Bugtraq mailing list archives
Re: Not so much a bug as a warning of new brute force attack
From: taob () io org (Brian Tao)
Date: Sun, 9 Jun 1996 01:05:38 -0400
On Mon, 3 Jun 1996, Aaron Merifield wrote:
> Why not just change the system so that it won't accept a dictionary name as a valid password. Six to eight characters and at least 1 or 2 numbers would make it a little more difficult too.
We did just that a few months ago after running through our /etc/master.passwd and cracking some 1800 accounts in total. All accounts were expired at once and a replacement /usr/bin/passwd linked with CrackLib was installed. The extra time needed to do a thorough check of a newly supplied password against a large dictionary and the Crack ruleset is negligible, but it decreases the guessability of new passwords to nearly zero.

Another good trick, if your OS supports it, is to use an alternate hash method and long passwords. Our servers run FreeBSD. It has the option of using either DES or MD5 encryption. The public servers use DES for compatibility, but internal machines have the default MD5 libs installed. I would suspect that your average hacker wouldn't know what to do if he found "$1$rEU5lGMq$x5g.f98lqkUfQ8rn89foQl" in the encrypted password field.

Long passwords are not only exponentially more difficult to guess than short ones, they can ironically be easier to remember. For example, "In London, April is a spring month." is a perfectly good password and not subject to truncation (FreeBSD's _PASSWORD_LEN is 128). Toss in some transformations, "InLndn:AprilIsAspringMonth", and you have something virtually unguessable yet you don't need to write it down anywhere.

-- 
Brian Tao (BT300, taob () io org, taob () ican net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
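As an added example, not code from Brian Tao's post, from CrackLib or from FreeBSD, the following Python sketches the two mechanisms he describes: a CrackLib-style check that mangles a candidate password the way a cracker's ruleset would and rejects it if any form lands on a dictionary word, and a look at what the two FreeBSD hash formats actually consume. The word list, the 8-character minimum, the 20-character passphrase threshold and the mangling rules are constructed assumptions standing in for CrackLib's real dictionary and ruleset; the MD5 crypt string is the one from the post, the DES string is a constructed sample. One caveat worth seeing in code: traditional DES crypt(3) keys the cipher from only the first eight characters, so on the DES-only public servers the long passphrase is exactly as strong as its 8-character prefix; only the MD5 crypt branch hashes the whole string.

```python
import string

# Constructed stand-in for the CrackLib word list; the real one is far larger.
DICTIONARY = {
    "password", "secret", "welcome", "qwerty", "letmein", "dragon",
    "london", "april", "spring", "month", "canada", "internet",
}

MIN_LEN = 8      # assumption: site policy minimum, not a CrackLib constant
PHRASE_LEN = 20  # assumption: length from which a passphrase skips class rules

# Substitutions a guesser undoes before the dictionary lookup (Crack-style rule).
LEET = str.maketrans("0134578@$!", "oleastbasi")
EDGE_JUNK = string.digits + string.punctuation


def candidates(pw: str) -> set[str]:
    """Every form in which a Crack ruleset would try the password as a word."""
    base = pw.lower()
    deleet = base.translate(LEET)
    forms = {
        base,
        deleet,
        base[::-1],                                  # reversed: "drowssap"
        base.strip(EDGE_JUNK),                       # "london1!" -> "london"
        deleet.strip(EDGE_JUNK),                     # "p@ssw0rd99" -> "password"
        "".join(c for c in deleet if c.isalpha()),   # "lon.don" -> "london"
    }
    return {f for f in forms if f}


def char_classes(pw: str) -> int:
    """Count of lower, upper, digit and other classes present in pw."""
    count = sum(any(c in cls for c in pw)
                for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits))
    return count + int(any(not c.isalnum() for c in pw))


def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason) in the order a passwd front end would test:
    cheap length check first, dictionary mangling last."""
    if len(pw) < MIN_LEN:
        return False, "too short"
    hits = candidates(pw) & DICTIONARY
    if hits:
        return False, "based on dictionary word: " + sorted(hits)[0]
    if len(pw) < PHRASE_LEN and char_classes(pw) < 3:
        return False, "needs at least three character classes"
    return True, "ok"


def des_crypt_effective(pw: str) -> str:
    """Traditional DES crypt(3) keys the cipher from only the first eight
    characters, so on a DES-only host a long passphrase is exactly as strong
    as this prefix; MD5 crypt hashes the whole string."""
    return pw[:8]


def hash_scheme(field: str) -> str:
    """Classify a password-file hash field: MD5 crypt output carries the
    '$1$' magic; DES crypt output is 13 characters of [./0-9A-Za-z] with
    the two-character salt in front."""
    if field.startswith("$1$"):
        return "md5"
    if len(field) == 13 and all(c in string.ascii_letters + string.digits + "./" for c in field):
        return "des"
    return "unknown"


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "London1!", "abcdefgh", "Xk7#qPm2",
               "InLndn:AprilIsAspringMonth", "In London, April is a spring month."):
        print(f"{pw!r:40} {check_password(pw)}  DES sees {des_crypt_effective(pw)!r}")
    # The MD5 crypt string is from the post; the DES string is a constructed sample.
    for h in ("$1$rEU5lGMq$x5g.f98lqkUfQ8rn89foQl", "abJnggxhB/yWI"):
        print(f"{h:40} {hash_scheme(h)}")
```

The point of running all the mangled forms rather than a single lookup is that "P@ssw0rd", "London1!" and "drowssaP" are all one rule away from a dictionary word, which is exactly where a Crack run finds them; the passphrase and its contracted form survive because no single mangling of the whole string is a word.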