pkinit and passwords issues

Jeffrey Altman jaltman at secure-endpoints.com
Tue Feb 16 07:35:44 EST 2010


On 2/16/2010 5:20 AM, Sam Hartman wrote:
>>>>>> "Jeffrey" == Jeffrey Altman <jaltman at secure-endpoints.com> writes:
>
>     >> 2) There is no valid password.  In which, the password should not
>     >> be set to expire.
>
>     Jeffrey> Setting a random password and setting it to never expire
>     Jeffrey> results in there being a password that can be brute forced
>     Jeffrey> over a long period of time and used as a backdoor.  It
>     Jeffrey> would be much better if a property on the principal simply
>     Jeffrey> indicated "no password authentication permitted" and be
>     Jeffrey> done with it.
>
>
> Jeff, I completely agree with you that such a property would be
> desirable.  We don't currently have it.  I definitely think it would be
> a step forward.
>
> I'm not really convinced that the brute force concern is valid for AES,
> 3DES or RC4.  I agree it is a significant concern for DES.
>
> --Sam

RC4 or AES only provides additional strength against attacks that assume
all passwords are of equal strength.  Studies by Google and others of the
passwords selected by their user base show that the vast majority of users
select passwords out of a very small subset of the possible values.  A brute
force attack using dictionaries is (in my opinion) a very real concern
regardless of the enctype.

Jeffrey Altman