Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Randy Marchany <marchany () CANDI2 CIRT VT EDU>
Date: Mon, 19 Nov 2007 15:18:11 -0500

ophcrack works on Windows 2000, XP, VISTA (with a special set of Rainbow
tables for it). Check the tool out at ophcrack.sourceforge.net. Again, while
it requires physical access to the target, it does a pretty good job guessing
the password in the 10-16 length range in a reasonable amount of time. I
mentioned in my earlier post that 12 char passwords were obtained within 10
minutes. We've been guessing longer passwords in a slightly longer period of
time. All of the guessed passwords follow the consensus rules that EDUCAUSE
and other sites have posted. The one defense seems to be adding special chars
in the mix although it's only a matter of time before the Rainbow table for
that shows up.

The other point to remember is that while we may have strong password rules,
they are sometimes undercut by vendor products. Oracle, for example, converts
its passwords to uppercase and restricts the use of certain special
characters. I've been told the latest version of Oracle has fixed this but if
you're not at the latest version of Oracle, you have this problem. Google
"oracle password weakness" to get a white paper on the problem.

ATM cards.......

        -Randy Marchany
        VA Tech IT Security Office and Lab

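The two points in the post above (a rainbow table only recovers passwords drawn from the character set it was built over, and a product that case-folds passwords hands the attacker a smaller space to tabulate) are easier to see with a toy time-memory trade-off in hand. The following is an added example, not code from the post, from ophcrack, or from Oracle. It assumes MD5 as a stand-in for the LM/NT hash, a 4-character lowercase keyspace, and chain parameters small enough to build in a second or two; the names `build_table`, `lookup`, `reduce_hash` and `coverage` are this example's own.

```python
import hashlib
import random

# Toy rainbow table (Oechslin-style chains with a different reduction per
# column). Parameters are deliberately tiny; a real table over 10-16 char
# passwords is the same construction with a far bigger keyspace.
CHARSET = "abcdefghijklmnopqrstuvwxyz"   # assumed: table covers lowercase only
PW_LEN = 4                                # assumed: fixed 4-char passwords
CHAIN_LEN = 100                           # columns per chain
N_CHAINS = 3000                           # chains stored (endpoint -> start)


def H(pw: str) -> bytes:
    """Hash under attack. MD5 stands in for LM/NT in this example."""
    return hashlib.md5(pw.encode()).digest()


def reduce_hash(h: bytes, column: int) -> str:
    """Map a digest back into CHARSET^PW_LEN. Mixing in the column index
    gives each column its own reduction, which is what limits chain merges."""
    x = int.from_bytes(h, "big") + column
    out = []
    for _ in range(PW_LEN):
        out.append(CHARSET[x % len(CHARSET)])
        x //= len(CHARSET)
    return "".join(out)


def build_table(seed: int = 1):
    """Generate N_CHAINS chains; store only (endpoint -> start) pairs."""
    rng = random.Random(seed)
    table = {}
    starts = []
    for _ in range(N_CHAINS):
        start = "".join(rng.choice(CHARSET) for _ in range(PW_LEN))
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_hash(H(pw), col)
        table.setdefault(pw, start)   # first chain to reach an endpoint wins
        starts.append(start)
    return table, starts


def lookup(table: dict, target: bytes):
    """Recover a preimage of `target` from the table, or None if the
    password is not covered (e.g. it uses characters outside CHARSET)."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Assume target was produced at column `col`; finish the chain.
        pw = reduce_hash(target, col)
        for j in range(col + 1, CHAIN_LEN):
            pw = reduce_hash(H(pw), j)
        start = table.get(pw)
        if start is None:
            continue
        # Endpoint matched: walk the chain from its start to find the preimage.
        cand = start
        for j in range(CHAIN_LEN):
            if H(cand) == target:
                return cand
            cand = reduce_hash(H(cand), j)
        # Endpoint matched but chain did not contain target: a false alarm.
    return None


def coverage(table: dict, samples: int = 100, seed: int = 2) -> float:
    """Fraction of random in-charset passwords the table recovers."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        pw = "".join(rng.choice(CHARSET) for _ in range(PW_LEN))
        if lookup(table, H(pw)) == pw:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    table, starts = build_table()
    print("stored chains:", len(table), "of", N_CHAINS)
    print("in-charset password recovered:", lookup(table, H(starts[0])))
    # A single digit or uppercase letter puts the password outside the table.
    print("password with a digit:", lookup(table, H("ab1c")))
    print("uppercase password:", lookup(table, H("ABCD")))
    print("approx. coverage of lowercase^4:", coverage(table))
```

Two things to take from running it: a password containing one character outside the charset ("ab1c") is never recovered no matter how long the table is searched, which is the "special chars are the one defense" observation, and the defense lasts only until someone builds the table over the larger charset. Conversely, a product that uppercases passwords before hashing collapses mixed-case input into the smaller CHARSET-sized space, so the attacker's table needs to cover only that space.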