credit? Anyway, they should totally adopt
> that as their explanation for why the passwords seem to be so insecure
> but in actual fact aren't.
Any limits like that are wrong no matter the justification. I can still crack a system with automatic lock-out if I give myself enough time between tries. Which means, I try other accounts. If I hone into one account, I'm busted. But, try to track 200 accounts at a time with a distributed system, and it's only a matter of time. Again, create a better security model, and the hackers will create a better cracking algorithm.

--
Alberto Treviño
BYU Testing Center
Brigham Young University
[email protected]

--------------------
BYU Unix Users Group http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
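The point Alberto makes, that a per-account lockout says nothing about guesses spread across many accounts and many sources, is exactly the blind spot a defender has to cover with detection that looks across accounts rather than within one. The following is an added example, not code from this thread or from BYU; it assumes a simple constructed login log format (`timestamp src=IP user=NAME result=OK|FAIL`), a per-account lockout threshold of 5, and a 15-minute analysis window. It shows that in the constructed log no account ever reaches lockout, yet two sources are each visible touching many distinct accounts, and the site-wide count of distinct accounts failing in one window stands out even when attempts are split over several sources.

```python
"""Spot low-and-slow guessing that stays under per-account lockout.

Added example (not from the mailing-list thread). Log format, thresholds
and all sample data are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def _constructed_log():
    """Build a constructed sample log (not real data) as a list of lines."""
    lines = []
    base = datetime(2011, 4, 17, 22, 0, 0)
    accounts = [f"user{n:02d}" for n in range(1, 9)]
    # Two guessing sources each try every account once, 90 s apart, so no
    # single account ever sees more than a couple of failures.
    for i, acct in enumerate(accounts):
        t = base + timedelta(seconds=90 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=203.0.113.5 user={acct} result=FAIL")
        t2 = t + timedelta(seconds=30)
        lines.append(f"{t2:%Y-%m-%dT%H:%M:%SZ} src=198.51.100.7 user={acct} result=FAIL")
    # One legitimate user mistypes once and then succeeds.
    t3 = base + timedelta(minutes=3)
    lines.append(f"{t3:%Y-%m-%dT%H:%M:%SZ} src=192.0.2.10 user=user03 result=FAIL")
    t4 = t3 + timedelta(seconds=15)
    lines.append(f"{t4:%Y-%m-%dT%H:%M:%SZ} src=192.0.2.10 user=user03 result=OK")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_log(lines):
    """Parse log lines into events sorted by time; unrecognised lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "src": m["src"], "user": m["user"],
                       "fail": m["result"] == "FAIL"})
    return sorted(events, key=lambda e: e["ts"])


def accounts_hitting_lockout(events, threshold=5):
    """Accounts whose consecutive failures reach the per-account lockout threshold."""
    streak = defaultdict(int)
    locked = set()
    for e in events:
        if e["fail"]:
            streak[e["user"]] += 1
            if streak[e["user"]] >= threshold:
                locked.add(e["user"])
        else:
            streak[e["user"]] = 0
    return locked


def sources_touching_many_accounts(events, window=timedelta(minutes=15), min_accounts=5):
    """Sources whose failed logins hit at least min_accounts distinct accounts in one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["fail"]:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[src] = users
                break
    return flagged


def busiest_failure_window(events, window=timedelta(minutes=15)):
    """(distinct accounts failing, distinct sources) for the busiest window, ignoring
    which source sent each attempt. This is the signal that remains when the
    guesses are spread over many sources so that no single source looks noisy."""
    fails = [e for e in events if e["fail"]]
    best = (0, 0)
    for i, start in enumerate(fails):
        in_window = [x for x in fails[i:] if x["ts"] - start["ts"] <= window]
        users = len({x["user"] for x in in_window})
        srcs = len({x["src"] for x in in_window})
        if users > best[0]:
            best = (users, srcs)
    return best


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("accounts locked out:", accounts_hitting_lockout(EVENTS) or "none")
    for src, users in sources_touching_many_accounts(EVENTS).items():
        print(f"source {src} failed against {len(users)} accounts")
    print("busiest window (accounts, sources):", busiest_failure_window(EVENTS))
```

The per-source check catches a single guessing host; the site-wide window count is the one that matters against the distributed case in the post, since the baseline to compare it with is how many distinct accounts normally fail in a quiet quarter hour, not how many failures any one account or IP produces.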
