[cap-talk] password capability length

coderman coderman at gmail.com
Tue Jan 3 19:55:01 EST 2006


On 1/3/06, Neal H. Walfield <neal at walfield.org> wrote:
> ...
> I'm relatively convinced that password capabilities are the wrong
> approach but I want to more strongly justify the decision that a
> protected capability system is the right approach.

From the purely practical aspect of things, you can demonstrate the
weakness of poor passwords using rainbow tables (for attackable
digest/salt methods) and dictionary attacks on a distributed network.
This may be pursued offline and does not require continuous access to
the target/host for certain types of password authentication.

For situations where you want to make recovery of the password difficult
even with compromised servers and other attack methods, you might look
at password-authenticated key agreement mechanisms with strong
password protection:
  http://en.wikipedia.org/wiki/Password-authenticated_key_agreement

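The offline attack the post describes, as an added example that is not part of the original message. It builds a precomputed digest-to-password table (the idea a rainbow table compresses) and runs it against an unsalted SHA-256 store, then shows that a per-user random salt defeats the table but not a per-user dictionary pass. The wordlist, the three users and the SHA-256 digest schemes are constructed for the demo and are assumptions, not anything the cap-talk thread specifies.

```python
"""Offline attacks on stored password digests (constructed demo)."""
import hashlib
import os

HASH_CALLS = 0  # number of digest computations the attacker has spent


def _sha256_hex(data: bytes) -> str:
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.sha256(data).hexdigest()


def unsalted_digest(password: str) -> str:
    return _sha256_hex(password.encode())


def salted_digest(password: str, salt: bytes) -> str:
    return _sha256_hex(salt + password.encode())


# Constructed data: a toy wordlist and three users, two with dictionary words.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "dragon", "123456"]
USERS = {"alice": "hunter2", "bob": "letmein",
         "carol": "correct horse battery staple"}


def make_unsalted_store(users):
    """Server keeps only SHA-256(password): the attackable digest method."""
    return {u: unsalted_digest(p) for u, p in users.items()}


def make_salted_store(users, salt_len=16):
    """Server keeps (salt, SHA-256(salt || password)), fresh salt per user."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        store[u] = (salt, salted_digest(p, salt))
    return store


def build_lookup_table(wordlist):
    """One-time precomputation of digest -> password. A rainbow table is the
    space-compressed form of this; it is reusable against every unsalted
    store ever captured, so the cost is paid once, not per target."""
    return {unsalted_digest(w): w for w in wordlist}


def crack_with_table(unsalted_store, table):
    """Pure offline lookup: zero digest computations, no contact with host."""
    return {u: table[d] for u, d in unsalted_store.items() if d in table}


def crack_salted_by_dictionary(salted_store, wordlist):
    """The salt makes the precomputed table useless, but each user still
    costs only one pass over the dictionary; a weak password still falls."""
    found = {}
    for u, (salt, d) in salted_store.items():
        for w in wordlist:
            if salted_digest(w, salt) == d:
                found[u] = w
                break
    return found


def demo():
    """Run both attacks; return (found_unsalted, found_salted,
    table_hits_on_salted, digests_spent_on_salted_attack)."""
    global HASH_CALLS
    unsalted = make_unsalted_store(USERS)
    salted = make_salted_store(USERS)
    table = build_lookup_table(WORDLIST)
    HASH_CALLS = 0  # count only what the attacker spends after precomputation
    found_unsalted = crack_with_table(unsalted, table)
    # The table never matches a salted digest (salts are 128 random bits).
    table_hits_on_salted = {u: table[d] for u, (_, d) in salted.items()
                            if d in table}
    found_salted = crack_salted_by_dictionary(salted, WORDLIST)
    return found_unsalted, found_salted, table_hits_on_salted, HASH_CALLS


if __name__ == "__main__":
    fu, fs, hits, calls = demo()
    print("unsalted store, table lookup:", fu)
    print("salted store, table lookup:  ", hits)
    print("salted store, dictionary:    ", fs, "using", calls, "digests")
```

Both attacks recover alice's and bob's dictionary words and neither recovers carol's passphrase, which is the practical point about poor passwords. Salting only removes the one-time precomputation advantage; replacing the fast SHA-256 with a deliberately slow, memory-hard function raises the per-guess cost but still does not save a password that sits in the wordlist. A PAKE changes what an eavesdropper learns (nothing usable for offline guessing), but with an augmented PAKE the verifier a compromised server leaks remains subject to the same dictionary pass shown here, so password strength still matters.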