Security Basics mailing list archives
RE: Password Cracking
From: "James McGee" <J.McGee () syn-tec com>
Date: Thu, 16 Sep 2004 23:27:50 +0100
But one thing to remember is that any decent password and account policy will have the user accounts locked out after 3/5/10 failed attempts, and your monitoring and logging system will pick it up, Won't it? -----Original Message----- From: tman () ollopa com [mailto:tman () ollopa com] Sent: 16 September 2004 04:57 To: xyberpix Cc: Fabio Miranda Hamburger; simont () pop co za; Security Basics[List] Subject: Re: Password Cracking I create two accounts today. Test1 with the password noted below ( k;!p-__f, ) and Test2 with the password 4U_'Tis_a_long_password. LC4 cracked Test1 in 4h17m39s. It has not yet cracked Test2. I suspect that it will take almost 3 weeks ( LC4 is saying it will take 19d20h... ). Past experience tells me that it will crack it. So, knowing that every password can be broken ( its just a matter of time ) I'm now an advocate of one time passwords ( like RSA SecurID ). I had been an advocate of PKI but having seen the the use of keyboard loggers to compromise an enterprise's PKI infrastructure, I'm now off that bandwagon. T
Hi Fabio, With enough time you can crack all passwords, regardless of what they are. I won't argue that in 24h, you probably wouldn't be able to crack something like k;!p-__f, but hey, I've added those three to my custom passwd lists. :-) Also, I make a general rule of generating custom passwds at least once
a
week to add to various lists, it just makes it easier. xyberpix On Wed, 2004-09-15 at 18:44, Fabio Miranda Hamburger wrote:To me I've always had great success with LC4 and John, it all
depends
what platform I'm on at the time though, and what dictionary lists
I
have loaded at the time as well, so far I haven't found a passwd
that
Ihaven't been able to crack, yet!You use easy to guess passwords based on letters and numbers. The dicctionary and GECOS generated passwords are weak. If you can crack
all
the passwords that host doesnt have a password policy. Have you cracked passwords like: k;!p-__f "d%g..H# ^ f!)I.. You can make the passwords > 8 digits so you cant really crack all
the
passwords. fabio.-- For Security and Open Source news: http://xyberpix.demon.co.uk
------------------------------------------------------------------------ --- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Computer Forensics Training at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse so that it never happens again. http://www.infosecinstitute.com/courses/computer_forensics_training.html ----------------------------------------------------------------------------
Current thread:
- Re: Password Cracking, (continued)
- Re: Password Cracking Miles Stevenson (Sep 18)
- RE: Password Cracking Andrew Shore (Sep 13)
- RE: Password Cracking Jonathan Loh (Sep 15)
- Re: Password Cracking Dave Aronson (Sep 18)
- RE: Password Cracking Nick Owen (Sep 15)
- RE: Password Cracking William Baglivio (Sep 15)
- RE: Password Cracking easternerd (Sep 23)
- Re: Password Cracking GuidoZ (Sep 15)
- Re: Password Cracking David J. Bianco (Sep 16)
- RE: Password Cracking Jonathan Loh (Sep 15)
- RE: Password Cracking BĂ©noni MARTIN (Sep 16)
- RE: Password Cracking James McGee (Sep 16)
- Re: Password Cracking Steve (Sep 17)
- RE: Password Cracking Kenton Smith (Sep 17)
- RE: Password Cracking Kenton Smith (Sep 19)
- RE: Password Cracking Dave Aronson (Sep 22)