Passwords requiring a number (Math), not wearing pants

Posted by Skeik - March 3rd, 2010


Doesn't requiring a password to contain a number actually decrease the number of possible passwords? Consider this.

Let's say there are 60 characters on a keyboard that can go into a password (there are probably more; this assumes case-sensitive letters, with numbers and symbols allowed). If a password is required to be, say, 6 to 8 characters long, then this is the number of different passwords possible:

(60^6) + (60^7) + (60^8) = 1.70807616 × 10^14 (thanks, Google Calculator)

That's the number of possible passwords without any number restriction. Now go back and count the possible passwords when at least one character must be a digit 0-9. The easiest way to do this is to subtract all the passwords that don't contain a number at all: that's 50^6, 50^7 and so on for each password length, because each character has 60 possibilities and 10 of them are digits, so we subtract those 10 and are left with 50 non-digit choices per character.

((60^6) - (50^6)) + ((60^7) - (50^7)) + ((60^8) - (50^8)) = 1.30948241 × 10^14

That's not an enormous loss, but it's still a loss, which means a password of this type is easier to brute force. Especially since most people just put a 1 at the end of their password when a number is required. I know no one REALLY brute forces passwords, but this just makes it easier for them if they wanted to. It's best to just let the person pick their password and SUGGEST that they put a number in, or at least, it makes sense to me. If there is something wrong with my math, tell me.
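The counting above, worked in Python as an added example (this is not code from the original post). It uses the post's figures (60 symbols, 10 of them digits, 6 to 8 characters) and the same complement trick, and it generalises to the 26-, 52- and 62-symbol alphabets the comments below quote; the guess rate used at the end is a constructed assumption, not a figure from the post.

```python
# Added example (not from the original post): count the password keyspace
# with and without a mandatory-digit rule, using the post's complement trick
# (all passwords minus those with no digit at all).


def keyspace(alphabet_size, min_len, max_len, digit_count=10, require_digit=False):
    """Number of passwords of length min_len..max_len over alphabet_size symbols.

    With require_digit=True only passwords containing at least one of the
    digit_count digit symbols count: alphabet_size**n minus the passwords
    built purely from the (alphabet_size - digit_count) non-digit symbols.
    """
    total = 0
    for n in range(min_len, max_len + 1):
        total += alphabet_size ** n
        if require_digit:
            total -= (alphabet_size - digit_count) ** n
    return total


def keyspace_reduction(alphabet_size, min_len, max_len, digit_count=10):
    """Share of the unrestricted keyspace an exhaustive attacker may skip
    once the digit rule is public (the loss the post is worried about)."""
    full = keyspace(alphabet_size, min_len, max_len)
    restricted = keyspace(alphabet_size, min_len, max_len, digit_count, True)
    return (full - restricted) / full


def years_to_exhaust(space, guesses_per_second):
    """Time to try every password in `space` at a constructed guess rate;
    the rate is an assumption, not a figure from the post."""
    return space / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # The post's figures: 60 usable symbols, 10 of them digits, 6-8 characters.
    full = keyspace(60, 6, 8)
    forced = keyspace(60, 6, 8, require_digit=True)
    print(f"no rule:      {full:,}")
    print(f"digit forced: {forced:,}")
    print(f"keyspace discarded by the rule: {keyspace_reduction(60, 6, 8):.1%}")
    # The commenters' 6-character comparison: lowercase / mixed case / plus digits.
    for size in (26, 52, 62):
        print(f"{size}-symbol alphabet, 6 chars: {keyspace(size, 6, 6):,}")
    # Constructed rate of 1,000 online guesses per second, with no lockout.
    print(f"years to exhaust the forced-digit space at 1e3/s: "
          f"{years_to_exhaust(forced, 1e3):,.0f}")
```

Running it reproduces the two totals in the post and shows the rule removes about 23% of the unrestricted 6-to-8-character keyspace.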

This is just something I was thinking about lol.

Also I was just thinking about how I never made anything for Newgrounds. I mean, I have a few movies that I only uploaded here but those are shit. I really should make something for Pico Day, even if it's small. I'll try and think of something.

And Shark City and that Bow Game are coming along. I'm gonna post a screenshot of Shark City. If you're gonna say something about how it looks like Miami Shark, go ahead and say it, but I don't really care.

Comments

It makes it slightly easier to brute force a password.
However, brute force takes an age anyway, and with websites such as Newgrounds performing a 3 failed attempts lockout rule, a brute force is completely non-viable.

What the number system does prevent is a dictionary attack. Many people just use an English word for a password, and that cuts out a lot of possibilities. Forcing people to add at least one number makes a dictionary attack impossible (unless they program it to put in [dictionaryword+"1"], but it still does a good job of protecting those who don't just put a one at the end).
Again, sites with an attempt limit still won't be beaten by it, but then it also makes more difficult several other strategies (eg. people who decide to put their password as their favourite food or game character, or those who would otherwise use the same password for every site).

Also, nice pic!

Apologies for the lack of clarity; in the third paragraph I was saying that passwords on sites with attempt limits would not be beaten by dictionary attacks, yet still the 'one number rule' makes other tactics for breaking into a person's account less effective.

Also, how do sharks swim in a city?

I understand what you're saying. Would using brute force to figure out a password be good for any situation?

And lol, this is one badass Shark.

Of course there are some situations where brute forcing will be useful!
Obviously a 3 character password would be no problem. Also, if the information contained by the password is valuable and you have the time, brute force would be good.
But that would be a fair amount of time, I imagine.

And then you have several ways to speed up the time. Internet speed, parallel processing, etc. Some brute-force attacks rely on using a large amount of zombie computers - computers which have been taken over by viruses, trojans and the like in order to perform an action such as a brute-force attack on a password, often without the owner knowing.
And, like I mentioned, dictionary attacks are still brute-force, but decrease the amount of attempts by a huge amount. As well as this, someone with access to a lot of user passwords (like Newgrounds admins) could create a list of common passwords, and attack other sites using brute force with this list of common passwords.
Anything is possible for an attacker with sufficient ability and resources and I'm sure people have come up with a load of different and increasingly effective ways of getting into a stranger's account.

In short, none of us are safe. We should all hide underground in our metal bunkers where we can protect ourselves from the internet terrorists.

*Head Explodes*

Have you ever thought bringing this point up to web-designers of sites that this information would apply to?

Well I mean Doomsday makes a good point too. My idea only applies in a situation where someone wants to brute force a website without eliminating any other possibilities. That could take days, weeks, or months to compute. But it does stop dictionary attacks, which could take a considerably lower amount of time.

It also stops people who have personal info on you finding your password, if you make it your mother's maiden name or something.

While you do have a point, I think the real issue here is enforcing stupid arbitrary maximum password lengths. For example, I won't use a password any shorter than 10 characters. Assuming I only use letters, my password is only one possibility out of a minimum of 52^10 (or 144,555,105,949,057,024 (that's 144 quadrillion), assuming a mix of upper- and lower-case letters). By restricting me to only 8 characters, my total possibilities are reduced to a maximum of 52^8, or 53,459,728,531,456 (or 53 trillion, ignoring valid passwords of six or seven characters). That's an entire order of magnitude, and with disk space being so cheap and abundant (and passwords requiring so little space to store) it seems criminal to me to impose arbitrary limits like this.

But I digress; you do have a valid point in terms of brute-forcing -- this method does indeed thwart dictionary-type attacks.

Something else you probably should think about is the extra possibilities a forced number imposes - that's an extra 10 CHARACTERS to cycle through per space. So, for example, in a 6 character password, if you were only to use lower case there would be 308,915,776 (26^6); lower and upper case is a whopping 19,770,609,664 (52^6). Then, adding the number requirement as well - 56,800,235,584 (62^6).

Adding in a number drastically INCREASES the difficulty of cracking a password, because the hackers don't know if there's just 1 number or more. Assuming the hacker knows this seems a bit strange, because if they did, they probably wouldn't have to brute the whole thing anyway.

Also, in the case of users simply adding a 1 to the end of the password, that too is a good thing. It may be simple to guess, but it adds another whole POWER of digits (along with an extra 10 characters) that the hacker must cycle through.

So, no, in the case of brute forcing (and, really, any other type of hacking), it makes the cracking much more difficult when there is a forced number present.

What I'm saying is that when you tell the user he has to put at least one number in the password, it rules out every possibility of a password that doesn't contain a number. The hacker doesn't know if you had a number in your password in the first place, but by making it forced, the hacker would know that at least one of the character spaces must contain a number, so he can just throw away all the other possibilities that don't contain just one number, like I demonstrated in my post.

What you're saying is that forcing a number = the possibility of a number. But forcing a number means that the number is forced. A password on any website has the possibility of containing numbers, which is the situation you presented in your comment, but it's an entirely different situation to force a number.

And any hacker can know if a website is forcing a number on a password because of the fact that anyone who registers (on a public registration) would be able to figure that out.

But on a website where the number is not forced, the hacker will not use numbers to crack passwords, because there will be an abundance of accounts that will not use them. This will make their hacking much, much easier.

There the hackers can choose to create a cycle using only 26 characters, a system which they can practically fly through in comparison.

By making sure they know they'll need the full 62 cycle, that's going to hurt them. In the case of a dictionary, they can indeed throw out a number of options, but that is worse for them because they have a much lower chance of guessing.

So I do see what you're saying, with hackers who don't cycle through the full characters being less likely to hack well protected accounts, but it also gives them a huge amount of other, weaker accounts to break down. In the case of having forced numbers, though, accounts are almost equally protected (not counting length, cases, and difficulty of passwords).

Yes, the hackers will start with the full array to search with, meaning they'll find a password quicker than cycling through all letters and then all letters and numbers, but that's just ridiculous. The chances of a hacker being that stupid are much smaller than them getting into a poorly protected account with a readily available 26 character cycle.