Security Basics mailing list archives
Re: ADS Password Storage Protection
From: "Stephen John Smoogen" <smooge () gmail com>
Date: Wed, 19 Jul 2006 10:41:16 -0600
On 7/18/06, Depp, Dennis M. <deppdm () ornl gov> wrote:
> Do you audit for attempts using brute force to guess passwords? What you are describing is a brute force password attempt using well known pass phrases. A better pass phrase might be something personal like: "I have three children and a beautiful wife who stands 5' 7"." This will be difficult to guess and will not be found in Bartlett's Book of Quotations.
In the end, it comes down to what you are trying to protect and how much you are going to protect it. Having done a lot of brute-force password checking with phrases and such... it was pretty quick (I think about 48 hours) to find "The Cat in the Hat is Back" through a long list of various phrases and words. However, all it took was to misspell Hat as Hta and it took functionally longer than I wanted to wait for the secondary dictionary attacks (misspellings, changing e->3, etc.) to find it.

I would say that having a phrase+complexity test is good advice. The complexity test can be the addition of numbers, special characters, etc. that are not at the beginning and end of the phrase, and there are several 'modules' prewritten for many password programs to test for this.

However, my main advice for a site that is looking for better security is to use one-time passwords, lockouts, and end-to-end authentication. A one-time password system usually requires some sort of 'two-factor' device (SecurID, CRYPTOCard, etc.) and helps make it so that the password is not guessable.

-- 
Stephen J Smoogen.
CSIRT/Linux System Administrator
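The phrase+complexity test Stephen describes, written out as a small policy checker. This is an added example for this archive page, not code posted in the thread or from any of the password 'modules' he mentions. It assumes a minimum of four words, a constructed table of common character substitutions (the e->3 style changes a secondary dictionary pass would try), and a constructed stand-in for a list of well-known phrases; a real deployment would use a proper banned-phrase list.

```python
"""Passphrase policy checker (example code, not from the thread).

Three checks drawn from the discussion above:
  1. the secret is a phrase, not a single word;
  2. digits/special characters appear inside the phrase, not just at the ends;
  3. the phrase is not a well-known quotation, even after undoing
     simple substitutions such as e->3 or a->@.
"""
import re

MIN_WORDS = 4  # assumption for this example; tune to local policy

# Constructed stand-in for a banned list of famous phrases / quotations.
KNOWN_PHRASES = {
    "the cat in the hat is back",
    "to be or not to be",
    "i have a dream",
}

# Substitutions a secondary dictionary pass would try. We undo them so that
# "Th3 C@t in the H@t" still compares equal to the plain quotation.
LEET_MAP = str.maketrans({
    "3": "e", "@": "a", "4": "a", "0": "o", "1": "i",
    "$": "s", "5": "s", "7": "t", "!": "i",
})


def normalize(phrase: str) -> str:
    """Lower-case, undo leet substitutions, drop punctuation, collapse spaces.

    Used only for comparison against the banned list; the original phrase is
    what the user actually types.
    """
    text = phrase.lower().translate(LEET_MAP)
    text = re.sub(r"[^a-z0-9\s]", "", text)
    return " ".join(text.split())


def has_interior_complexity(phrase: str) -> bool:
    """True if a digit or special character sits between the first and last
    letter of the phrase. 'Password123!' and '1Cat' do not qualify because
    their complexity is only a leading/trailing run.
    """
    match = re.search(r"[A-Za-z].*[A-Za-z]", phrase, re.S)
    if not match:
        return False
    interior = match.group(0)
    # digit, or anything that is neither a word character nor whitespace
    return re.search(r"[0-9]|[^\w\s]", interior) is not None


def check_passphrase(phrase: str, known_phrases=KNOWN_PHRASES) -> list:
    """Return a list of findings; an empty list means the phrase passes."""
    findings = []
    if len(phrase.split()) < MIN_WORDS:
        findings.append(f"fewer than {MIN_WORDS} words")
    if not has_interior_complexity(phrase):
        findings.append("no digit or special character inside the phrase")
    if normalize(phrase) in known_phrases:
        findings.append("matches a well-known phrase (after undoing simple substitutions)")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates, including the ones discussed in the thread.
    for candidate in [
        "The Cat in the Hat is Back",
        "The Cat in the Hta is Back!",
        "Th3 C@t in the H@t is B4ck",
        "Password123!",
        "My dog ate 3 socks, twice",
    ]:
        print(f"{candidate!r}: {check_passphrase(candidate) or 'OK'}")
```

Note that the misspelled "Hta" variant still fails the interior-complexity check even though it is not on the banned list, which is the point of Stephen's second test: a phrase that happens to escape today's dictionary is not the same as one that was built to resist it.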
Current thread:
- RE: ADS Password Storage Protection, (continued)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 14)
- RE: ADS Password Storage Protection rolando_ruiz (Jul 27)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 31)
- RE: ADS Password Storage Protection rolando_ruiz (Jul 27)
- Re: ADS Password Storage Protection Neil (Jul 17)
- Re: ADS Password Storage Protection Eoin Miller (Jul 17)
- Re: RE: ADS Password Storage Protection winshel (Jul 17)
- Re: ADS Password Storage Protection ab (Jul 17)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 18)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
- Re: ADS Password Storage Protection Stephen John Smoogen (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 14)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 24)
- RE: ADS Password Storage Protection Pranav Lal (Jul 24)