Quote:
Originally Posted by Andrew H.
I also kind of think that requiring complicated passwords (like "2ef2QEd2ucRUGeya5uTa") with rotations is counterproductive. In the first place, most of the breaches involving passwords that I seem to hear about involve stolen password files, like the PlayStation case. I may have missed it, but I can't remember hearing about a brute force password attack in real life in...well, never. I'm not even sure if it's really possible, since most modern systems will lock you out if you get the password wrong too many times - I think my work adds a 10 minute delay if you get the password wrong three times (plus some sort of alert); I don't know what happens if you keep getting it wrong. Of course smartphones can usually be set to wipe the phone if you get the password wrong 10 times.
And requiring more complex passwords will just lead to people writing them down.
Actually, passwords are stored in encrypted form in all modern systems. Now that the encrypted passwords are in files on third-party machines they can be subjected to "brute force" type decryption (comparing them against entries in an encrypted dictionary, for instance) without worrying about being locked out for excessive trials and errors.
It's an arms race.
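The reply's point, that a stolen password file removes the lockout and lets guesses be checked offline, depends on how the file was stored. The example below is added here and is not code from either poster; it uses constructed accounts and a constructed guess list (assumed names, not real data) to show why an unsalted fast hash is defeated by a precomputed "encrypted dictionary" at a cost that does not grow with the number of users, while per-user salts plus an iterated KDF (PBKDF2 here, as the mitigation) force every guess to be recomputed per user.

```python
import hashlib
import os

# Constructed sample data (not from the post): three weak account passwords
# and a small guess list of the kind used in an offline dictionary check.
ACCOUNTS = {"alice": "password1", "bob": "letmein", "carol": "Tr0ub4dor&3"}
GUESS_LIST = ["123456", "password1", "letmein", "qwerty123", "dragon"]
ITERATIONS = 100_000  # PBKDF2 work factor; real deployments tune this upward

def store_unsalted_sha256(password):
    """Weak storage: one fast hash, no salt. Identical passwords collide and a
    precomputed table works against every user and every leaked file."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_pbkdf2(password, salt, iterations=ITERATIONS):
    """Stronger storage: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def build_fast_table(guesses):
    """The 'encrypted dictionary' from the post: hash each guess once, reuse forever."""
    return {store_unsalted_sha256(g): g for g in guesses}

def offline_match_unsalted(stolen_file, guesses):
    """Check a leaked unsalted file by table lookup. Returns (recovered, hashes_computed)."""
    table = build_fast_table(guesses)
    recovered = {user: table[h] for user, h in stolen_file.items() if h in table}
    return recovered, len(guesses)  # cost is fixed, independent of the number of users

def offline_match_salted(stolen_file, guesses):
    """Check a leaked salted PBKDF2 file. Every (user, guess) pair must be recomputed
    with that user's salt and the full iteration count; no shared table is possible."""
    recovered, kdf_calls = {}, 0
    for user, (salt, digest) in stolen_file.items():
        for g in guesses:
            kdf_calls += 1
            if store_pbkdf2(g, salt) == digest:
                recovered[user] = g
                break
    return recovered, kdf_calls

def make_leaked_files():
    """Build both storage formats for the same accounts, as a leaked file would look."""
    unsalted = {u: store_unsalted_sha256(p) for u, p in ACCOUNTS.items()}
    salted = {}
    for u, p in ACCOUNTS.items():
        salt = os.urandom(16)
        salted[u] = (salt, store_pbkdf2(p, salt))
    return unsalted, salted
```

Both formats give up the same two weak passwords, but the salted file costs one full PBKDF2 run per (user, guess) pair, so the defender's iteration count and the number of accounts multiply the attacker's work rather than leaving it at one table build.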