===Rate at which an attacker can try guessed passwords===
The rate at which an attacker can submit guessed passwords to the system is a key factor in determining system security. Some systems impose a time-out of several seconds after a small number (e.g., three) of failed password entry attempts, also known as throttling.<ref name="NIST-SP-800-63-3" /> {{rp|63B Sec 5.2.2}} In the absence of other vulnerabilities, such systems can be effectively secure with relatively simple passwords if they have been well chosen and are not easily guessed.<ref>Stuart Brown {{cite web |url=http://www.modernlifeisrubbish.co.uk/top-10-most-common-passwords.asp |title=Top ten passwords used in the United Kingdom |access-date=14 August 2007 |url-status=dead |archive-url=https://web.archive.org/web/20061108094949/http://www.modernlifeisrubbish.co.uk/top-10-most-common-passwords.asp |archive-date=8 November 2006 }}. Modernlifeisrubbish.co.uk (26 May 2006). Retrieved on 2012-05-20.</ref>

Many systems store a [[Cryptographic hash function|cryptographic hash]] of the password. If an attacker gets access to the file of hashed passwords, guessing can be done offline, rapidly testing candidate passwords against the true password's hash value. In the example of a web server, an online attacker can guess only at the rate at which the server will respond, while an offline attacker (who gains access to the file) can guess at a rate limited only by the hardware on which the attack is running and the strength of the algorithm used to create the hash. Passwords that are used to generate cryptographic keys (e.g., for [[disk encryption]] or [[Wi-Fi]] security) can also be subjected to high-rate guessing, known as [[password cracking]]. Lists of common passwords are widely available and can make password attacks efficient. Security in such situations depends on using passwords or passphrases of adequate complexity, making such an attack computationally infeasible for the attacker.
Some systems, such as [[Pretty Good Privacy|PGP]] and [[Wi-Fi Protected Access|Wi-Fi WPA]], apply a computation-intensive hash to the password to slow such attacks, in a technique known as [[key stretching]].
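
The two defences described in this section, throttling after three failed attempts and key stretching of the stored hash, can be combined in one verifier. The following is an added example and not part of the original article; the class and function names, the 5-second time-out, the iteration count and the choice of PBKDF2-HMAC-SHA256 as the stretching function are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3        # "a small number (e.g., three)" from the text
TIMEOUT_SECONDS = 5.0   # assumed value for "several seconds"
ITERATIONS = 200_000    # assumed PBKDF2 work factor (key stretching)


class ThrottledVerifier:
    """Stores salted, stretched password hashes and throttles failed guesses."""

    def __init__(self, clock=time.monotonic, iterations=ITERATIONS):
        self._clock = clock          # injectable so the policy can be tested
        self._iterations = iterations
        self._records = {}           # user -> (salt, stretched hash)
        self._failures = {}          # user -> consecutive failed attempts
        self._locked_until = {}      # user -> clock time when guessing resumes

    def _stretch(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._stretch(password, salt))

    def verify(self, user, password):
        """Return 'ok', 'denied' or 'throttled'."""
        now = self._clock()
        if now < self._locked_until.get(user, 0.0):
            return "throttled"       # the guess is not evaluated at all
        salt, expected = self._records.get(user, (b"\0" * 16, b""))
        candidate = self._stretch(password, salt)  # same cost for unknown users
        if user in self._records and hmac.compare_digest(candidate, expected):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + TIMEOUT_SECONDS
            self._failures[user] = 0
        return "denied"


def max_online_guesses(seconds):
    """Upper bound on guesses one account evaluates in `seconds` under this policy."""
    windows = int(seconds // TIMEOUT_SECONDS) + 1
    return windows * MAX_FAILURES
```

Under these assumed settings one account evaluates at most 51,843 online guesses per day, whereas an offline guesser holding the stored hash is limited only by the cost of the 200,000 PBKDF2 iterations per candidate.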