[LINK] Guidance re Passwords
Gordon Keith
gordonkeith at acslink.net.au
Wed Jul 27 12:12:30 AEST 2011
On Wed, 27 Jul 2011 10:42:45 AM Birch, Jim wrote:
> but really brute force should be history. Any serious
> password protected system should lock before all the dumb password set
> has been tried, let alone any brute force list.
Depends on whether they are brute-forcing the password or the account.
If an attacker chooses a weak password and tries it against thousands of
accounts, they are likely to get a hit before long with low probability of
triggering a password protection system (assuming they are going via a popular
proxy).
For example, one of the big four banks has a password restriction of 6-character
uppercase alphanumeric, and numeric account numbers.
While I suspect it would lock out an account very quickly if you tried brute-forcing
the password, I'm less convinced it would successfully lock out an
attempt to use a collection of simple passwords against the range of valid
account numbers.
Regards,
Gordon
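The distinction Gordon draws above, between many guesses against one account (which a per-account lockout catches) and one guess against many accounts (which it does not), is easy to see in detection logic. The following is an added example, not code from the original post or from any bank's systems: it parses a constructed, hypothetical authentication log format, applies a conventional per-account lockout rule, and beside it runs a per-source detector that flags a source trying few passwords against many distinct accounts. The log format, account numbers, IP addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; not from the original post or any real system).
# Source 198.51.100.7 hammers one account; source 203.0.113.5 tries one password
# against twelve different accounts; 192.0.2.9 is an ordinary user with one typo.
BRUTE_FORCE_LINES = [
    f"2011-07-27T10:00:{3 * i:02d} auth FAILED user=ACC100001 src=198.51.100.7"
    for i in range(6)
]
SPRAY_LINES = [
    f"2011-07-27T10:01:{5 * i:02d} auth FAILED user=ACC2000{i + 1:02d} src=203.0.113.5"
    for i in range(12)
]
BENIGN_LINES = [
    "2011-07-27T10:05:00 auth OK user=ACC300005 src=192.0.2.9",
    "2011-07-27T10:06:00 auth FAILED user=ACC300005 src=192.0.2.9",
    "# a malformed line that the parser must skip rather than crash on",
]
SAMPLE_LOG = "\n".join(BRUTE_FORCE_LINES + SPRAY_LINES + BENIGN_LINES)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn the hypothetical log format into event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def per_account_lockouts(events, max_failures=5, window=timedelta(minutes=15)):
    """Classic rule: lock an account after max_failures failures within window.

    Returns the set of accounts that would be locked. Note it never looks at the
    source address, so one guess per account never trips it.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            failures[e["user"]].append(e["ts"])
    locked = set()
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - max_failures + 1):
            if times[i + max_failures - 1] - times[i] <= window:
                locked.add(user)
                break
    return locked


def detect_spray(events, min_accounts=10, max_per_account=3, window=timedelta(minutes=30)):
    """Per-source sliding window: flag a source whose failures touch at least
    min_accounts distinct accounts while staying at or under max_per_account
    failures for every one of them (i.e. below the lockout threshold).

    Returns {src: {"accounts": n, "max_per_account": m}} for flagged sources.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_src[e["src"]].append((e["ts"], e["user"]))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        counts = defaultdict(int)  # account -> failures inside the current window
        lo = 0
        for ts, user in fails:
            counts[user] += 1
            # Drop events that have fallen out of the window.
            while ts - fails[lo][0] > window:
                old_user = fails[lo][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                lo += 1
            worst = max(counts.values())
            if len(counts) >= min_accounts and worst <= max_per_account:
                alerts[src] = {"accounts": len(counts), "max_per_account": worst}
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked accounts:", per_account_lockouts(evs))
    print("spray sources:  ", detect_spray(evs))
```

Run as written, the lockout rule locks only ACC100001 (the account that was guessed six times), while the twelve accounts each guessed once stay open; the per-source detector is what surfaces 203.0.113.5. The sliding window is the part worth keeping in a real deployment: a spray spread over hours still accumulates distinct accounts per source, whereas a single-burst check would miss it.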