Educause Security Discussion mailing list archives
Re: Passwords & Passphrases
From: Randy Marchany <marchany () CANDI2 CIRT VT EDU>
Date: Mon, 19 Nov 2007 15:18:11 -0500
ophcrack works on Windows 2000, XP, VISTA (with a special set of Rainbow tables for it). Check the tool out at ophcrack.sourceforge.net. Again, while it requires physical access to the target, it does a pretty good job guessing the password in the 10-16 length range in a reasonable amount of time. I mentioned in my earlier post that 12 char passwords were obtained within 10 minutes. We've been guessing longer passwords in a slightly longer period of time. All of the guessed passwords follow the consensus rules that EDUCAUSE and other sites have posted. The one defense seems to be adding special chars in the mix although it's only a matter of time before the Rainbow table for that shows up.

The other point to remember is that while we may have strong password rules, they are sometimes undercut by vendor products. Oracle, for example, converts its passwords to uppercase and restricts the use of certain special characters. I've been told the latest version of Oracle has fixed this but if you're not at the latest version of Oracle, you have this problem. Google "oracle password weakness" to get a white paper on the problem.

ATM cards.......

-Randy Marchany
VA Tech IT Security Office and Lab