Astro wrote:
This sounds good for the investigator, bad for the one who is trying to secure his data. Well, the real issue is not usually getting the RAW data, but rather to decrypt it.
Actually you posed your questions in a (IMHO) very correct way, the analysis of costs vs. benefits (and nuisance to the users).
The link you gave for "times" needed are (understandably) very "variable", and "generic".
You should be looking more in the theory (before getting back to practice).
Generally speaking, i.e. not limited to brute-forcing, what is relevant is the entropy of the password:
http://en.wikipedia.org/wiki/Password_strength
http://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength
If you check the above you will see how (example) a "common password", case insensitive alphanumeric, rather surprisingly does not get a much better entropy if you add CaSe SeNsItIvEnEsS.
You may want to think a bit about the considerations made here (besides the quick laugh):
http://xkcd.com/936/
Some further (personal) considerations are made here:
http://reboot.pro/topic/18110-ridiculous-password-rules/
(Reboot.pro has some issues lately, if it doesn't load don't worry and try later)
References in the above are to these two (IMHO interesting) blog posts:
http://blogs.securiteam.com/index.php/archives/1068
http://blogs.securiteam.com/index.php/archives/1906
jaclaz
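The entropy argument in the post above, worked through as an added example (not part of jaclaz's post): it compares a case-insensitive alphanumeric password with its case-sensitive counterpart and with a passphrase drawn from a word list, under the assumption that every symbol or word is chosen uniformly at random (human-chosen passwords have far less entropy than this upper bound).

```python
import math


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password of `length` symbols drawn uniformly
    from an alphabet of `charset_size` symbols: log2(N**L) = L * log2(N)."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(charset_size)


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy in bits of `words` words chosen uniformly from a list of
    `wordlist_size` words (the xkcd 936 scheme uses ~2048 words, 4 of them)."""
    if wordlist_size < 2 or words < 1:
        raise ValueError("need at least 2 words in the list and words >= 1")
    return words * math.log2(wordlist_size)


def compare_case_sensitivity(length: int) -> dict:
    """Show how little case sensitivity adds for an alphanumeric password.

    Alphabet sizes: 36 = [a-z0-9] (case insensitive), 62 = [a-zA-Z0-9].
    The gain is only log2(62/36) ~= 0.78 bits per character, regardless
    of length, because the per-character alphabet grows by a factor < 2.
    """
    insensitive = charset_entropy_bits(36, length)
    sensitive = charset_entropy_bits(62, length)
    return {
        "case_insensitive_bits": insensitive,
        "case_sensitive_bits": sensitive,
        "gain_bits": sensitive - insensitive,
        "gain_bits_per_char": math.log2(62 / 36),
    }


if __name__ == "__main__":
    # Constructed comparison: 8-character alphanumeric password vs 4-word passphrase.
    result = compare_case_sensitivity(8)
    for key, value in result.items():
        print(f"{key:>24}: {value:6.2f}")
    print(f"{'4 words from 2048 list':>24}: {passphrase_entropy_bits(2048, 4):6.2f}")
```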