Comments on: open letter to MS and sysadmins re: passwords http://www.chrisdiclerico.com/2007/04/02/open-letter-to-ms-and-sysadmins-re-passwords/ like a punch in the knows. Tue, 01 Jun 2010 16:14:58 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Tim Howland http://www.chrisdiclerico.com/2007/04/02/open-letter-to-ms-and-sysadmins-re-passwords/comment-page-1/#comment-98710 Tim Howland Thu, 05 Apr 2007 20:24:53 +0000 http://www.chrisdiclerico.com/2007/04/02/open-letter-to-ms-and-sysadmins-re-passwords/#comment-98710 The latest wrinkle in attacking passwords is rainbow tables- it doesn't matter how complicated your password is if it's too short, because they've precalculated all of the possible combinations ahead of time. Current tables cover all of the possible 5 character combinations and most of the 6 character permutations. While it's expensive and time consuming to generate a dictionary, Moore's law means it gets half as expensive and time consuming every 18 months- and the dictionary maker only has to calculate it once. Changing your password frequently is absolutely no defense against this (or any other) attack unless you have a scheme like secureID which changes your password every second. The only real defense is a long password; an 18 character plain english sentence is far more secure these days than a five character string of perl line noise. The latest wrinkle in attacking passwords is rainbow tables- it doesn’t matter how complicated your password is if it’s too short, because they’ve precalculated all of the possible combinations ahead of time. Current tables cover all of the possible 5 character combinations and most of the 6 character permutations. While it’s expensive and time consuming to generate a dictionary, Moore’s law means it gets half as expensive and time consuming every 18 months- and the dictionary maker only has to calculate it once.

Changing your password frequently is absolutely no defense against this (or any other) attack unless you have a scheme like secureID which changes your password every second.

The only real defense is a long password; an 18 character plain english sentence is far more secure these days than a five character string of perl line noise.

]]> By: Your password will expire in 14 days at alexwrege.com http://www.chrisdiclerico.com/2007/04/02/open-letter-to-ms-and-sysadmins-re-passwords/comment-page-1/#comment-98362 Your password will expire in 14 days at alexwrege.com Wed, 04 Apr 2007 01:54:36 +0000 http://www.chrisdiclerico.com/2007/04/02/open-letter-to-ms-and-sysadmins-re-passwords/#comment-98362 [...] The other day, Revathy and I were talking about her persistent issues with her computer and password authentication and then today I stumbled upon Chris’s entry on his blog. (Chris is in IT.) [...] [...] The other day, Revathy and I were talking about her persistent issues with her computer and password authentication and then today I stumbled upon Chris’s entry on his blog. (Chris is in IT.) [...]

]]>