Re: Password policy.
-----BEGIN PGP SIGNED MESSAGE-----
On 14/11/18 8:44 pm, Brian wrote:
> On Tue 13 Nov 2018 at 18:50:35 -0800, email@example.com wrote:
> Security is already breached if a password database can be attacked
> in that way. A six character (upper and lower case) login password
> would take about 500 years to force for someone at the keyboard.
> This assumes three seconds per try without coffee breaks.
> I'm the cautious type, so use ten character passwords.
Well, yes.... but some breaches are from remote machines that may be
able to life the /etc/shadow file due to a vulnerability that isn't
fixed and if that's all they have, then they don't yet need more
direct access. If they have /etc/shadow, then they can work on
off-line brute force.
I'm very surprised at the very low password strength / length
recommendations to say the least!
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----