Security Basics mailing list archives
Re: Password Cracking
From: GuidoZ <uberguidoz () gmail com>
Date: Mon, 13 Sep 2004 12:43:57 -0400
A very good (and correct) observation Andy. I've also run into the same problems, even with smaller user bases. As long as you have a user, you'll likely run into such a problem. In fact, due to this reason, I mentioned what I did in my last paragraph. There are ways to turn easy to remember passwords into more secure passwords, and all the user has to remember is a simple swap. Suddenly a password that is easy to guess becomes a strong password. Most people can remember a date/name, and combining multiples of such can make for good passwords as well. Say you have 3 cats with the names Snowball, Pepper, and Bob. Make your password like "Snowball1Pepper2Bob3" or something to that effect. It's easy for the person to remember, yet would be difficult for someone to guess. Or, combine your pet's name with a birthday/anniversary. (Like SnowballOctober10,1977) It will add a cushion to the password, making it harder to guess. (Much like adding salt to an MD5 hash will help mask it.) I've found this to be quite useful in helping users to remember their passwords, as well as keeping the ever lolvely "post-it note on the monitor with the password" at bay... -- Peace. ~G On Mon, 13 Sep 2004 15:50:16 +0100, Andrew Shore <andrew.shore () holistecs com> wrote:
I think one issue that is being over looked here is the networks weakest point, the users. I have worked for many large (in terms of user base) companies and the biggest problem is to first explain how to create a complex password and the second is to get them to remember it. When ever I have tried to get strong passwords into an organisation the first problem is the huge increase in users calling the helpdesk because they've forgotten the password, with all the identification issues that generates. Then there is the scrap of paper under the keyboard because the new passwords are "too hard" If you work in a very secure environment you have to use some form of strong authentication, probably a two factor solution, but this can not be rolled out for the masses (cost!) So a line has to be drawn. I don't have the answer but I know from bitter experience the costs of tying down general user passwords too far. Just my 2 cents Andy -----Original Message----- From: Über GuidoZ [mailto:uberguidoz () gmail com] Sent: 11 September 2004 19:30 To: Teo Gomez Cc: Andrew Shore; Simon Zuckerbraun; security-basics () securityfocus com Subject: Re: Password Cracking While it's true that "October10,1977" is a strong password by most rules, I'd beg to differ that it is a good password. Due to the ease of social engineering, it may not be. I, for one, will test common dates (birthdays, anniversaries, etc) in all forms first, when looking for a password. (All forms means backwards, forwards, short hand, long hand, etc). Most people use these as passwords since they are easy to remember. The next step when using "trial-and-error" method is names of those close to them (family, loved ones, pets, etc). You may be surprised how easy it is simply guess a password when you try. If you would like to use something easy to remember, try at least swapping something around, but not in a usual way. Like make it "Rctobeo" (swapped the O and R) or "7197" (instead of 1977)... something to that effect. I usually don't try those types of swaps until I use a brute force method. On a side note, while it's better then nothing, and adding a "1" to a name isn't a way to secure it either. =P I will try that 3rd. On Fri, 10 Sep 2004 14:23:17 -0400, Teo Gomez <tgomez () ubiquitelpcs com> wrote:Even enforcing complex passwords does not guarantee that passwords be 'strong.' For example, October20,1977 is my birthday, and is a strong password. Try and get users to use pass phrases instead of passwords. For example, My cat's hair is blue, is a complex pass phrase. Teo -----Original Message----- From: Andrew Shore [mailto:andrew.shore () holistecs com] Sent: Wednesday, September 08, 2004 4:37 AM To: Simon Zuckerbraun; security-basics () securityfocus com Subject: RE: Password Cracking Depending up on the servers strong passwords can be enforced. NT4 SP4 and Win2k AD support this as do most Linux distributions. That way you don't need to check the passwords. -----Original Message----- From: Simon Zuckerbraun [mailto:szucker () sst-pr-1 com] Sent: 05 September 2004 04:05 To: security-basics () securityfocus com Subject: RE: Password Cracking If I understand correctly, LC is capable of doing what you're asking. Simon -----Original Message----- From: Eoin Fleming [mailto:rtfm () o2 ie] Sent: Friday, August 27, 2004 4:44 PM To: security-basics () securityfocus com Subject: Password Cracking Bit of an unusual one - Lets imagine you are a security administrator at a company - strong passwords are enforced but you suspect that there may be exceptions and you want to raise management awareness of breaches of the password policy BUT you can't run cracking software as then you will know individuals passwords - which you don't want to know as this breaks acountability rather nicely. In short - is there software that can perform the function of LC and John without giving the admin the password but rather rate the password against against a set criteria?
--------------------------------------------------------------------------- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ----------------------------------------------------------------------------
Current thread:
- RE: Password Cracking, (continued)
- RE: Password Cracking Sadler, Connie (Sep 10)
- RE: Password Cracking Michael Shirk (Sep 11)
- Re: Password Cracking Steve (Sep 13)
- Re: Password Cracking Miles Stevenson (Sep 18)
- Re: Password Cracking Steve (Sep 13)
- RE: Password Cracking Andrew Shore (Sep 13)
- RE: Password Cracking Jonathan Loh (Sep 15)
- Re: Password Cracking Dave Aronson (Sep 18)
- RE: Password Cracking Nick Owen (Sep 15)
- RE: Password Cracking William Baglivio (Sep 15)
- RE: Password Cracking easternerd (Sep 23)
- Re: Password Cracking GuidoZ (Sep 15)
- Re: Password Cracking David J. Bianco (Sep 16)
- RE: Password Cracking Jonathan Loh (Sep 15)
- RE: Password Cracking Bénoni MARTIN (Sep 16)
- RE: Password Cracking James McGee (Sep 16)
- Re: Password Cracking Steve (Sep 17)
- RE: Password Cracking Kenton Smith (Sep 17)
- RE: Password Cracking Kenton Smith (Sep 19)
- RE: Password Cracking Dave Aronson (Sep 22)