On Tue, Aug 12, 2014 at 3:30 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
> So even if you took the windows NTLM algorithm and added a proper salt feature, any single 16-char or shorter password could be cracked in 5 1/2 hours or less.
>
> That may be fine for most things we secure, but if you have a secret you truly want to secure from targeted bad actors, a 16-char password is simply not long enough anymore. My personal recommendation of 18-chars is even sounding too short.
>
> Greg
This is interesting, and worrying, as far as it goes. One of the guys I work with insists that passwords must have easy-to-remember patterns, and be no more than 7 characters. He says shorter is better. I have told him repeatedly that using such passwords makes his systems vulnerable; but then he starts ranting about idiots forgetting the reasonably secure passwords and the soaring costs of customer support.

I wonder how the situation changes if you add client side certificates. Leaving aside the logistics of securely distributing the client side certificate (and the sometimes vain hope that the CA will sign them with a decent algorithm, like sha512, instead of the compromised MD5), can one be secure if one uses a client side certificate in addition to a strong password? Can a client side certificate be passphrase protected? And, if so, I assume the browser would ask for that passphrase before sending the certificate to the server requesting it: right? But this would presuppose the operator of the website in question cares enough about security to configure his server to insist on receiving a client side certificate before providing access to anything like a login page. Then, I suppose there isn't much one can do if the website operator doesn't do much to ensure security is handled well.

Cheers

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.
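The set-up Ted asks about, as an added example that is not part of the thread: a throwaway private CA issues a client certificate signed with SHA-512, the client's private key and the PKCS#12 bundle a browser would import are both passphrase-protected, and an nginx fragment makes the login location refuse any request that did not present a certificate chained to that CA. All names, paths and passphrases are constructed placeholders; it assumes a POSIX shell with the openssl command available.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA, issues a
# passphrase-protected client certificate signed with SHA-512, and writes an
# nginx fragment that refuses /login unless a certificate from that CA was
# presented. Every name, path and passphrase below is a constructed placeholder.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_PASS="ca-passphrase-CHANGEME"          # constructed
CLIENT_PASS="client-passphrase-CHANGEME"  # constructed; encrypts the client key

make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha512 -days 365 \
    -subj "/CN=Example Internal Client CA" -passout "pass:$CA_PASS" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_client_cert() {
  # Without -nodes, openssl req encrypts the new private key with the passphrase.
  openssl req -new -newkey rsa:2048 -sha512 -subj "/CN=ted" \
    -passout "pass:$CLIENT_PASS" -keyout "$WORK/client.key" \
    -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -sha512 -days 365 -in "$WORK/client.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -passin "pass:$CA_PASS" -out "$WORK/client.crt" 2>/dev/null
  # Browsers import PKCS#12 bundles; the export passphrase protects the key inside.
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -passin "pass:$CLIENT_PASS" -passout "pass:$CLIENT_PASS" -out "$WORK/client.p12"
}

write_nginx_fragment() {
  # "optional" lets the TLS handshake finish without a certificate so other
  # locations still work; the login location then insists on a verified one.
  cat > "$WORK/client-cert.conf" <<EOF
ssl_client_certificate $WORK/ca.crt;
ssl_verify_client optional;
ssl_verify_depth 1;
location /login {
    if (\$ssl_client_verify != SUCCESS) { return 403; }
    proxy_pass http://127.0.0.1:8080;
}
EOF
}

# Checks a reviewer would run: chain verifies, SHA-512 was used, key is encrypted.
cert_sig_alg() { openssl x509 -in "$WORK/client.crt" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1; }
key_opens_with() { openssl pkey -in "$WORK/client.key" -passin "pass:$1" -noout 2>/dev/null; }
make_ca; issue_client_cert; write_nginx_fragment
echo "client cert signed with $(cert_sig_alg); files in $WORK"
```

A browser asks for the PKCS#12 passphrase when client.p12 is imported; whether the key is protected again each time it is used depends on the browser's or operating system's key store, not on the bundle itself.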