Re: Password policy.

[Andrew McGlashan <andrew.mcglashan@affinityvision.com.au>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 14/11/18 8:44 pm, Brian wrote:
> On Tue 13 Nov 2018 at 18:50:35 -0800, peter@easthope.ca wrote:
>> https://en.wikipedia.org/wiki/Brute-force_attack
> 
> Security is already breached if a password database can be attacked
> in that way. A six character (upper and lower case) login password
> would take about 500 years to force for someone at the keyboard.
> This assumes three seconds per try without coffee breaks.
> 
> I'm the cautious type, so use ten character passwords.

Well, yes.... but some breaches are from remote machines that may be
able to life the /etc/shadow file due to a vulnerability that isn't
fixed and if that's all they have, then they don't yet need more
direct access.  If they have /etc/shadow, then they can work on
off-line brute force.

I'm very surprised at the very low password strength / length
recommendations to say the least!

Kind Regards
AndrewM
-----BEGIN PGP SIGNATURE-----

iHUEAREIAB0WIQTJAoMHtC6YydLfjUOoFmvLt+/i+wUCW+v3PQAKCRCoFmvLt+/i
+19JAP9R3Zw7RqQDIytWTedQxVeCKMV0+gGxMAw9oO6G6gG/VgD/dJbL4dppk5Zp
j5Tolqq/w0aa34exUvNHn6fqMI85HhU=
=5zUS
-----END PGP SIGNATURE-----