RE: UNIX password auditing tool and the search for dictionaries too

["Tomas Wolf" <tomas () skip cz>]

I would like to note a little about the security of 4 digit pin... I believe that author wanted to point out that 
thanks to the fact, that you can't try the 4 digit number more than three times at a time - which makes it a pretty 
strong system, not that 4 digit is a strong password.
Of course who has the time, can go from ATM to ATM and try two passwords at the time to bruteforce it, but that is 
almost impossible to achieve (since anybody responsible who looses any type of financial card usualy reports it the 
same day). We have four digits with possible ten variants = 10 on the fourth power = 10.000 possibilities that is 
(divided by two tries per card insertion) 5.000 maximum tries, which gives us 2.500 average tries to get the right pin 
(approx. 1.250 card insertion of two tries)... And let's get the theory little further, let say that each insertion 
takes 15 seconds, that is 1.250x15 =  18.750 second = 312.5 minutes = 5.208~ hrs. of actuall interaction with ATM... 
Well maybe for a student :-)
I believe that security is always a trade off. To have top noch security one has to count with a lot of expenses with 
training people to understand and use the craft of security. Not many end users a willing to authenticate more than one 
time, they need to work and not to worry about IT stuff, that is why we are here, or am I wrong?
But there is always more, isn't there? :-)

Good luck to you all...
Tomas


> > Before you go too far with strong passwords, remember, they do more
> harm
> > than good in most cases. You trust your money to a four digit pin so
> > think about strong authentication, not strong passwords. Two factor can
> > be done with a variety of inexpensive technologies.
>
> Are you kidding me, you are under the impression that a 4 digit pin is
> secure?  I for one have no illusions about how insecure a 4 digit pin
> actually is!  Whatever security is provided by said 4 digit pin is more
> related to that fact that there are not freely available pin cracking
> tools for ATM machines...as there are password cracking tools.
>
> > Strong passwords are the number one source of denial of service in most
> > environments due to the frequent false reject problem that occurs when
> > users can't keep up with frequent changes and strong password. They're
> > also one of the highest costs for security since it's the number one
> > task for help desks and sys admins to support.
>
> As a help desk supervisor, I assure you that the related cost of time
> and money supporting the reset of passwords is minimal and therefore a
> small price to pay for increased security.
>
> ...
>
> > In terms of dictionaries, I think the aggressive approach would include
> > concatenations and number and special character injections into the
> > words. In more secure environments, were users are battered with
> monthly
> > password changes they usually inject the numeric value for the month
> > somewhere in a common word. But the point is, it's not too difficult to
> > build a really big database of words with special character and numeric
> > injections, run them through the hash algorithm and have a table to
> > check for matches.
>
> If someone were in an environment where they must change their password
> monthly...they are probably using the wrong technology.  Perhaps a
> combination of different layers would be a better solution to monthly
> changes.
>
> ...
>
> -----Original Message-----
> From: Shane Lahey [mailto:s.lahey () roadrunner nf net]
> Sent: Monday, August 04, 2003 7:38 PM
> To: james.easterling () ed gov; security-basics () securityfocus com
> Subject: RE: UNIX password auditing tool
>
> Alec Muffett Crack :: http://www.crypticide.org/users/alecm/
>
> > -----Original Message-----
> > From: james.easterling () ed gov [mailto:james.easterling () ed gov]
> > Sent: Monday, August 04, 2003 4:39 PM
> > To: security-basics () securityfocus com
> > Subject: UNIX password auditing tool
> >
> >
> >
> > I have tried searches for UNIX password cracking tools and I have come
> up
> > with little value.  Can someone direct me to passwd auditing tools
> > besides "John The Ripper" that are free or cost?
> >
> > Regards,
> > James
> ------------------------------------------------------------------------
> --
> > -
> ------------------------------------------------------------------------
> --
> > --
>
>
>
> ------------------------------------------------------------------------
> ---
> ------------------------------------------------------------------------
> ----
>
>
> ------------------------------------------------------------------------
> ---
> ------------------------------------------------------------------------
> ----
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------