Originally Posted By: Denis
Okay, when talking about password length/complexity requirements here the focus seems to be website accounts as these appear to be the most likely source of compromise. Am I correct in assuming that the same level of length/complexity would not be required for things like Windows/Active Directory accounts as they are (I'm guessing here) not likely to be open to this type of compromise? What about things like Wi-Fi passwords?


Active Directory passwords should have a high level of complexity if you care about what your password is protecting. There are several ways to extract the hashed passwords from the Domain Controller.

I spent some quality time as a wireless pentester -- it was one of the more enjoyable ways of making money I've ever found. The two most common ways of securing home networks are:

WEP -- In my opinion, WEP is worse than no security whatsoever, as it leads you into thinking that your network might be secure. In the field I have repeatedly cracked WEP keys in about two minutes.

WPA/WPA2 (PSK, Pre Shared Key, or "Personal") -- Here, password length and complexity are critically important, as WPA and WPA2 are subject to brute force attacks. Weak passwords will fall; strong passwords are unlikely to.

For corporate networks, there are a whole mess of wireless security protocols. Some are better than others. WPA2-Enterprise uses 802.1X and is pretty hard to crack. However, unless the corporate network is running wireless intrusion prevention, there's a straightforward way of attacking it by setting up your own wireless access point and stealing authentication credentials from users.
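Added example (Python), not part of the post above or any reply in this thread: it derives the WPA/WPA2-Personal PSK from a passphrase and SSID the way the standard does (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as the salt, 256-bit output) and then scores candidate passphrases. The point it makes concrete is that the passphrase is the only secret input to that derivation, so the network is exactly as strong as the passphrase is hard to guess. The SSID, the candidate passphrases, the guess rate and the verdict thresholds are constructed assumptions for the example, not measurements or values from any standard.

```python
import hashlib
import math
import string

# Constants fixed by the WPA/WPA2-Personal (PSK) standard.
PBKDF2_ITERATIONS = 4096
PSK_LENGTH_BYTES = 32  # 256-bit pairwise master key

# Assumed offline guess rate used for cost estimates: order of magnitude only,
# real hardware varies widely. This is an assumption, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1_000_000.0


def derive_wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the PSK exactly as WPA/WPA2-Personal does: PBKDF2-HMAC-SHA1 over
    the passphrase, salted with the SSID, 4096 rounds, 32 bytes out.
    The SSID is public, so the only secret input is the passphrase."""
    if (not 8 <= len(passphrase) <= 63 or not passphrase.isascii()
            or not passphrase.isprintable()):
        raise ValueError("WPA2-Personal passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LENGTH_BYTES)


def estimate_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy from length and the character classes present.
    Treats the passphrase as if chosen uniformly from that pool; dictionary
    words and keyboard patterns are far weaker than this number suggests."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += len(string.ascii_uppercase)
    if any(c in string.digits for c in passphrase):
        pool += len(string.digits)
    if any(c in string.punctuation for c in passphrase):
        pool += len(string.punctuation)
    return len(passphrase) * math.log2(pool) if pool else 0.0


def years_to_exhaust(bits: float,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate in a 2**bits space at the given rate."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


def assess_passphrase(passphrase: str, ssid: str) -> dict:
    """Policy check for a candidate WPA2-Personal passphrase.
    The verdict thresholds are assumed for this example, not taken from any standard."""
    psk = derive_wpa2_psk(passphrase, ssid)  # raises on out-of-spec input
    bits = estimate_entropy_bits(passphrase)
    if bits < 45:
        verdict = "weak"
    elif bits < 70:
        verdict = "fair"
    else:
        verdict = "strong"
    return {
        "psk_hex": psk.hex(),
        "entropy_bits": round(bits, 1),
        "years_to_exhaust": years_to_exhaust(bits),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed sample inputs: a hypothetical SSID and a few candidate passphrases.
    ssid = "HomeNet-Example"
    for candidate in ("password", "Tr0ub4dor&3", "correct-horse-battery-staple-42"):
        print(candidate, assess_passphrase(candidate, ssid))
```

Two things worth noticing when you run it. First, because the SSID is the salt, a widely used default SSID lets the 4096-round work be done once per SSID and reused, so a distinctive SSID removes that shortcut; it does nothing for a weak passphrase, though, which is why the score is driven by length and character mix alone. Second, the entropy figure is an upper bound that assumes a random choice from the pool; a well-known phrase scores high here and is still a poor choice.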