password strength checking not consistently implemented

Gary W. Swearingen underway at comcast.net
Fri Aug 15 13:19:42 PDT 2003


Freddie Cash <fcash at sd73.bc.ca> writes:

> On August 15, 2003 09:28 am, Gary W. Swearingen wrote:
>
>> (I guess it makes sense that "A. Hacker" WOULD try to discourage
>> password strength checking. :)
>
> Actually, Mr. Hacker is advocating the use of strength checkers.  

Actually, he wasn't; he was being ironic -- to discourage its use.

> Consider the entire keyspace of all passwords.  Now remove from that 
> keyspace all passwords that are less than 8 characters, are made up of 
> dictionary words, are all numbers, and so on.  What you are left with 
> is a *much* smaller keyspace to brute force your way through.
>
> IOW, the strength checkers actually make it easier to crack the 
> passwords ... as there are fewer combinations to check against.
>
> This is assuming that the cracker knows which strength checker is being 
> used so they know which parts of the keyspace to drop.

I think you've changed the subject from "crack [any] passwords" to
"crack [all] passwords".  Your claim is true on average for the "all
passwords" case, since the brute force method will often have to be
resorted to in that case, unless the password choosers are all morons.

But if we're talking about a cracker finding any one of a large number
of passwords chosen by careless users, then crackers will find their
work easier if people don't use strength checkers.  This is the more
typical case which I thought Mr. Hacker was concerned about.

I can't speak for all strength checkers; I guess it's possible for
them to reduce the "keyspace" too far, but I've seen no evidence that
that's the case for typical checkers, and there's plenty of evidence
that crackers use dictionaries and that password choosers are foolish.

And if you're worried about someone brute forcing a reduced keyspace,
you probably should be using something better than passwords.
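An added example, not part of the thread, that puts numbers on the two cases argued above: how much of the keyspace a policy of "at least 8 characters, not all digits, not a dictionary word" actually removes, and which user choices it turns away. It assumes 95 printable ASCII symbols and a constructed six-entry dictionary standing in for a real wordlist.

```python
# Added example (not from the thread). Assumptions: 95 printable ASCII
# symbols, the policy described in the discussion, and a constructed
# tiny dictionary in place of a real wordlist.
DIGITS, PRINTABLE = 10, 95
DICTIONARY = {"password", "letmein", "freebsd!", "sunshine", "12345678", "qwertyui"}


def keyspace(alphabet, min_len, max_len):
    """Number of strings whose length lies in [min_len, max_len] over `alphabet` symbols."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def passes_policy(pw, dictionary=DICTIONARY, min_len=8):
    """The strength check the thread describes: long enough, not all digits, not a word."""
    return len(pw) >= min_len and not pw.isdigit() and pw.lower() not in dictionary


def remaining_fraction(max_len=8, dictionary=DICTIONARY, min_len=8):
    """Share of all passwords up to max_len that survive the policy, i.e. the
    'reduced keyspace' a brute-forcer who knows the policy could restrict itself to."""
    total = keyspace(PRINTABLE, 1, max_len)
    rejected = keyspace(PRINTABLE, 1, min_len - 1)            # too short
    rejected += keyspace(DIGITS, min_len, max_len)            # all digits
    rejected += sum(1 for w in dictionary                     # words not already counted above
                    if min_len <= len(w) <= max_len and not w.isdigit())
    return (total - rejected) / total


def audit(candidates, dictionary=DICTIONARY):
    """Split a list of user choices into those the policy accepts and rejects."""
    accepted = [p for p in candidates if passes_policy(p, dictionary)]
    rejected = [p for p in candidates if not passes_policy(p, dictionary)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of "careless user" choices next to a couple of decent ones.
    sample = ["letmein", "12345678", "Password", "sunshine", "correct horse", "Tr0ub4dor&3"]
    ok, bad = audit(sample)
    print(f"keyspace left to brute force (<=8 chars): {remaining_fraction():.4%}")
    print(f"keyspace left to brute force (<=12 chars): {remaining_fraction(12):.8%}")
    print("accepted:", ok)
    print("rejected:", bad)
```

The policy removes about one percent of the 8-character-or-shorter keyspace (almost all of it the short strings), so a brute-forcer gains next to nothing, while every weak choice in the sample is turned away.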


More information about the freebsd-chat mailing list