[Cryptography] Passwords (Smallest feasible work factor today?)

Phillip Hallam-Baker phill at hallambaker.com
Thu Sep 8 21:21:12 EDT 2022


On Wed, Sep 7, 2022 at 5:26 PM Kent Borg <kentborg at borg.org> wrote:

> On 9/7/22 14:07, Phillip Hallam-Baker wrote:
>
> If rate limits are an acceptable control, there would have never been the
> need to introduce the stupid special characters in the first place. If
> Mallet is limited to 5 tries in an hour, Alice could use a simple password
> with little risk.
>
> I think there are decent arguments that all those password format rules
> *are* pointless. Though I do grudgingly admire them as a way to make it a
> little more difficult to recycle passwords, as a password that satisfies
> one set of rules often doesn't satisfy the next set.
>
> My ATM card has a 4-digit PIN. Certainly the PIN isn't the only security
> measure in play, but as part of the larger system it can work quite well.
> Somewhat smaller than 2^80, too.
>
The PIN is not the primary authentication factor, the card is. The PIN is
merely a secondary factor to reinforce the first. So it doesn't have to be
2^80 secure.

Now in the US, the card is not much of an authenticator as the information
on the strip is easily guessed for many banks. But France has had smart
cards for ATM cards for decades.