Firewall Wizards mailing list archives

Re: Passwords (was: Stanford break in)


From: "Paul D. Robertson" <paul () compuwar net>
Date: Fri, 23 Apr 2004 16:44:44 -0400 (EDT)

On Fri, 23 Apr 2004, Dana Nowell wrote:

> Bottom line: do NOT, repeat, do NOT put ANY confidence in 'salts' saving
> your A**.  The best defense is to not be in anyone's dictionary in the
> first place.  Pick a password carefully and change it regularly.

Filling in the dictionary isn't that hard, and adding to it to generate
the "empty space" isn't all that bad for smaller lengths...

http://security.sdsc.edu/publications/teracrack.pdf
(Where the heck was Abe when I baited him in this thread?)

One of the "interesting" things in the Teracrack paper is that high-bit
characters collide.  They found one "true" collision between $C4U1N3R and
SEEKETH.  Now I dunno about you, but I'd have put $C4U1N3R in the "not in a
dictionary" category.

Now, someone with mad math skills can take the dictionaries and the
possible 7-bit passwords and figure out how much keyspace that leaves,
since "strong passwords enforced by software" will negate having to search
that space.  If we know how long the password is (attacker on site), then it
might just not matter that you chose a non-dictionary entry.

Bottom line: Reusable passwords still suck. :)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
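The attack the thread is arguing about, as an added worked example (not code from the post, the list, or the Teracrack paper): precompute a dictionary under every possible salt once, then crack any leaked entry with a table lookup, and fall back to exhaustive search of the short "empty space" outside the dictionary. Assumptions: SHA-256 over salt || password is a stand-in for crypt(3) so the block runs with only the standard library; the 12-bit salt (4096 values) matches traditional DES crypt; the dictionary, user names and salts are constructed for illustration.

```python
import hashlib
import itertools
import string

# Traditional DES crypt(3) uses a 12-bit salt, so there are only 4096
# distinct salts; that is the factor a Teracrack-style precomputation
# multiplies the dictionary by.
SALT_BITS = 12
ALL_SALTS = range(1 << SALT_BITS)


def salted_hash(salt: int, password: str) -> str:
    """Stand-in for crypt(3): SHA-256 over salt || password.

    Assumption: the hash function is irrelevant to the attack structure;
    SHA-256 is used only so this runs with the standard library.
    """
    return hashlib.sha256(salt.to_bytes(2, "big") + password.encode()).hexdigest()


def precompute_table(dictionary, salts=ALL_SALTS):
    """'Fill in the dictionary': hash every word under every salt, once.

    Cost is len(dictionary) * len(salts) hashes, paid a single time; each
    later shadow entry then costs one dictionary lookup, salt or no salt.
    """
    table = {}
    for salt in salts:
        for word in dictionary:
            table[(salt, salted_hash(salt, word))] = word
    return table


def lookup(table, salt: int, digest: str):
    """O(1) recovery of any password that was in the dictionary."""
    return table.get((salt, digest))


def brute_force(salt: int, digest: str, alphabet: str, max_len: int):
    """Search the 'empty space' outside the dictionary up to max_len.

    Only feasible for short lengths: cost is sum(len(alphabet) ** n).
    """
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            candidate = "".join(chars)
            if salted_hash(salt, candidate) == digest:
                return candidate
    return None


def crack(table, salt, digest,
          alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Dictionary table first, then exhaustive search over short passwords."""
    hit = lookup(table, salt, digest)
    if hit is not None:
        return hit, "dictionary"
    hit = brute_force(salt, digest, alphabet, max_len)
    return hit, ("brute-force" if hit is not None else "not found")


# Constructed sample data (not from the paper or the post).
DICTIONARY = ["password", "letmein", "qwerty", "seeketh", "SEEKETH"]
SHADOW = {  # user -> (salt, hash); salts chosen arbitrarily
    "alice": (0x123, salted_hash(0x123, "letmein")),   # in the dictionary
    "bob":   (0xABC, salted_hash(0xABC, "zq7")),       # not in it, but short
    "carol": (0x7F1, salted_hash(0x7F1, "$C4U1N3R")),  # neither
}

TABLE = precompute_table(DICTIONARY)


def crack_all(shadow=SHADOW, table=TABLE):
    """Attack every shadow entry; returns user -> (password or None, method)."""
    return {user: crack(table, salt, digest)
            for user, (salt, digest) in shadow.items()}


if __name__ == "__main__":
    for user, (password, how) in crack_all().items():
        print(f"{user:6} {how:12} {password}")
```

The salt changes nothing for alice: her password was in the dictionary, so the one-time 4096 x len(dictionary) precomputation already holds it. Bob falls to the short exhaustive search the post calls the "empty space". Only carol, neither in the dictionary nor reachable within the searched length, survives, which is exactly the "not in anyone's dictionary" advice being debated.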

