[unisog] Password policies

Robert Kerr r.kerr at cranfield.ac.uk
Thu Apr 20 08:37:03 GMT 2006

On Wed, 2006-04-19 at 14:10 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Wed, 19 Apr 2006 10:42:46 PDT, Saqib Ali said:

> > Offcourse. It depends on how long it takes to crack / guess a
> > password. If a hyrid-brute-force attack takes 3 months to crack a
> > password, then having a password lifetime of 3 decade would be pretty
> > foolish.

> > The password expiration should be set to a time period that is LESS
> > then the amount of time  required to brute-force a password.

> If you have *any* sort of sane "max logon attempts/minute" rate restriction,
> this shouldn't be a concern.  Remember that to brute force a password, the
> attacker needs an oracle that will tell them if a given guess is correct or not.

Even if you don't have any restrictions at all I'd hope all the failed
logins created by a brute force would get noticed way before the 3 month
mark. If you're truely in a situation where someone can generate
hundreds of failed logins per second for months on end with nobody doing
anything to investigate and mitigate it you probably have bigger
problems than your password policy.

 Robert Kerr

More information about the unisog mailing list