Re: [dev] [PATCH] [ubase] Simplify login

From: Markus Teich <markus.teich_AT_stusta.mhn.de>
Date: Wed, 4 Jun 2014 17:46:40 +0200

Heyho,

FRIGN wrote:
> In which way is a /etc/passwd with hundreds of users less secure than a
> smaller one? Do many hashes in one place magically reduce the overall
> security?

Not precisely. But if you have a large number of users, the probability that one
of them chose a weak common password is higher than for a small set of users.

Say you want to check your u users against the n most common passwords. Let p be
the probability of a user choosing one of the n passwords. Then you have at
least one user with a weak password with a probability of:

1 - (1-p)^u

So with u growing linearly, you have linearly more work to check all users
against the n passwords (assume a unique salt value per user), but exponentially
growing probability of finding a match.

So for systems with large user counts it is easier to find a user with a weak
password, but it does not influence your user account at all if you use a strong
(strong = password is not one of the n most common ones) password.

--Markus
Received on Wed Jun 04 2014 - 17:46:40 CEST
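
The estimate in the message above, worked through as an added example that is not part of the original mail: it evaluates 1 - (1-p)^u, inverts it to find the user count at which a weak account becomes likely, and compares the audit cost with and without per-user salts. The function names and the values p = 0.01 and n = 1000 are assumptions chosen for illustration.

```python
import math
import random

def p_any_weak(p, u):
    """Probability that at least one of u users picked one of the n common passwords."""
    return 1.0 - (1.0 - p) ** u

def users_for_target(p, target):
    """Smallest u for which p_any_weak(p, u) >= target (the formula solved for u)."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))

def audit_hashes(u, n, salted=True):
    """Hash evaluations needed to test u accounts against n candidate passwords.
    With a unique salt per user, every (user, candidate) pair is hashed separately.
    Without salts, each candidate is hashed once and compared against all entries."""
    return u * n if salted else n

def simulate(p, u, trials=20000, seed=1):
    """Monte Carlo check of the formula: fraction of simulated user bases
    that contain at least one user with a common password."""
    rng = random.Random(seed)
    hits = sum(any(rng.random() < p for _ in range(u)) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    p, n = 0.01, 1000  # constructed values, not taken from the mail
    print("users  hashes(salted)  P(at least one weak)  simulated")
    for u in (10, 100, 500, 1000):
        print(f"{u:5d}  {audit_hashes(u, n):14d}  {p_any_weak(p, u):20.4f}"
              f"  {simulate(p, u, trials=2000):9.4f}")
    print("users needed for a 50% chance:", users_for_target(p, 0.5))
```

The salted work column grows in proportion to u, while the chance that no account is weak, (1-p)^u, shrinks geometrically.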
