Bugtraq mailing list archives
Selecting Good Passwords
From: mdr () vodka sse att com (mdr () vodka sse att com)
Date: Tue, 4 Jun 1996 08:34:59 -0400
Brett wrote:
nifty 'dictfile' like I did a few years back. All it takes is some simple brain power and a LOT of disk space, a quick file that prints all variations of 5-8 character length combinations to a file. I stopped mine at 238megs and it was still going strong.
If your dictionary can be generated as such, then why store it to disk? Just generate/test passwords one by one. But generally that's not why dictionary attacks work! They work because people often use common words for passwords, unless the software prevents them. That's why some password programs require users to choose numerics and punctuation characters; it prevents the use of common words and makes guessing the password harder. Of course some people often use mnemonics such as 0 for o, 1 for l, 3 for e, 5 for s, ... which almost totally defeats the purpose of requiring numbers in the first place. We use a password generator that produces pronounceable gibberish. Actual system output:
$ passwd
UX:passwd: INFO: Changing password for mdr
Old password:
Automatic generation of password enabled. Please wait.
xe5_na    7qev6zum  9risnig6  quxaxe    hudefwog
.qi8yu    9vem2ced  zawvengat _wiwu+    towsuweh
jishu63   6zinip_   cid01re   fuk6zo1   04gokzo
13zowa    -fejum5   jek5vox2  ziz.0ja   _2nebi
ceh69vej  0lera7    jegnal98  xiv2jaw0  noyep+5
Select new password from passwords provided:
From the above list 0lera7, jishu63, 6zinip_ and zawvengat are all relatively easy to remember and will not fall to dictionary attacks. Of course sometimes the password generator resorts to profanity (sheerly by combinatorics!), but that only indicates its lack of intelligence. :) Of course, reusable passwords really aren't worth anything if they cross the network in plain text. In fact their worth is actually less than zero, because someone may actually be trusting the password to protect something that it is no longer capable of protecting.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

PS: my real passwd was _not_ chosen from the above list.
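As an added illustration of the two points in the post above (not code from the original message or from AT&T's passwd program): a password check that reverses the 0/1/3/5 mnemonic substitutions before consulting a dictionary, so a digit requirement alone cannot be satisfied by disguising a common word, and a generator of pronounceable consonant-vowel-consonant gibberish in the spirit of the output shown. The wordlist is a small constructed stand-in for a real dictionary file.

```python
import re
import secrets
import string
from typing import Optional

# Constructed toy wordlist standing in for a real dictionary file.
WORDLIST = {"password", "secret", "sunshine", "letmein", "welcome"}

# The mnemonic substitutions the post mentions, reversed so that a
# digit-laden password can be mapped back to the word it disguises.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def disguised_word(password: str, words=WORDLIST) -> Optional[str]:
    """Return the dictionary word a password is built from, or None.

    Reverses the digit-for-letter mnemonics, strips any leading or
    trailing digits/punctuation, and looks the remaining core up in the
    wordlist. This is the case a bare "must contain a digit" rule misses.
    """
    core = password.lower().translate(UNLEET)
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core if core in words else None


CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiou"
PUNCT = "_.-+"


def pronounceable(syllables: int = 3) -> str:
    """Build pronounceable gibberish from CVC syllables, then insert one
    digit and one punctuation mark at random positions (constructed
    scheme, not the one AT&T's generator used). Randomness comes from the
    secrets module, not random()."""
    word = "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
        for _ in range(syllables)
    )
    chars = list(word)
    for extra in (secrets.choice(string.digits), secrets.choice(PUNCT)):
        chars.insert(secrets.randbelow(len(chars) + 1), extra)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("pa55w0rd!", "xe5_na", "53cr3t"):
        print(candidate, "->", disguised_word(candidate))
    print("generated:", pronounceable())
```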