Bugtraq mailing list archives
Re: Not so much a bug as a warning of new brute force attack
From: probert () AZStarNet com (Paul D. Robertson)
Date: Sun, 9 Jun 1996 09:58:58 -0700
On Sun, 9 Jun 1996, Brian Tao wrote:
> We did just that a few months ago after running through our /etc/master.passwd and cracking some 1800 accounts in total. All accounts were expired at once and a replacement /usr/bin/passwd linked with CrackLib was installed. The extra time needed to do a thorough check of a newly supplied password against a large dictionary and the Crack ruleset is negligible, but it decreases the guessability of new passwords to nearly zero.
Unless you have users who _always_ do xxxNNxx or some other scheme which they tend to do, in which case the space for a brute force attack is significantly narrowed to make it worthwhile, esp. if rlogin or some other unwrappered service that doesn't log attempts is available on the machine. Adding a minimum number of digits and non-repeats makes things better, but you still should provide users with good guidance when choosing passwords. I've seen admins who were proud of themselves for using letters and digits in their passwords, who had a different password on every machine, but always used three lower-case letters, two digits, and three lower-case letters. Knowing the server didn't allow repeats, that's nowhere near as secure from a brute force attack as some dictionary words.
> Another good trick, if your OS supports it, is to use an alternate hash method and long passwords. Our servers run FreeBSD. It has the option of using either DES or MD5 encryption. The public servers use DES for compatibility, but internal machines have the default MD5 libs installed. I would suspect that your average hacker wouldn't know what to do if he found "$1$rEU5lGMq$x5g.f98lqkUfQ8rn89foQl" in the encrypted password field.
Yeah, but if it becomes popular, there's not much stopping one of them with a clue from adding an MD5/rsalib call right after the crypt() in crack, et al.
> Long passwords are not only exponentially more difficult to guess than short ones, they can ironically be easier to remember. For example, "In London, April is a spring month." is a perfectly good password and not subject to truncation (FreeBSD's _PASSWORD_LEN is 128). Toss in some transformations, "InLndn:AprilIsAspringMonth", and you have something virtually unguessable yet you don't need to write it down anywhere.
Definitely the way to go if you can't do one-time passwords.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson        "My statements in this message are personal opinions
probert () azstarnet com   which may have no basis whatsoever in fact."
PSB#9280
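As an added illustration of the points made in this exchange (how much a fixed letter/digit scheme narrows the search space, a CrackLib-style rejection of weak choices, and telling an MD5-crypt field from a DES-crypt one), here is a Python example. It is not code from the original thread, from Crack or from CrackLib. The wordlist, the reading of "no repeats" as "no character reused within its class", the 20,000-word vocabulary and the policy thresholds are constructed assumptions for this example.

```python
"""Keyspace arithmetic and a CrackLib-style password policy check.

Added example, not from the Bugtraq thread. Wordlist, thresholds and the
'no repeats' interpretation are constructed assumptions.
"""
import math
import re

# Class sizes for the positional pattern notation used below (assumption):
# L = lower-case letter, U = upper-case letter, D = digit, S = printable symbol.
CLASS_SIZE = {"L": 26, "U": 26, "D": 10, "S": 32}


def pattern_keyspace(pattern, no_repeats=False):
    """Count the passwords that fit a positional class pattern such as 'LLLDDLLL'.

    With no_repeats=True a character may not be reused within its class,
    modelling a server that refuses repeated characters; that shrinks the
    space further, as the thread observes."""
    total = 1
    for cls in set(pattern):
        n = CLASS_SIZE[cls]
        k = pattern.count(cls)
        total *= math.perm(n, k) if no_repeats else n ** k
    return total


def passphrase_keyspace(words, vocabulary=20000):
    """Keyspace of a sentence-style passphrase chosen from a vocabulary (assumed size)."""
    return vocabulary ** words


def bits(keyspace):
    """Express a keyspace as bits of entropy for comparison."""
    return math.log2(keyspace)


# Constructed mini wordlist; a real check would load a large dictionary.
WORDLIST = {"london", "april", "spring", "month", "password", "secret", "dragon"}

# The predictable "three letters, two digits, three letters" habit from the thread.
RIGID_SCHEME = re.compile(r"^[a-z]{3}\d{2}[a-z]{3}$")


def crack_variants(pw):
    """Normalizations in the spirit of Crack's rules: lower-case, strip leading
    and trailing non-letters (e.g. 'London96' -> 'london'), and reverse."""
    base = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return {base, stripped, stripped[::-1]}


def check_password(pw, wordlist=WORDLIST, min_len=8):
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if RIGID_SCHEME.match(pw):
        reasons.append("matches the predictable lll-dd-lll scheme")
    if crack_variants(pw) & wordlist:
        reasons.append("dictionary word after Crack-style normalization")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    # Long passphrases are allowed to be mostly letters; short ones must mix classes.
    if classes < 3 and len(pw) < 20:
        reasons.append("fewer than three character classes and shorter than 20")
    return reasons


def hash_scheme(field):
    """Identify the encrypted-password field format when auditing master.passwd:
    '$1$...' is MD5-crypt, a 13-character [./0-9A-Za-z] string is classic DES crypt."""
    if field.startswith("$1$"):
        return "md5-crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"
    return "unknown"


if __name__ == "__main__":
    for label, n in (("lll-dd-lll, no repeats", pattern_keyspace("LLLDDLLL", True)),
                     ("lll-dd-lll, repeats ok", pattern_keyspace("LLLDDLLL")),
                     ("any 8 chars of [a-z0-9]", 36 ** 8),
                     ("7-word passphrase", passphrase_keyspace(7))):
        print(f"{label:26s} {n:.3e} ({bits(n):.1f} bits)")
    for pw in ("abc12def", "London96", "In London, April is a spring month."):
        print(repr(pw), "->", check_password(pw) or "accepted")
    print(hash_scheme("$1$rEU5lGMq$x5g.f98lqkUfQ8rn89foQl"))
```

The keyspace figures show the admin habit Paul describes at roughly 34 bits once repeats are forbidden, against about 41 bits for an unconstrained 8-character alphanumeric password and well over 90 bits for a seven-word sentence like the one Brian suggests; the policy check is what a CrackLib-linked passwd would do at the moment of the change, refusing the rigid scheme and stripped dictionary words while accepting the long phrase. The hash_scheme helper is the kind of check an auditor would run over the password file to find servers still using DES-crypt.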