Home page logo

pen-test logo Penetration Testing mailing list archives

Re: looking for a webapp bruteforce video for non-techies
From: "Robin Wood" <dninja () gmail com>
Date: Tue, 3 Jun 2008 17:08:02 +0100

2008/6/3 Martin O'Neal <martin.oneal () corsaire com>:

It didn't help that the password was only 5

That may not actually be such a bad password (on balance and in
context).  Sure it is a dictionary/leet word variant, but five
characters actually carry plenty of entropy (if mixed case and numerics
are also used).  However, if you have an authentication mechanism that
doesn't lock out an account and *allows* brute forcing, it doesn't
really matter how strong the password is; given enough
universe-lifetimes an attacker will always guess it eventually.

Trust me, it is a VERY bad password in these circumstances!


This list is sponsored by: Cenzic

Top 5 Common Mistakes 
in Securing Web Applications  
Find out now! Get Webinar Recording and PPT Slides


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]