It has if it was an administrator's account.
We're not talking about administrator accounts, we're talking about the general user base. If the admins choose to have a password like "123" then there's really no point having passwords at all. So there's a crux - make any account that has admin privileges have password rules.
For important things like banking, it would be inexcusable to say "well they only got into one account so it's ok."
They got into one account that had the password "123". Make a public statement that if you don't want to be hacked, don't use a crass password! It's just common sense. Besides, we're not talking about banking, we're talking about things like the GMC :D
You're assuming the hacker is trying to break into a specific account. Suppose they have a long list of usernames and are just trying to crack one account. All they need is 1 of those 2000 to have a simple enough password, you know it wouldn't even take 2000 users to find one.
Ok, but then what? They still only have access to that one account. And unless it's a high value account, it's really pointless.
My numbers were based on data other sites have compiled about how quickly brute-force attacks can be carried out. I assume that they were also not taking into account network speeds. The actual numbers are not super important to the point, as I'm just trying to demonstrate a principle.
So in a completely theoretical situation, where basic security and bandwidth does not exist, a password can be brute force hacked in under 2 minutes? Why don't we just add that the hacker happens to be looking over the shoulder of the account holder too?
Network speed is a huge factor to take into account, not to mention any kind of account lock that sees a bunch of logins from unknown sources that all tried the password to the max limit before a captcha was shown, and also happened to get every single attempt wrong. Where did this data come from?
We're just talking about the effect password restrictions have on security; other factors are not considered.
Also, you're assuming that a login system wouldn't just stop you from trying that password after even 50 consecutive failed password attempts in the same microsecond.
I think we should be taking other factors into consideration, especially since they have such a large impact. Having a mechanism that blocks your IP for an exponential amount of time after, say, 10 consecutive failed passwords would stop ANY brute force attack.
Even if said hacker hijacked 2000 computers to all pry from different IPs, the account could go into lockdown mode, and only let the IP address on file be allowed to sign in. Maybe even a nice little warning message that says "Your account is receiving pressure" next time the real owner logs in.
I meant any password-restricted file which is accessible without network transfer.
I thought we were talking about website logins lol.
The relative values remain the same. 95,428,956,661,682,176 / 208,827,064,576 = 456,976x as long to crack a 12 char password as compared to an 8-digit. That's the important part.
I disagree. It doesn't matter if it takes 200 tries or 3 billion tries to crack a password if the system stops you at 10 failed attempts.
I set it up to explain why they are requirements and how they do in fact increase security as they're supposed to...
Sure, it increases security! As would requiring direct permission from a third party via phone call to access your house without setting off your alarm. But another important factor you have to take into account here, is convenience.
You have to include a minimum password length or some passwords are bound to be vulnerable to brute-force attacks.
So what if they are? There will always be people who take those risks, despite what precautions are put in place to stop them. So really it's just inconveniencing those that use the system properly, to sort out people who don't care.
Perhaps a solution to this problem would be to educate people on how passwords can be cracked. From this information, people can make their own intelligent decisions on what passwords to use. So if they use what they know is a weak password, they made that decision themselves, and are aware of it.
Edited by Lindion45, 07 December 2015 - 01:11 AM.
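Added example, not code from the thread or from either poster: it reproduces the keyspace arithmetic quoted in the post (26 lowercase letters, 12 chars vs 8 chars, ratio 456,976) and models the "block the source for an exponentially growing time after 10 consecutive failures" policy the reply proposes, to show how many guesses the password check actually evaluates in a day. The threshold, base block time and guess rate are assumptions chosen for illustration.

```python
# Added example (not from the thread): keyspace arithmetic from the post,
# plus a model of the "lock the source after N failures, doubling each time"
# policy it proposes, to show how few guesses ever reach the password check.
import math
from dataclasses import dataclass


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` chars over the alphabet."""
    return alphabet_size ** length


def keyspace_ratio(alphabet_size: int, longer: int, shorter: int) -> int:
    """How many times larger the longer keyspace is (26 letters, 12 vs 8 -> 456,976)."""
    return keyspace(alphabet_size, longer) // keyspace(alphabet_size, shorter)


@dataclass
class ExponentialLockout:
    """Per-source throttle (assumed parameters): after `threshold` consecutive
    failures the source is blocked for base_block_seconds * 2**(previous blocks)."""
    threshold: int = 10
    base_block_seconds: float = 60.0
    failures: int = 0        # consecutive failures since the last success or lock
    blocks: int = 0          # locks issued so far; drives the doubling
    blocked_until: float = 0.0

    def attempt(self, now: float, correct: bool) -> str:
        """Returns 'blocked', 'ok', 'fail' or 'locked' (this failure triggered a block)."""
        if now < self.blocked_until:
            return "blocked"          # rejected without the password being checked
        if correct:
            self.failures = 0
            self.blocks = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.threshold:
            self.failures = 0
            self.blocked_until = now + self.base_block_seconds * (2 ** self.blocks)
            self.blocks += 1
            return "locked"
        return "fail"


def guesses_checked(policy: ExponentialLockout, horizon_seconds: float,
                    guesses_per_second: float = 1000.0) -> int:
    """Simulate one source guessing wrong as fast as it can for the horizon and
    count how many guesses the password check actually evaluated."""
    step = 1.0 / guesses_per_second
    now, checked = 0.0, 0
    while now < horizon_seconds:
        result = policy.attempt(now, correct=False)
        if result != "blocked":
            checked += 1
        # A lock jumps the clock straight to the end of the block; otherwise tick.
        now = policy.blocked_until if result == "locked" else now + step
    return checked


def days_to_exhaust(space: int, guesses_per_day: int) -> int:
    """Days needed to try every password in `space` at the observed daily rate."""
    return math.ceil(space / guesses_per_day)


if __name__ == "__main__":
    print(keyspace(26, 12), keyspace(26, 8), keyspace_ratio(26, 12, 8))
    day = 24 * 3600
    per_day = guesses_checked(ExponentialLockout(), day)
    print("guesses checked per day under lockout:", per_day)      # 110
    print("unthrottled guesses at 1000/s per day:", int(day * 1000))
    print("days to exhaust 8 lowercase chars:", days_to_exhaust(keyspace(26, 8), per_day))
```

The simulation shows the point made in the reply: with the lockout in place a single source gets only 110 guesses checked in a day instead of 86.4 million, so whether the keyspace is 26^8 or 26^12 barely matters for that source. The model is per source, so it also illustrates the other poster's objection: with many sources the checked-guess count scales linearly with the number of sources unless an account-level lock (the "lockdown mode" in the reply) is added on top.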