[Info-vax] password strength (Re: VMS humor)

Tad Winters tad.vms at gmx.com
Fri Jan 1 12:01:18 EST 2021


On 1/1/2021 7:33 AM, Craig A. Berry via Info-vax wrote:

<<snip>>

>> Also most attacks against a compromised authorization file start with
>> a giant database of previously-obtained password hits under the
>> theory that there might be user overlap with a previously-compromised
>> account and that people are lazy.
>
> All the more reason to have people make up their own phrase or short
> sentence of nonsense that will be memorable to them but unlikely to
> appear in one of these databases.


This is a very theoretical discussion, but when we consider the LGI_
system parameters in VMS, "password evasion" can increase incredibly the
amount of time it would take before any attack would find success.

I adjusted one employer's LGI_ system parameters so that 5 failed
attempts in a 5 minute period resulted in "password evasion" until 30
minutes of no login attempts had elapsed.  (I might have set that first
time period to be 10 minutes.  That was more than 20 years ago.)  That
would mean an attacker would have to make just 4 attempts in any 5
minute period in order to keep up these attempts.

- Tad
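
The policy described in the message above (5 failures within 5 minutes trigger evasion, which ends only after 30 minutes without any login attempt) can be modelled to see how many guesses per day it lets through. This is an added example, not part of the original post, and it is a simplified model of the policy as described, not OpenVMS's actual break-in detection algorithm; the class and function names are hypothetical.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class EvasionThrottle:
    """Simplified model of the described policy (assumption, not VMS code)."""
    limit: int = 5        # failures that trigger evasion
    window: int = 300     # seconds in which those failures must fall
    quiet: int = 1800     # seconds without any attempt before evasion ends
    failures: deque = field(default_factory=deque)
    evading: bool = False
    last_attempt: float = float("-inf")

    def failed_attempt(self, t):
        """Record a wrong guess at time t; True if the system evaluated it."""
        if self.evading and t - self.last_attempt >= self.quiet:
            self.evading = False          # quiet period elapsed
            self.failures.clear()
        self.last_attempt = t             # any attempt restarts the quiet timer
        if self.evading:
            return False                  # rejected without checking the password
        while self.failures and t - self.failures[0] >= self.window:
            self.failures.popleft()       # forget failures outside the window
        self.failures.append(t)
        if len(self.failures) >= self.limit:
            self.evading = True
        return True


def evaluated_guesses(interval, duration, throttle=None):
    """Count guesses actually checked when one arrives every `interval` seconds."""
    throttle = throttle or EvasionThrottle()
    count, t = 0, 0
    while t < duration:
        count += throttle.failed_attempt(t)
        t += interval
    return count


def days_to_exhaust(candidates, per_day):
    """Days needed to work through a candidate list at a given daily rate."""
    return candidates / per_day


if __name__ == "__main__":
    day = 86400
    for interval in (1, 60, 75):          # constructed pacing values
        print(interval, "s apart ->", evaluated_guesses(interval, day), "per day")
    print(round(days_to_exhaust(1_000_000, evaluated_guesses(75, day))), "days")
```

In this model, any pacing faster than 4 attempts per 5 minutes gets only 5 guesses evaluated in a whole day, because continued attempts keep resetting the quiet timer.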



