SomeoneE1se
Posted September 25, 2006

I was thinking, and not knowing too much about how password cracking works, I thought I'd ask and see if anyone knew more about this...

I don't use hotmail anymore, but I did at one point, and if I remember correctly the minimum password length is 6 characters. But because people don't like to remember long passwords they would make it as small as they could get away with.. i.e. 6. So if you were trying to bruteforce a password like that, shouldn't you start with only passwords at 6 characters long, making the password less secure to brute forcing than where you'd have to start with 1 character and go from there?

Or do I have no idea what I'm talking about and am just talking out my ass?

(I'm not targeting hotmail, it's just the first thing that came to mind when I thought of making passwords have a minimum length)

[edited for spelling]

Sparda
Posted September 25, 2006

Password cracking is not the same as (but is similar to) a password dictionary or brute force attack. Password cracking is where you get the hash of a password, then see if you can regenerate the same hash using the same algorithm used to generate the stolen hash.

What you described (in the hotmail example) is password brute forcing, where you know the probable length of the password and you know that it's probably an actual word. The problem of course with this is that after so many failed login attempts, the server will deny access for 30 minutes or whatever it's set to. So brute forcing a hotmail password is fundamentally flawed in that it would take an incredibly long time, since every three failed passwords you have to wait 30 minutes to try another three.

SomeoneE1se (Author)
Posted September 25, 2006

No, I get that, cracking passwords from a hash and everything... and I'm not thinking of this from a usability standpoint.. but is it not a better idea to make the password accept anything (instead of having a minimum length) to protect from a brute force attack?

i.e. if I was going to brute force something, making a minimum password length only saves me from trying a, b, c.... aa, ab, ac.... zzzzz, zzzz0, zzzz1... therefore, for someone who was going to pick a password of 6-* chars anyway, it only makes it easier for me to get the right one sooner?

KoR_Wraith
Posted September 25, 2006

No, as no doubt many people would have 2 or 3 letter passwords (possibly even 1 :|), which would be much quicker to crack than 6 letter passwords - EVEN if you start from 6.
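
The trade-off argued over in this thread can be checked with keyspace arithmetic. The following is an added example, not part of any post above; it assumes a 36-symbol alphabet (a-z, 0-9), a shortest-first enumeration order, and constructed length distributions for the two policies.

```python
# Added example: does a minimum length of 6 help or hurt against exhaustive search?
# Assumptions (not from the thread): 36-symbol alphabet, candidates enumerated
# shortest-first, passwords uniformly random within their length.
ALPHABET = 36

def keyspace(length, alphabet=ALPHABET):
    """Number of candidate passwords of exactly this length."""
    return alphabet ** length

def guesses_before(length, start=1, alphabet=ALPHABET):
    """Candidates enumerated before reaching `length` when starting at `start`."""
    return sum(keyspace(n, alphabet) for n in range(start, length))

def skipped_fraction(min_len, alphabet=ALPHABET):
    """Share of the total work for a min_len password that is saved by
    skipping every shorter length (the saving the thread asks about)."""
    skipped = guesses_before(min_len, 1, alphabet)
    return skipped / (skipped + keyspace(min_len, alphabet))

def expected_guesses(length_dist, start=1, alphabet=ALPHABET):
    """Average guesses per account for a population whose password lengths
    follow length_dist ({length: probability})."""
    total = 0.0
    for length, p in length_dist.items():
        # Everything shorter, plus on average half of this length's keyspace.
        average_position = (keyspace(length, alphabet) + 1) / 2
        total += p * (guesses_before(length, start, alphabet) + average_position)
    return total

# Constructed populations: with no minimum, users spread over lengths 3-6;
# with a minimum of 6, the same users all land on exactly 6.
NO_MINIMUM = {3: 0.25, 4: 0.25, 5: 0.25, 6: 0.25}
MINIMUM_SIX = {6: 1.0}

if __name__ == "__main__":
    print(f"work saved by starting at 6: {skipped_fraction(6):.2%}")
    print(f"avg guesses, no minimum:     {expected_guesses(NO_MINIMUM, start=1):,.0f}")
    print(f"avg guesses, minimum of 6:   {expected_guesses(MINIMUM_SIX, start=6):,.0f}")
```

Under these assumptions, skipping lengths 1 to 5 saves under 3% of the search for a 6-character password, while forcing every account up to 6 characters more than triples the average search cost per account.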