Firewall Wizards mailing list archives

RE: "Proactive" Password Checking


From: "Moore, James" <James.Moore () MSFC NASA GOV>
Date: Mon, 15 Nov 1999 10:56:27 -0600

I'm not sure that a Markov model could ever be particularly effective in
this role, but I have been wondering for a while if a neural network might
be able to significantly improve on brute force dictionary attacks. The
neural network would be initially "trained" by feeding it vectors consisting
of 1) user attributes that are more or less easily obtained (e.g. marital
status, job title, email address, company name, job function, nationality,
etc.), and 2) some passwords that the user has previously used. After
training, the desired output of the neural network would be a list of
passwords that are "most likely" based on a particular set of user
attributes; i.e. a dictionary that is customized for say, female system
administrators with Irish surnames.

Seems to me that this same class of technology (neural nets, fuzzy logic &
genetic algorithms) would also find some applications in network security,
but I've not heard of any. Anyone else???

Jim Moore
256.461.4381

----------- PGP PUBLIC KEY FINGERPRINT ------------
1D9C 3AC3 34E6 EEDF 22B9  7886 7797 6908 048F 049B
---------------------------------------------------


-----Original Message-----
From: Rick Smith [SMTP:rick_smith () securecomputing com]
Sent: Thursday, November 11, 1999 4:25 PM
To:   Eric Toll; jsdy () cospo osis gov
Cc:   kurtbuff () lightmail com; owner-firewall-wizards () lists nfr net
Subject:      Re: "Proactive" Password Checking

This thread got me thinking about something I haven't seen discussed in
quite a while (probably because I haven't looked in the right places, but
never mind).

Several years ago I read a paper that described a password checking
procedure based on a Markov model of common English words and phrases.
Perhaps it was simply digram statistics; I forget the details. But the
basic idea was to use the Markov model to estimate the likelihood that a
given password was a word, and thus potentially vulnerable to a dictionary
attack.

Has anyone heard of attempts to turn this around, and use the Markov model
to generate candidate passwords for a dictionary attack? I suppose I'm
looking for an algorithm that might generate passwords containing shorter
words concatenated together before it generates longer but less common
words.

This would essentially be the "killer" dictionary attack, since it wouldn't
even need a precompiled dictionary, other than the model statistics.

Anyone remember a reference to any of this?


Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/
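
The checking procedure recalled in the quoted message (digram statistics used to estimate how word-like a proposed password is) can be sketched as follows. This is an added example, not code from either message or from the paper mentioned; the training list, the smoothing constant, the `#` bucket for non-letters and the threshold are all assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed training sample; a real checker would be trained on a large
# word list or corpus so that the statistics cover ordinary English.
SAMPLE_WORDS = ("password secret dragon monkey master summer winter shadow "
                "hunter silver letter coffee firewall network system security").split()

SYMBOLS = 27      # a-z plus "#" standing for any other character
SMOOTH = 0.1      # additive smoothing so unseen digrams keep a small probability
THRESHOLD = -3.5  # assumed cut-off in bits per transition; tune on real data


def normalise(text):
    """Lower-case, map non-letters to '#', and prepend the start marker '^'."""
    return "^" + "".join(c if "a" <= c <= "z" else "#" for c in text.lower())


def train(words):
    """Count digrams: model[a][b] is how often b follows a."""
    model = defaultdict(Counter)
    for word in words:
        s = normalise(word)
        for a, b in zip(s, s[1:]):
            model[a][b] += 1
    return model


def score(model, candidate):
    """Mean log2 probability per transition under the first-order Markov model.
    Values near 0 are word-like; a uniform guess is log2(1/27), about -4.75."""
    if not candidate:
        raise ValueError("empty candidate")
    s = normalise(candidate)
    total = 0.0
    for a, b in zip(s, s[1:]):
        seen = sum(model[a].values())
        total += math.log2((model[a][b] + SMOOTH) / (seen + SMOOTH * SYMBOLS))
    return total / (len(s) - 1)


def is_wordlike(model, candidate):
    """True when the candidate looks enough like training text to reject."""
    return score(model, candidate) > THRESHOLD


MODEL = train(SAMPLE_WORDS)
```

A low score only means the string does not resemble the training text; a proactive checker would apply this alongside length and other rules, not instead of them.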


