Firewall Wizards mailing list archives
RE: "Proactive" Password Checking
From: "Moore, James" <James.Moore () MSFC NASA GOV>
Date: Mon, 15 Nov 1999 10:56:27 -0600
I'm not sure that a Markov model could ever be particularly effective in this role, but I have been wondering for a while if a neural network might be able to significantly improve on brute force dictionary attacks.

The neural network would be initially "trained" by feeding it vectors consisting of 1) user attributes that are more or less easily obtained (e.g. marital status, job title, email address, company name, job function, nationality, etc.), and 2) some passwords that the user has previously used. After training, the desired output of the neural network would be a list of passwords that are "most likely" based on a particular set of user attributes; i.e. a dictionary that is customized for say, female system administrators with Irish surnames.

Seems to me that this same class of technology (neural nets, fuzzy logic & genetic algorithms) would also find some applications in network security, but I've not heard of any. Anyone else???

Jim Moore
256.461.4381
----------- PGP PUBLIC KEY FINGERPRINT ------------
1D9C 3AC3 34E6 EEDF 22B9 7886 7797 6908 048F 049B
---------------------------------------------------
-----Original Message-----
From: Rick Smith [SMTP:rick_smith () securecomputing com]
Sent: Thursday, November 11, 1999 4:25 PM
To: Eric Toll; jsdy () cospo osis gov
Cc: kurtbuff () lightmail com; owner-firewall-wizards () lists nfr net
Subject: Re: "Proactive" Password Checking

This thread got me thinking about something I haven't seen discussed in quite a while (probably because I haven't looked in the right places, but never mind).

Several years ago I read a paper that described a password checking procedure based on a Markov model of common English words and phrases. Perhaps it was simply digram statistics; I forget the details. But the basic idea was to use the Markov model to estimate the likelihood that a given password was a word, and thus potentially vulnerable to a dictionary attack.

Has anyone heard of attempts to turn this around, and use the Markov model to generate candidate passwords for a dictionary attack? I suppose I'm looking for an algorithm that might generate passwords containing shorter words concatenated together before it generates longer but less common words. This would essentially be the "killer" dictionary attack, since it wouldn't even need a precompiled dictionary, other than the model statistics.

Anyone remember a reference to any of this?

Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/
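
The checking procedure described in the quoted message (digram statistics used to estimate how word-like a proposed password is), as an added example that is not part of either post or of the paper mentioned there. The training word list, smoothing constant and refusal threshold are assumptions chosen for illustration.

```python
import math

# Constructed training sample (an assumption); a deployed checker would
# train on a large word list in its users' languages.
TRAINING_WORDS = """password secret dragon monkey letmein welcome shadow
master summer winter football baseball computer internet security firewall
network system account manager michael jennifer thunder sunshine
princess""".split()

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
START = "^"    # pseudo-state before the first letter
SMOOTH = 0.1   # additive smoothing: unseen digrams keep a small probability


def train(words):
    """Count letter-to-letter transitions: a first-order Markov (digram) model."""
    counts = {}
    for word in words:
        prev = START
        for ch in word.lower():
            row = counts.setdefault(prev, {})
            row[ch] = row.get(ch, 0) + 1
            prev = ch
    return counts


def avg_log_prob(model, candidate):
    """Mean log2 probability per character; higher means more word-like."""
    chars, total, prev = candidate.lower(), 0.0, START
    for ch in chars:
        if ch not in ALPHABET:
            # Digits and symbols: uniform 1-in-95 printable ASCII, chain resets.
            total += math.log2(1 / 95)
            prev = START
            continue
        row = model.get(prev, {})
        seen = sum(row.values())
        total += math.log2((row.get(ch, 0) + SMOOTH) / (seen + SMOOTH * len(ALPHABET)))
        prev = ch
    return total / len(chars) if chars else 0.0  # empty input: fully predictable


def is_word_like(model, candidate, threshold=-4.0):
    """True when the checker should refuse the candidate as too predictable.

    Uniformly random lowercase letters score log2(1/26), about -4.7.
    """
    return avg_log_prob(model, candidate) > threshold


MODEL = train(TRAINING_WORDS)
```

Because the model scores letter transitions instead of looking words up, `is_word_like(MODEL, "wintersummer")` is also true even though that concatenation appears in no word list, while a string such as `xq7#vz!k` falls well below the threshold.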