

Do Strong Web Passwords Accomplish Anything? - mds
http://www.usenix.org/events/hotsec07/tech/full_papers/florencio/florencio.pdf

======
tptacek
A major flaw with this logic: strong user passwords are much harder to crack
from a stolen database, and most users re-use passwords.

~~~
cubicle67
The assumption you're making here is that the passwords are not stored in
plain text :P

------
zepolen
This article is a great example of what the web was made for.

So why PDF‽

~~~
kmavm
The article has been prepared for academic publication, and ironically,
academic computer science has been somewhat on the trailing edge with respect
to preparing documents for the web.

------
metachris
Very interesting paper...

At point 2.2 "bulk guessing of passwords", he says "even a 6 digit PIN yields
at most a 1% probability of success to 10 years of brute-force attack".

I hardly believe that can be true. It's just 1 million (10^6) different
passwords. If a website does not protect the login site with time delays or
otherwise (let's say we can test 5 PINs a second), all passwords can be tried
in 138 days. If it's only 1 PIN per second it will already take 694 days to
test them all.

And of course there is a 50% chance to find it in half the time, and 25% to
find it in the first quarter, etc.

Furthermore, at the end of point 2.2, I read 10 million requests. Why? 10⁶ is
one million, and a 6-digit PIN has 10⁶ possible states, right?

~~~
Retric
The assumption is you limit bulk guessing of passwords vs. requiring long
passwords. _To consider a concrete example, if a bank allows only 6 digits
PINs (a relatively weak password) and locks an account for 24 hours after
three attempts an attacker could search_

If an IP is spitting out 5 password attempts a second you can safely ignore
their passwords, cache the _Login Failed_ page and go about your day, because
they are not the user. If a user has attempted to log in more than 50 times a
day, lock them out for 24 hours unless they reset the password. 50 * 365 * 10 <
20% of 10^6, and a tiny fraction of your users are going to try 50 times to get
in.

PS: I would also CAPTCHA the login process for any IP that fails 25 times a
week without any valid logons.
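The lockout arithmetic in metachris's and Retric's comments above, as an added example that is not code from the thread or the paper: a per-account lockout throttle plus a simulation of how many distinct guesses an online attacker can get evaluated against a 6-digit PIN space in ten years. It assumes a worst-case attacker who guesses at 5 per second (as fast as the server answers) and waits out every lock; `LockoutPolicy`, `LoginThrottle` and `guesses_evaluated` are names chosen here, not anything from the paper.

```python
# Added example (not code from the thread or the paper). Assumes a worst-case
# attacker who guesses as fast as the server evaluates and waits out every lock.
from dataclasses import dataclass

DAY = 24 * 3600
TEN_YEARS = 10 * 365 * DAY
PIN_KEYSPACE = 10 ** 6           # every 6-digit PIN

@dataclass
class LockoutPolicy:
    max_failures: int            # evaluated failures before the account locks
    window_seconds: int = DAY    # failures are counted per window of this length
    lockout_seconds: int = DAY   # how long the lock lasts

@dataclass
class AccountState:
    window_start: float
    failures: int = 0
    locked_until: float = 0.0

class LoginThrottle:
    """Decides whether a failed login attempt is evaluated or rejected unseen."""
    def __init__(self, policy: LockoutPolicy):
        self.policy, self.accounts = policy, {}

    def record_failure(self, account: str, now: float) -> bool:
        """Return True if the guess was checked against the credential store."""
        st = self.accounts.setdefault(account, AccountState(window_start=now))
        if now < st.locked_until:
            return False                         # locked: guess not evaluated
        if now - st.window_start >= self.policy.window_seconds:
            st.window_start, st.failures = now, 0   # fresh counting window
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures, st.window_start = 0, st.locked_until
        return True

def guesses_evaluated(policy, guesses_per_second, horizon_seconds, keyspace):
    """Count the distinct guesses the server actually checks within the horizon."""
    throttle, now, evaluated = LoginThrottle(policy), 0.0, 0
    while now < horizon_seconds and evaluated < keyspace:
        if throttle.record_failure("victim", now):
            evaluated += 1
            now += 1.0 / guesses_per_second
        else:
            now = throttle.accounts["victim"].locked_until   # wait out the lock
    return evaluated, now
```

With the paper's 3-attempts-then-24-hour lock the attacker gets 10,950 guesses evaluated in ten years (about 1.1% of the keyspace); with Retric's 50-per-day lock it is 182,500 (18.25%), and with no lockout at all the whole space is covered in 200,000 seconds.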

