RE: UNIX password auditing tool and the search for dictionaries too

["kenkousky" <kkousky () ip3inc com>]

Before you go too far with strong passwords, remember, they do more harm
than good in most cases. You trust your money to a four digit pin so
think about strong authentication, not strong passwords. Two factor can
be done with a variety of inexpensive technologies.

Strong passwords are the number one source of denial of service in most
environments due to the frequent false reject problem that occurs when
users can't keep up with frequent changes and strong password. They're
also one of the highest costs for security since it's the number one
task for help desks and sys admins to support.

It's important to understand that most password attacks are not cracking
the password encryption or hashes. In fact, that's still a very
difficult task. The common password exploit on weak passwords is to run
a large dictionary through the selected hash algorithm and then simple
look up the captured hash values in the dictionary. 

A recent U of M exploit was a simple, inline keystroke logger. For the
social engineer or thief, most desktops come with files on the desktop
of passwords - beats the old post-it-note problem since most users
simply have too many passwords for a single sheet of paper to work.

The problem with weak passwords is mostly about using a weak
handshaking, passing simple hashes rather than well encrypted passwords
and keeping hash values accessible. 

In terms of dictionaries, I think the aggressive approach would include
concatenations and number and special character injections into the
words. In more secure environments, were users are battered with monthly
password changes they usually inject the numeric value for the month
somewhere in a common word. But the point is, it's not too difficult to
build a really big database of words with special character and numeric
injections, run them through the hash algorithm and have a table to
check for matches.

Dictionaries should also be modified for upper and lower case
variations.


I'd like to hear from others about the password vulnerabilities they're
seeing in non NT server environments.

"strong passwords are an oxymoron"

KWK

-----Original Message-----
From: Shane Lahey [mailto:s.lahey () roadrunner nf net] 
Sent: Monday, August 04, 2003 7:38 PM
To: james.easterling () ed gov; security-basics () securityfocus com
Subject: RE: UNIX password auditing tool

Alec Muffett Crack :: http://www.crypticide.org/users/alecm/

> -----Original Message-----
> From: james.easterling () ed gov [mailto:james.easterling () ed gov]
> Sent: Monday, August 04, 2003 4:39 PM
> To: security-basics () securityfocus com
> Subject: UNIX password auditing tool
>
>
>
> I have tried searches for UNIX password cracking tools and I have come
up
> with little value.  Can someone direct me to passwd auditing tools
> besides "John The Ripper" that are free or cost?
>
> Regards,
> James
------------------------------------------------------------------------
--
> -
------------------------------------------------------------------------
--
> --



------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
----------------------------------------------------------------------------