04-10-2007, 01:12 PM
Humpy Leftnut
Confirmed User
 
Join Date: Apr 2007
Posts: 1,292
You're right that if you use a simple, or even complex algorithm to generate a "key" or password, and have enough of these generated passwords, a good cracker can figure out the system.

But the thing with security is that anything is breakable, it's just how hard, time consuming and expensive it is to crack. Kind of like car thieves, they go for easy targets, they don't want to stand outside a car for hours pondering ways to get in. If it's not easy, they will move on.

So if I have your user name, and you have a 4 digit password, it only takes a standard computer a few minutes, if that, to run *every* possible 4 letter password that could exist: a, b, aa, bb, ab, and so on. If you add capital letters and numbers, the possibilities are more.

However if you're looking at an 8 or 9 digit password, we're talking days to figure it out, and probably impossible through a web form without getting all your proxies blocked.

If you don't like the idea of randomly generating passwords, I'd suggest just forcing them to make it at least 8 characters long, and have a capital letter and number in it.

More of you should use Strongbox, it sounds like this guy knows what he's doing, and while form based attempts are indeed crackable, you're again cutting down the number of people willing to put in the time. Most password crackers have very little knowledge of this stuff, they're not the same people that are going to break in, deshadow your password file or decrypt your forced password algo. They're probably 15-year-old kids playing with a password cracking Windows program and some proxies.
__________________
Humpy Leftnut - Pornsumer Reviews