Firewall Wizards mailing list archives
Re: "Proactive" Password Checking
From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Tue, 16 Nov 1999 11:52:42 -0500
On Fri, Nov 12, 1999 at 09:42:07AM -0600, Moore, James wrote:
...
I'm not sure I fully understand Alan's point wrt L0phtcrack etc., but I don't believe password crackers obviate the utility of a tool such as passfilt.dll.
...
-----Original Message-----
From: Alan Ramsbottom [SMTP:ACR () als co uk]
Sent: Tuesday, November 09, 1999 12:44 PM
...
Bear in mind that you can't afford to spend the 5 (or 50 or 500 or..) mins that it might take Crack, John the Ripper, L0phtcrack et al to find a password. If anyone's worried enough to write custom password filters then they should probably run offline password crackers on a regular basis.
I believe his point is that the cracker can set his engine in motion and go off, and come back in a couple of days for his results. But when your user says, "Computer, I would like to change my password, please", or uses one of those quaint mouse thingies to press an icon, or a keyboard to enter a command line, he, she, or it usually would prefer to have a response that second instead of in a couple of days.

Of course, the tasks are radically different, too - the cracker needs to go from an unknown encrypted string to its plaintext; while the user is entering the plaintext, and the computer at that point just has to be able to advise the user whether or not that would make a good password. So better search/recognition heuristics for easily-found dictionary words would help the latter task. If one is concerned that they do not suffice, one may go back later and try to run more brutal, time-taking attacks against the passwords chosen.

--
Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.