Age 32, Male
Developer
University of Toledo
Ohio
Joined on 6/19/05
Apologies for the lack of clarity; in the third paragraph I was saying that passwords on sites with attempt limits would not be beaten by dictionary attacks, yet still the 'one number rule' makes other tactics for breaking into a person's account less effective.
Also, how do sharks swim in a city?
I understand what you're saying. Would using brute force to figure out a password be good for any situation?
And lol, this is one badass Shark.
Of course there are some situations where brute forcing will be useful!
Obviously a 3 character password would be no problem. Also, if the information contained by the password is valuable and you have the time, brute force would be good.
But that would be a fair amount of time, I imagine.
And then you have several ways to speed up the time. Internet speed, parallel processing, etc.. Some brute-force attacks rely on using a large amount of zombie computers - computers which have been taken over by viruses, trojans and the like in order to perform an action such as a brute-force attack on a password, often without the owner knowing.
And, like I mentioned, dictionary attacks are still brute-force, but decrease the amount of attempts by a huge amount. As well as this, someone with access to a lot of user passwords (like Newgrounds admins) could create a list of common passwords, and attack other sites using brute force with this list of common passwords.
Anything is possible for an attacker with sufficient ability and resources and I'm sure people have come up with a load of different and increasingly effective ways of getting into a stranger's account.
In short, none of us are safe. We should all hide underground in our metal bunkers where we can protect ourselves from the internet terrorists.
*Head Explodes*
Have you ever thought bringing this point up to web-designers of sites that this information would apply to?
Well I mean Doomsday makes a good point too. My idea only applies in a situation where someone wants to brute force a website without eliminating any other possibilities. That could take days, weeks, or months to compute. But it does stop dictionary attacks, which could take a considerably lower amount amount of time.
It also stops people who have personal info on you finding your password, if you make it your mother's maiden name or something.
While you do have a point, I think the real issue here is enforcing stupid arbitrary maximum password lengths. For example, I won't use a password any shorter than 10 characters. Assuming I only use letters, my password is only one possibility out of a minimum of 52^10 (or 144,555,105,949,057,024 (that's 144 quadrillion), assuming a mix of upper- and lower-case letters). By restricting me to only 8 characters, my total possibilities are reduced to a maximum of 52^8, or 53,459,728,531,456 (or 53 trillion, ignoring valid passwords of six or seven characters). That's an entire order of magnitude, and with disk space being so cheap and abundant (and passwords requiring so little space to store) it seems criminal to me to impose arbitrary limits like this.
But I digress; you do have a valid point in terms of brute-forcing-- this method does indeed thwart dictionary-type attacks.
Something else you probably should think about it the extra possibilities a forced number imposes - that's an extra 10 CHARACTERS to cycle through per space. So, for example, in an 6 character password, if you were only to use lower case there would be 308,915,776 (26^6) lower and upper case is a whopping 19,770,609,664 (52^6). Then, adding the number requirement as well - 56,800,235,584 (62^6).
Adding in number drastically INCREASES the difficulty of cracking a password, because the hackers don't know if there's just 1 number or more. Assuming the hacker knows this seems a bit strange, because if they did, they probably wouldn't have to brute the whole thing anyway.
Also, in the case of users simply adding a 1 to the end of the password, that too is a good thing. It may be simple to guess, but it ads another whole POWER of digits (along with an extra 10 characters) that the hacker must cycle through.
So, no, in the case of brute forcing (and, really, any other type of hacking), it makes the cracking much more difficult when there is a forced number present.
What I'm saying is that when you tell the user he has to put at least one number in the password, it rules out every possibility of a password that doesn't contain a number. The hacker doesn't know if you had a number in your password in the first place, but by making it forced, the hacker would know that at least one of the character spaces must contain a number, so he can just throw away all the other possibilities that don't contain just one number, like I demonstrated in my post.
What you're saying is that forcing a number = the possibility of a number. But forcing a number means that the number is forced. A password on any website has the possibility of containing numbers, which is the situation you presented in your comment, but it's an entirely different situation to force a number.
And any hacker can know if a website is forcing a number on a password because of the fact that anyone who registers (on a public registration) would be able to figure that out.
But on a website where the number is not forced, the hacker will not use numbers to crack passwords, because there will be an abundance of accounts that will not use them. This will make their hacking much, much easier.
There the hackers can choose to create a cycle using only 26 characters, a system which they can practically fly through in comparison.
By making sure they know they'll need the full 62 cycle, that's going to hurt them. In the case of a dictionary, they can indeed throw out a number of options, but that is worse for them because they have a much lower chance of guessing.
So I do see what you're saying, with hackers who don't cycle through the full characters being less likely to hack well protected accounts, but it also gives them a huge amount of other, weaker accounts to break down. In the case of having forced numbers, though, accounts are almost equally protects (not counting length, cases, and difficulty of passwords).
Yes, the hackers will start with the full array to search with, meaning they'll find a password quicker than cycling through all letters and then all letters and numbers, but that's just ridiculous. The chances of a hacker being that stupid are much smaller than them getting into a poorly protected account with a readily available 26 character cycle.
Doomsday-One
It makes it slightly easier to brute force a password.
However, brute force takes an age anyway, and with websites such as Newgrounds performing a 3 failed attempts lockout rule, a brute force is completely non-viable.
What the number system does prevent is a dictionary attack. Many people just use an English word for a password, and that cuts out a lot of possibilities. Forcing people to add at least one number makes a dictionary attack impossible (unless they program it to put in [dictionaryword+"1"], but it still does a good job of protecting those who don't just put a one at the end).
Again, sites with an attempt limit still won't be beaten by it, but then it also makes more difficult several other strategies (eg. people who decide to put their password as their favourite food or game character, or those who would otherwise use the same password for every site).
Also, nice pic!