[wp-hackers] Limit Login Attempts

Otto otto at ottodestruct.com
Wed Apr 17 15:52:29 UTC 2013


On Wed, Apr 17, 2013 at 10:30 AM, Chris Williams <chris at clwill.com> wrote:
>> * The bot can succeed if you have a weak password
>> * The bot can't succeed if you have a strong password
>
> The definition of the term "strong" is just the foothold of an arms race.
> How strong is strong enough?

A 10 character password, assuming it is chosen completely randomly, is
sufficiently complex enough to be uncrackable by over-the-web brute
force techniques. 14 characters is sufficient if you're the paranoid
type. Many people with password managers use 20 characters, because
they no longer care what the passwords are.

The problem is that people are bad at choosing passwords. They use
words from dictionaries, with slight modifications. If they're given
rules like "use a capital letter, a symbol, and a number" then they'll
make it "Password1!" and think it's perfectly safe.

People-chosen passwords are often easy to crack using simplistic
dictionary-based attack patterns. This reduces the amount of hits you
have to make to guess it to be reasonable to do. If the password is
just random letters and numbers and such, like "9TKk!5F6S%" (generated
by my LastPass extension just now), then it's a large enough search
space to make it uncrackable within a reasonable timeframe.

It is perfectly possible to give users a better understanding that
their chosen password is awful at the time they choose it, and thus
encourage better password selection.

-Otto


More information about the wp-hackers mailing list