Security Basics mailing list archives
RE: UNIX password auditing tool and the search for dictionaries too
From: "Tim Heagarty" <tim () heagarty com>
Date: Mon, 11 Aug 2003 09:27:41 -0700
Please pardon me if this has already been covered in this thread, I didn't see the earlier posts on the subject. First the PIN algorithm is widely known and there really is no need for much of a PIN cracker program. Like DES the algorithm is published but the keys are kept secret. If an institution uses a simplistic key, which some do, then it is trivial to derive the natural PIN. However most systems don't use the natural PIN but create an offset that is mod 10 added to the natural PIN to create the number that you remember and don't write down anywhere. Bruteforce is handled in one of two ways on almost all ATM systems. On a "track 3 write" system the PIN retry count is decremented and written onto the card so it counts down and when it hits 0 the bank has the option to perform a card retain or just give it back to you with instructions to go into the bank and take care of the problem. The second method simply records the retry count at the host and the same retain/return decision is made when the retry count is exceeded. Either way there is no bruteforce available beyond three tries. Now if you have a card writer and can keep resetting the retry count or bump it up to 99 to start with you have a slightly greater advantage. You have to properly calculate the LRC on the card too without fudging up the data and having the modified card retained on the first insertion. Thank you, Tim Heagarty CISSP, MCSE Tim at TheaSecure dot com http://www.TheaSecure.com/ "There are only 10 kinds of people in the world, those that understand binary, and those that don't."
-----Original Message----- From: Tomas Wolf [mailto:tomas () skip cz] Sent: Saturday, August 09, 2003 4:04 AM To: Michael Martinez Cc: security-basics () securityfocus com Subject: RE: UNIX password auditing tool and the search for dictionaries too I would like to note a little about the security of 4 digit pin... I believe that author wanted to point out that thanks to the fact, that you can't try the 4 digit number more than three times at a time - which makes it a pretty strong system, not that 4 digit is a strong password. Of course who has the time, can go from ATM to ATM and try two passwords at the time to bruteforce it, but that is almost impossible to achieve (since anybody responsible who looses any type of financial card usualy reports it the same day). We have four digits with possible ten variants = 10 on the fourth power = 10.000 possibilities that is (divided by two tries per card insertion) 5.000 maximum tries, which gives us 2.500 average tries to get the right pin (approx. 1.250 card insertion of two tries)... And let's get the theory little further, let say that each insertion takes 15 seconds, that is 1.250x15 = 18.750 second = 312.5 minutes = 5.208~ hrs. of actuall interaction with ATM... Well maybe for a student :-) I believe that security is always a trade off. To have top noch security one has to count with a lot of expenses with training people to understand and use the craft of security. Not many end users a willing to authenticate more than one time, they need to work and not to worry about IT stuff, that is why we are here, or am I wrong? But there is always more, isn't there? :-) Good luck to you all... TomasBefore you go too far with strong passwords, remember, they do moreharmthan good in most cases. You trust your money to a fourdigit pin sothink about strong authentication, not strong passwords.Two factorcan be done with a variety of inexpensive technologies.Are you kidding me, you are under the impression that a 4digit pin issecure? I for one have no illusions about how insecure a 4digit pinactually is! Whatever security is provided by said 4 digit pin is more related to that fact that there are not freely available pin cracking tools for ATM machines...as there are password cracking tools.Strong passwords are the number one source of denial of service in most environments due to the frequent false reject problem that occurs when users can't keep up with frequent changes and strong password. They're also one of the highest costs for security since it's the number one task for help desks and sys admins to support.As a help desk supervisor, I assure you that the relatedcost of timeand money supporting the reset of passwords is minimal andtherefore asmall price to pay for increased security. ...In terms of dictionaries, I think the aggressive approach would include concatenations and number and special character injections into the words. In more secure environments, were usersare batteredwithmonthlypassword changes they usually inject the numeric value forthe monthsomewhere in a common word. But the point is, it's not toodifficultto build a really big database of words with special character and numeric injections, run them through the hash algorithm and have a table to check for matches.If someone were in an environment where they must change their password monthly...they are probably using the wrong technology. Perhaps a combination of different layers would be a bettersolutionto monthly changes. ... -----Original Message----- From: Shane Lahey [mailto:s.lahey () roadrunner nf net] Sent: Monday, August 04, 2003 7:38 PM To: james.easterling () ed gov; security-basics () securityfocus com Subject: RE: UNIX password auditing tool Alec Muffett Crack :: http://www.crypticide.org/users/alecm/-----Original Message----- From: james.easterling () ed gov [mailto:james.easterling () ed gov] Sent: Monday, August 04, 2003 4:39 PM To: security-basics () securityfocus com Subject: UNIX password auditing tool I have tried searches for UNIX password cracking tools and I have comeupwith little value. Can someone direct me to passwdauditing toolsbesides "John The Ripper" that are free or cost? Regards, James------------------------------------------------------------------------ --------------------------------------------------------------------------- ---------------------------------------------------------------------------- ----------------------------------------------------------------- -------------------------------------------------------------------------------------- ----------------------------------------------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------- ------------- -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: UNIX password auditing tool and the search for dictionaries too kenkousky (Aug 07)
- RE: UNIX password auditing tool and the search for dictionaries too Michael Martinez (Aug 07)
- Re: UNIX password auditing tool and the search for dictionaries too Adam Newhard (Aug 08)
- more on strong passwords - a reply kenkousky (Aug 08)
- RE: UNIX password auditing tool and the search for dictionaries too Nick Owen (Aug 13)
- Re: UNIX password auditing tool and the search for dictionaries too Adam Newhard (Aug 08)
- <Possible follow-ups>
- RE: UNIX password auditing tool and the search for dictionaries too Tomas Wolf (Aug 11)
- RE: UNIX password auditing tool and the search for dictionaries too Tim Heagarty (Aug 11)
- RE: UNIX password auditing tool and the search for dictionaries too Mike Dresser (Aug 11)
- RE: UNIX password auditing tool and the search for dictionaries too Michael Martinez (Aug 07)