[Cryptography] Possible reason why password usage rules are such a mess

[Sid Spry]

On Thu, Nov 19, 2020, at 4:46 AM, Phillip Hallam-Baker wrote:
> 
> 
> On Wed, Nov 18, 2020 at 12:04 PM Kent Borg <kentborg at borg.org> wrote:
> > On 11/17/20 1:09 PM, Phillip Hallam-Baker wrote:
> >> Some of the password stupidity we suffer from today comes from the two weeks after the release of Crack. At the time, UNIX password files were world readable by default and anyone suggesting shadow password files was the way to go was attacked for 'security through security'. Crack upped the ante because it could make 6? 60? attempts a second and so a moderate sized cluster of SPARCstations could test every password in a million entry dictionary in a weekend. 
> > But readable password hashes have gone away. Passwords are only readable on systems that are already quite broken. (Any old Unix systems still running are quite broken.) To set password policy based this case is all wrong.
> 
> Password cracking doesn't use dictionaries any more... brute force is practical.
> 

It does use dictionary files, they're created by collecting leaked password
databases. This serves two purposes: login attempts can be done from the
dictionary file with some chance of success, and reversing a properly salted
password database is only feasible with such a dictionary.

Brute force in the strictest sense isn't usually tractable.