"Brett L. Hawn" <blh@nol.net> wrote:

>You can lead a user to a good password but you can only make them use it for
>so long.

Is this not desirable? The longer they keep that good password, the worse it gets. Make them choose another good password!

>Not to mention anyone with the time and desire can create a fairly
>nifty 'dictfile' like I did a few years back. All it takes is some simple
>brain power and a LOT of disk space, a quick file that prints all variations
>of 5-8 character length combinations to a file. I stopped mine at 238megs and
>it was still going strong.

When talking in terms of attacking a daemon across a relatively low-bandwidth network (as we were), a dictionary attack on 238Mb of passwords is a) going to take a long time and b) hopefully won't go unnoticed. Agreed, if you have the encrypted passwords locally and have plenty of CPU time to spare, knock yourself out. If someone *really* wants to crack a publicly accessible account on your system they will, but this implies a finely targeted attack. Most attackers will ask themselves the question "Where can I get in easily?" rather than "How do I get in here?"

>Brett

Shaun.

--
Shaun Lowry           | March Systems Ltd., http://www.march.co.uk/
PGP Key available     | 14 Brewery Court, High St.,
from key servers or   | Theale, UK. RG7 5AJ
via e-mail on request | +44 1734 304224
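The "hopefully won't go unnoticed" point above rests on the defender actually watching for the failed-login volume an online dictionary attack produces. As an added illustration, not part of the thread, here is a small detector that reads syslog-style sshd lines and flags any source whose failed logins reach a threshold within a sliding window; the log format, the sample lines, and the threshold and window values are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (syslog-style sshd lines); not real traffic.
SAMPLE_LOG = """\
Jan 12 03:14:01 host sshd[812]: Failed password for alice from 203.0.113.9 port 4122
Jan 12 03:14:03 host sshd[812]: Failed password for alice from 203.0.113.9 port 4123
Jan 12 03:14:04 host sshd[812]: Failed password for alice from 203.0.113.9 port 4124
Jan 12 03:14:06 host sshd[812]: Failed password for alice from 203.0.113.9 port 4125
Jan 12 03:14:07 host sshd[812]: Failed password for alice from 203.0.113.9 port 4126
Jan 12 03:20:10 host sshd[901]: Failed password for bob from 198.51.100.4 port 5001
Jan 12 03:45:00 host sshd[955]: Accepted password for bob from 198.51.100.4 port 5002
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: Failed password for <user> from <src> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, user, source) for each failed-login line; syslog
    timestamps carry no year, so one is supplied (assumed here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def find_guessing_sources(text, threshold=5, window_s=60):
    """Return {source: (failures_in_window, attempts_per_second)} for every
    source whose failures inside any window_s-second span reach threshold.
    Threshold and window are assumed tuning values, not thread facts."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, _user, src in sorted(parse_failures(text)):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop aged-out entries
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            span = max((q[-1] - q[0]).total_seconds(), 1.0)
            flagged[src] = (len(q), round(len(q) / span, 2))
    return flagged

if __name__ == "__main__":
    for src, (count, rate) in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} failures, ~{rate} attempts/s")
```

The reported attempts-per-second figure is what lets you relate an observed burst back to how long a wordlist of a given size would take to exhaust against the daemon.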