[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Password policy.

On Tuesday 13 November 2018 11:23:13 peter@easthope.ca wrote:

> Hi,
> https://www.debian.org/doc/manuals/debian-reference/ch04.en.html#_good
>_password specifies "6 to 8 characters".  Is that adequate against
> currently available brute force?
> Thanks,                                  ... Peter E.

"John the ripper" can find a 6 char word in a couple seconds on a slow 
machine. Every char you add multiplies that time by 62 or so depending 
on the valid char spec. 52 for upper and lowercase plus 0-9= 62. Add 13 
more if you allow the punctuation on the upper row of keys shifted, I 
ran into a supplier site still useing 8 chars last summer, and sent them 
a 'gram about it, fussing that I won't do business with such a poorly 
protected site. I got an email from them the next Tuesday proclaiming 
their network guy had expanded the passwd length to 127 chars.  I like 
20+ chars personally as that would take John about the rest of the time 
for the universe to run down to find. But there are better tools for the 
specialists at hacking than John. Please keep that in mind.

Cheers, Gene Heskett
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Reply to: