  Re: Password difficulty  
From: Jim Henderson
Date: 11 Aug 2011 15:36:21
Message: <4e442f35@news.povray.org>
On Thu, 11 Aug 2011 19:27:17 +0100, Orchid XP v8 wrote:

> On 11/08/2011 07:17 PM, Jim Henderson wrote:
>> On Thu, 11 Aug 2011 09:09:01 +0100, Invisible wrote:
>>
>>> Personally, I think the most /realistic/ way to gauge password
>>> strength is to see how long it takes real, commonly-available password
>>> crackers to break your password. After all, /that/ is what most
>>> unsophisticated attackers are going to use against you.
>>
>> Arguably that's the most accurate way, but not the most realistic way.
>> It wouldn't be realistic to run a prospective password through each one
>> of those tools when setting the password.
> 
> You don't think so?
> 
> I think that if you type a password and a cracker can guess it in under
> 30 seconds, you should definitely pick a different password. But maybe
> that's just me...

You said "password crackers" (plural).  You might have noticed, but users 
aren't exactly patient about things.  If it takes all these tools 20 
minutes to decide the password is secure enough, they'll be complaining 
to you that their system hung when they changed their password.

>> In addition, if you've got rainbow tables-based cracking, as long as
>> the tables extend to the length of the password (and take into account
>> the appropriate factors for the password algorithm, naturally), then
>> the cracking time is linear no matter what the complexity of the
>> password is - which would be both unrealistic and inaccurate as a
>> measure, because the hashes are precomputed.
> 
> On the other hand, salting the password trivially defeats rainbow
> tables.

Sure, but how many password systems don't use a salt value?

Jim
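
The two points traded in this message, lookup cost that ignores password complexity and a salt that makes the precomputed table useless, shown as an added example that is not part of the original post. The dictionary is a simplified stand-in for a rainbow table (real ones store hash chains); SHA-256, PBKDF2, the function names and the candidate list are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: passwords assumed to be covered by a precomputed table.
CANDIDATES = ["password", "letmein", "Tr0ub4dor&3", "correct horse battery staple"]


def unsalted_hash(password: str) -> str:
    """Unsalted, single-round hash: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(candidates):
    """Precompute digest -> password once (simplified stand-in for a rainbow table)."""
    return {unsalted_hash(p): p for p in candidates}


def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def verify(password: str, salt: bytes, stored: str) -> bool:
    """Legitimate login check: recompute with the stored salt, constant-time compare."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def lookup(table, stored_digest):
    """A single dictionary probe; its cost does not depend on password complexity."""
    return table.get(stored_digest)


def demo():
    table = build_table(CANDIDATES)
    results = {}
    for pw in ("letmein", "correct horse battery staple"):
        salt = os.urandom(16)  # stored next to the hash, unique per account
        stored = salted_hash(pw, salt)
        results[pw] = {
            "unsalted_found": lookup(table, unsalted_hash(pw)),
            "salted_found": lookup(table, stored),
            "login_ok": verify(pw, salt, stored),
        }
    return results


if __name__ == "__main__":
    for pw, outcome in demo().items():
        print(pw, outcome)
```

Both the short and the long password fall to the same single lookup when stored unsalted, and neither is found once a per-account salt is mixed in, while the normal login check still succeeds.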

