Captcha
shmokes:
That's interesting, but definitely doesn't apply to the typical captchas people see where there are two words, one of which is gibberish. Think about it, from what books are they getting these gibberish words? They're not words. Real books contain real words. It makes no sense that when the distorted-almost-beyond-recognition word is "nraljeck" it is coming from a scan of a print book that Google is digitizing. Cos no print books in the world contain the word "nraljeck".
ChadTower:
--- Quote from: shmokes on September 01, 2011, 10:14:41 am ---That's interesting, but definitely doesn't apply to the typical captchas people see where there are two words, one of which is gibberish. Think about it, from what books are they getting these gibberish words? They're not words. Real books contain real words. It makes no sense that when the distorted-almost-beyond-recognition word is "nraljeck" it is coming from a scan of a print book that Google is digitizing. Cos no print books in the world contain the word "nraljeck".
--- End quote ---
You are assuming every captcha served would be coming from a book. If you have millions being served every day it would work best if only a certain percentage were coming from books and the rest are gibberish. That's better security and is still accomplishing the data entry goal.
shmokes:
--- Quote from: ChadTower on September 01, 2011, 10:25:39 am ---
--- Quote from: shmokes on September 01, 2011, 10:14:41 am ---That's interesting, but definitely doesn't apply to the typical captchas people see where there are two words, one of which is gibberish. Think about it, from what books are they getting these gibberish words? They're not words. Real books contain real words. It makes no sense that when the distorted-almost-beyond-recognition word is "nraljeck" it is coming from a scan of a print book that Google is digitizing. Cos no print books in the world contain the word "nraljeck".
--- End quote ---
You are assuming every captcha served would be coming from a book. If you have millions being served every day it would work best if only a certain percentage were coming from books and the rest are gibberish. That's better security and is still accomplishing the data entry goal.
--- End quote ---
Maybe. But that still doesn't account for the fact that it didn't work. Both the easier and the more difficult words need to be entered correctly. Otherwise there wouldn't be so much frustration stemming from failing captchas.
And that comic is great. I sent a super long diatribe to the dean and the IT director of my university for their absurd password policy, explaining how ridiculous it was. The response was more or less, "It is important that we keep up with industry standards."
As ridiculous as that comic paints the powers that be, it's not even taking into consideration the reality of account lockouts. It's pretty damned hard to make 1000 guesses per second when three wrong guesses triggers a 12 or 24 (or even 1) hour lockout. Essentially if a password for a system with account lockout isn't in the dictionary, it is effectively impervious to a brute force attack. Full stop.
edit: spelling, grammar (typed on a touchscreen)
ChadTower:
--- Quote from: shmokes on September 01, 2011, 10:09:02 pm ---As ridiculous as that comic paints the powers that be, it's not even taking into consideration the reality of account lockouts. It's pretty damned hard to make 1000 guesses per second when three wrong guesses triggers a 12 or 24 (or even 1) hour lockout. Essentially if a password for a system with account lockout isn't in the dictionary, it is effectively impervious to a brute force attack. Full stop.
--- End quote ---
That only accounts for user interface challenges. Every enterprise system has a whole lot of other challenges that have no lockout on them. Besides, the whole point is to probe for weaknesses, not to keep hammering away at a single entry point. If one locks out, find and check another. There are only about 1000 entry points into the average small commercial LAN.
shmokes:
Sure, but progressively requiring more and more and more and more complex passwords targets the one entry point we're talking about. Of course you have to worry about someone going to the website and using a buffer overflow or something to force their way in, but forcing at least 8 characters with at least one capital letter that's not the first character, plus at least one symbol, plus at least one number, and then requiring the user to choose a new such password every three months, seems to be almost exclusively aimed at brute force attacks.
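To put numbers on the lockout argument and the complexity policy debated in the last few posts, here is an added Python illustration; it is not code from anyone in the thread. It assumes a 94-character printable ASCII alphabet with 32 symbols, the 1000 guesses per second and three failures per 12-hour lockout from the posts above, and counts only passwords of exactly the minimum length.

```python
"""Worked numbers for the lockout-vs-brute-force argument in this thread.
Added illustration, not code from the thread; all figures are assumptions."""

SECONDS_PER_YEAR = 365 * 24 * 3600

def policy_space(length=8, upper=26, lower=26, digit=10, symbol=32):
    """Count passwords of exactly `length` characters that meet the policy quoted
    in the thread: a capital that is not the first character, a symbol and a digit.
    Inclusion-exclusion over the three 'missing class' events: no capital after
    position 1, no symbol anywhere, no digit anywhere.  Class sizes are parameters
    so the count can be checked by hand on a tiny alphabet; 32 symbols (printable
    ASCII punctuation) is an assumption."""
    alphabet = upper + lower + digit + symbol
    total = 0
    for miss_upper in (False, True):
        for miss_symbol in (False, True):
            for miss_digit in (False, True):
                removed = miss_symbol * symbol + miss_digit * digit
                first = alphabet - removed                    # a capital may lead
                rest = alphabet - removed - miss_upper * upper
                odd = (miss_upper + miss_symbol + miss_digit) % 2
                total += (-1 if odd else 1) * first * rest ** (length - 1)
    return total

def lockout_rate(max_failures=3, lockout_hours=12):
    """Sustained online guess rate (guesses/second) against one account when
    `max_failures` wrong attempts lock it for `lockout_hours`."""
    return max_failures / (lockout_hours * 3600)

def years_to_exhaust(space, guesses_per_second):
    """Years needed to try every candidate in `space` at a constant rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def compare(length=8, unthrottled_rate=1000.0):
    """The thread's scenario: 1000 guesses/second with no lockout versus three
    failures per 12-hour lockout, against the full policy-compliant space."""
    space = policy_space(length)
    return {
        "space": space,
        "years_unthrottled": years_to_exhaust(space, unthrottled_rate),
        "years_with_lockout": years_to_exhaust(space, lockout_rate()),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:,.0f}")
```

The lockout figure applies to one account through the login form only; it says nothing about guessing against a copy of the password hashes, which is the point ChadTower raises about other entry points.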