Security Basics mailing list archives
RE: Password Cracking
From: "Kenton Smith" <ksmith () chartwelltechnology com>
Date: Fri, 17 Sep 2004 16:02:30 -0600
No, these password cracking utils aren't trying to log on, they're running against your Windows password DB or your Unix password/shadow files. Therefore, account policies have nothing to do with it. Also, anyone trying to crack passwords illegally (i.e. hacking) isn't going to use your machine. They're going to grab the necessary files and use their own machine on their own time.

There are a couple of things that have confused me about this thread and so I decided to jump in. What is the purpose of the password cracking? Are you just trying to audit for policy compliance or are you trying to get a password for a user who has forgotten their password?

If you are auditing for compliance, you don't need to crack everyone's password. You only need to crack the ones that aren't in policy compliance. This can usually be done fairly quickly and easily.

If you are trying to crack a password because the user has forgotten theirs, you may be going for a while if the password is a good one.

If you're just trying to crack passwords for the heck of it, you'll always be able to crack it eventually; all you need is time and a powerful computer. No password is uncrackable. That's what brute force cracking is all about: it will try every available combination until it is successful. That might be 2 hours, 2 months, or 2 years, but it'll crack it eventually.

Kenton

-----Original Message-----
From: James McGee [mailto:J.McGee () syn-tec com]
Sent: Thursday, September 16, 2004 4:28 PM
To: tman () ollopa com; xyberpix
Cc: Fabio Miranda Hamburger; simont () pop co za; Security Basics[List]
Subject: RE: Password Cracking

But one thing to remember is that any decent password and account policy will have the user accounts locked out after 3/5/10 failed attempts, and your monitoring and logging system will pick it up. Won't it?
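The distinction Kenton draws (an offline check of the credential store versus online logon attempts, and auditing only for policy violations rather than recovering every password) can be shown in a small script. The following is an added example, not code from the thread or from any list member. It uses constructed sample data and a simplified salted SHA-512 record format as a stand-in for real shadow or SAM entries; the `make_sample_shadow`, `audit` and `brute_force_worst_case_seconds` names are this example's own. Because the audit only hashes candidate words and compares digests, it never touches the logon path, so lockout thresholds and failed-logon monitoring are not involved, which is exactly why those controls do not stop offline cracking.

```python
"""Offline password-policy audit (constructed example).

Checks each account's stored hash against a short list of passwords the
policy forbids (common passwords and username-derived strings). No logon
is attempted, so account lockout never triggers; that is the point Kenton
makes about why lockout policy is irrelevant to offline cracking.
"""
import hashlib

# Assumption: a simplified record format "user:salt:sha512(salt + password)".
# Real shadow/SAM stores use different formats; this is only a stand-in.
def hash_password(password: str, salt: str) -> str:
    return hashlib.sha512((salt + password).encode("utf-8")).hexdigest()


def make_sample_shadow() -> list[str]:
    """Constructed sample credential store (not real data)."""
    plaintexts = {
        "alice": "Tr0ub4dor&3xyz!",   # compliant: not in any forbidden list
        "bob": "password",            # forbidden common password
        "carol": "carol",             # password equals username
        "dave": "Summer2004",         # forbidden seasonal password
    }
    lines = []
    for i, (user, pw) in enumerate(plaintexts.items()):
        salt = f"s{i:02d}"
        lines.append(f"{user}:{salt}:{hash_password(pw, salt)}")
    return lines


def parse_shadow(lines: list[str]) -> list[tuple[str, str, str]]:
    """Split 'user:salt:digest' records into tuples."""
    entries = []
    for line in lines:
        user, salt, digest = line.strip().split(":")
        entries.append((user, salt, digest))
    return entries


# Constructed policy list; a real audit would load the organisation's own.
FORBIDDEN_COMMON = ["password", "123456", "letmein", "Summer2004", "Welcome1"]


def policy_candidates(user: str) -> list[tuple[str, str]]:
    """Candidates the policy forbids, each paired with the violation reason."""
    cands = [(w, "common password") for w in FORBIDDEN_COMMON]
    derived = (user, user.capitalize(), user + "1", user + "123")
    cands += [(v, "derived from username") for v in derived]
    return cands


def audit(entries: list[tuple[str, str, str]]) -> dict[str, str]:
    """Return {user: reason} for every account whose hash matches a
    forbidden candidate. Compliant accounts are simply not reported; their
    passwords are never recovered, which is all a compliance audit needs."""
    findings = {}
    for user, salt, digest in entries:
        for candidate, reason in policy_candidates(user):
            if hash_password(candidate, salt) == digest:
                findings[user] = reason
                break
    return findings


def brute_force_worst_case_seconds(charset_size: int, length: int,
                                   guesses_per_second: float) -> float:
    """Keyspace divided by guess rate: the time bound after which an
    exhaustive search is guaranteed to have tried every combination."""
    return (charset_size ** length) / guesses_per_second


if __name__ == "__main__":
    results = audit(parse_shadow(make_sample_shadow()))
    for user, reason in sorted(results.items()):
        print(f"{user}: NOT compliant ({reason})")
    # Assumed figures for illustration: 95 printable ASCII chars, length 8,
    # one billion guesses per second.
    days = brute_force_worst_case_seconds(95, 8, 1e9) / 86400
    print(f"worst case for 8 printable chars at 1e9/s: {days:.1f} days")
```

Running it reports bob, carol and dave as non-compliant and leaves alice alone; the brute-force bound simply divides keyspace by rate, which is the "time and a powerful computer" calculation Kenton refers to, with length and character set being the only levers a password policy controls.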