Herbert Xu wrote:
>On Wed, Jul 23, 2003 at 03:35:05AM -0700, David S. Miller wrote:
>> If I know your password is 7 characters I have a smaller
>> space of passwords to search to just brute-force it.
>
>It's much smaller if you didn't know that it was at most 7 characters
>long.
Yes, if I know I want to attack David Miller's password,
and I'm going to keep trying until I succeed, then knowing
the length of his password doesn't help much. However, if
I'm on a multi-user system and I just want to crack any
password for any one of the users on that system, then
knowing the lengths of passwords does help, because I can
focus my effort on those users with the shortest passwords.
Thus, revealing password lengths might heighten the risk of
password guessing (even if only by a small factor).
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Wed Jul 23 2003 - 22:00:49 EST