On 10/10/2012 08:23 AM, Jaikiran Pai wrote:
I never have
understood this specific requirement of passwords being forced to be of
certain type (many sites do it).
The reason for the requirement is to reduce the effectiveness of
dictionary based attacks by stopping the users from using commonly used
words for their password.
For Digest authentication which we are using by default the password is
not transmitted in the clear - however a hash is transmitted and apart
from the password used to generate the hash the rest of the information
used to generate the hash is also visible.
At this point if you want to discover the users password you can try
brute force regenerating the hashes by trying out one candidate password
after another - passwords could be anything so this is a big task,
however if most users are just going to pick a normal word or a name or
something common like that you have a much smaller sample to use to
discover their password by trying each entry in the smaller sample.
This brute force discovery of a password occurs offline and only
requires the hashes from the captured packets so we can't detect that it
is happening so instead a policy is in place to ensure more complex
passwords are chosen - this way the brute force discovery has a much
larger sample of passwords.
Ideally SSL/TLS would still be enabled for these connections which would
prevent even the hashes being seen but compared to BASIC authentication
where capturing one packet gets you the users password this is a step up
as an intermediate step.
I'm not a security expert, but is this "your password has to
case, lower case, digit, special char" requirement really worth it in a
jboss-as7-dev mailing list