Firewall Wizards mailing list archives
Re: Passwords (was: Stanford break in)
From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 23 Apr 2004 16:44:44 -0400 (EDT)
On Fri, 23 Apr 2004, Dana Nowell wrote:
> Bottom line: do NOT, repeat, do NOT put ANY confidence in 'salts' saving your A**. The best defense is to not be in anyone's dictionary in the first place. Pick a password carefully and change it regularly.
Filling in the dictionary isn't that hard, and adding to it to generate the "empty space" isn't all that bad for smaller lengths...

http://security.sdsc.edu/publications/teracrack.pdf

(Where the heck was Abe when I baited him in this thread?)

One of the "interesting" things in the Teracrack paper is that high-bit characters collide. They found one "true" collision between $C4U1N3R and SEEKETH-; now I dunno about you, but I'd have put $C4U1N3R in the "not in a dictionary" category.

Now, someone with mad math skills can take the dictionaries and the possible 7-bit passwords and figure out how much keyspace that leaves- since "strong passwords enforced by software" will negate having to search that space- if we know how long the password is (attacker on site) then it might just not matter that you chose a non-dictionary entry.

Bottom line: Reusable passwords still suck. :)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment
                           TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
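Added example (not part of the thread or of the Teracrack paper) illustrating the two points Paul makes above: a salt read from the stored record adds no work to a targeted dictionary attack, and a Teracrack-style precomputation only costs the attacker a 4096x larger table, while traditional DES crypt(3) keys the cipher from the low 7 bits of the first 8 characters, so a high-bit character collides with its 7-bit counterpart. Assumptions: the hash is a stand-in (SHA-256 over salt || 7-bit-masked key) rather than the real DES-based crypt(3), and the wordlist is constructed for the demonstration; only the 8-character truncation, the 7-bit mask and the 4096 two-character salt space are taken from how crypt(3) actually works.

```python
import hashlib
import itertools
import string

# Constructed wordlist standing in for the dictionaries discussed in the
# thread. "$C4U1N3R" and "SEEKETH-" are the pair named in the post.
WORDLIST = [b"password", b"letmein", b"SEEKETH-", b"$C4U1N3R"]

# Traditional crypt(3) salts: two characters from "./0-9A-Za-z" -> 64*64 = 4096.
SALT_CHARS = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase
ALL_SALTS = ["".join(p) for p in itertools.product(SALT_CHARS, repeat=2)]


def mask_to_7bit(password: bytes) -> bytes:
    """Traditional DES crypt(3) builds its 56-bit key from the low 7 bits of
    each of the first 8 characters. Anything past 8 is dropped, and a
    character with the high bit set keys DES exactly like its 7-bit
    counterpart, which is why high-bit characters collide."""
    return bytes(c & 0x7F for c in password[:8])


def crypt_like_hash(password: bytes, salt: str) -> str:
    """Stand-in for crypt(3) (assumption: SHA-256 over salt || masked key
    instead of the real 25-round DES). It keeps the two properties the
    argument needs: the salt is stored in the clear beside the hash, and the
    key material is the 7-bit-masked first 8 characters."""
    return hashlib.sha256(salt.encode("ascii") + mask_to_7bit(password)).hexdigest()


def crack_one(stored_hash: str, salt: str, wordlist):
    """Targeted attack on one record. The attacker reads the salt from the
    record itself, so the cost is len(wordlist) hashes and the salt adds
    nothing. Returns the matching word or None."""
    for word in wordlist:
        if crypt_like_hash(word, salt) == stored_hash:
            return word
    return None


def precompute_all_salts(wordlist, salts=ALL_SALTS):
    """Teracrack-style table: every word under every salt. The salt only
    multiplies the table size by 4096 (a one-time cost for the attacker);
    it does not move any word out of the dictionary."""
    table = {}
    for salt in salts:
        for word in wordlist:
            table[crypt_like_hash(word, salt)] = (salt, word)
    return table


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over an alphabet.
    With crypt(3) truncating at 8 characters this bounds the whole space an
    attacker ever has to cover for that scheme."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


if __name__ == "__main__":
    record_salt, record_hash = "ab", crypt_like_hash(b"letmein", "ab")
    print("targeted crack:", crack_one(record_hash, record_salt, WORDLIST))

    # High-bit variant of "$C4U1N3R" (0xA4 & 0x7F == 0x24 == '$'): same hash.
    print("high-bit collision:",
          crypt_like_hash(b"\xa4C4U1N3R", "xy") == crypt_like_hash(b"$C4U1N3R", "xy"))

    table = precompute_all_salts(WORDLIST)
    print("table entries:", len(table), "= words x 4096 salts")

    # Space left once a policy forces exactly 8 printable ASCII characters.
    print("8-char printable space:", keyspace(95, 8) - keyspace(95, 7))
```

The table construction is the step Teracrack did for real against the full DES crypt(3): 4096 salts turns a dictionary run into a one-time table build, after which every salted record from that dictionary is a lookup. The only thing the salt buys the defender is that the attacker cannot reuse one hash computation across all users; a word that is in the dictionary is still found.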
Current thread:
- Passwords (was: Stanford break in) Dana Nowell (Apr 23)
- Re: Passwords (was: Stanford break in) Paul D. Robertson (Apr 23)
- Re: Passwords (was: Stanford break in) Dana Nowell (Apr 27)
- Re: Passwords (was: Stanford break in) Adam Shostack (Apr 23)
- Re: Passwords (was: Stanford break in) Paul D. Robertson (Apr 23)