Catching out dodgy security policies

Dec 10th, 2008

Comments: 1
Category: Security Policy

Catching out dodgy security policies

Here’s a question to ask your security policy people, to see whether their recommendations are actually risk based or just “best guesses”…
“Have you updated the minimum password length/complexity requirements due to recent advances in password cracking speeds?”
I was reading a couple of posts on the Red Database Security blog (here and here, and it occurred to me that despite the increases that have been made in password cracking speeds over the last couple of years, I’ve not seen a lot of movement in minimum password length/strength requirements to go along with it…
Obviously password policies should be tailored to mitigate the threats to the systems they protect and the primary risk that long passwords mitigate is an offline attack where the attacker has access to the encrypted password. (the more common online brute-force is better mitigated by account lockout and security monitoring in most cases)
So if crackers are getting faster, passwords should obviously get longer…


  1. Infosec Cynic December 24, 2008 at 7:07 pm

    True, passwords are getting easier to crack with faster processing powers of PC’s. In addition password attacks are more prevalent such as software based keyboard loggers etc.
    But users password complexity is finite, whereas computers will keep getting faster and more powerful.
    Maybe, in the light of where technology is moving, passwords on their own as a means of authentication is becoming obsolete and we will see further proliferation of alternative authentication tools (2FA, biometrics etc)

Add a comment

Your email address will not be shared or published. Required fields are marked *