Penetration Testing mailing list archives
RE: Education End Users about Passwords - Was - RE: john the ripper
From: "Micheal Thompson" <MThompson () brinkster com>
Date: Tue, 9 Dec 2003 12:19:49 -0500
End user education is the greatest defense. People are often the weakest link. One step further is the education of the social and physical aspects of security. Case in point: I was performing a pen-test for a financial institution. I walked in and asked to see the manager. I told the manager that I had to open an account for a business that I was president of. I had the bank give me bogus papers and presented those papers to the manager. After about five minutes of building a rapport I spilt my water that I got from the waiting room on her blouse. She left the room and left me in there. She did not even lock her machine. I just slipped a floppy into the A: and loaded the disk that had some goodies on it.

The point is physical security is just as important as passwords. As you guys know most machines can be raped if you have physical access to them. Sorry for going off thread, just wanted to bring this up.

-----Original Message-----
From: Thompson, Jimi [mailto:JimiT () mail cox smu edu]
Sent: Monday, December 08, 2003 6:05 PM
To: pen-test () securityfocus com
Subject: Education End Users about Passwords - Was - RE: john the ripper

All,

My personal experience is that I would rather have a user with a relatively weak (6 digit) password that isn't susceptible to a simple dictionary attack AND that doesn't have it written on a sticky note AND knows not to give it out over the phone. User education is far more important than the length of the password.

The most important thing is explaining to users how they can generate their own "hard" passwords. The algorithm that I teach them is this:

1. Pick a sentence that has meaning for you and that you will remember, i.e. "I work at cox today."
2. All consonants (or all vowels) become UPPERCASE characters.
3. All vowels (or all consonants, as it is the opposite of rule 2) become lower case characters.
4. Words like "to" and "for" become numbers.
5. Words like "at" and "and" become symbols (@ and &).
6. Add some character to the end like ! or #.

Now my password is iW@C2day!

Once they get this simple thing down, getting them to choose "strong" passwords becomes infinitely easier, because they now have a mnemonic device to recall the password - the primary end user complaint about using "strong" passwords. If they can remember it, they are also a lot less likely to use the nefarious sticky note. Then all you have to worry about is making sure that they know not to give it out over the phone, which frankly, is the easiest method of "cracking" a password.

2 cents,
Jimi

-----Original Message-----
From: OBrien, Brennan [mailto:BOBrien () columbia com]
Sent: Monday, December 08, 2003 1:38 PM
To: falcon () secureconsulting net; pen-test () securityfocus com
Subject: RE: john the ripper

Okay, I hear what you're saying about the amount of time being used and all... but... If your users are like the ones I've seen, that "reasonably strong" password (such as &Y6N8gg0 -- presumably strong) is just going to get written down on a sticky tab and put on the user's monitor or under their keyboard.

The point is, while you've done a great job creating a strong keyspace which is difficult to break, I may open up a bigger problem. The goal is to get through the proverbial wall. Whether I do that by breaking through the bricks or scaling it or just going around, it doesn't really matter to me. If I make the wall thicker, that just moves the problem -- I'm still interested in getting to the other side, and I know I won't be able to break through it, so off I go to find a different solution...

Just my thoughts.

-----Original Message-----
From: Benjamin Tomhave [mailto:falcon () secureconsulting net]
Sent: Monday, December 08, 2003 10:58 AM
To: pen-test () securityfocus com
Subject: RE: john the ripper

Scary numbers... so, semi-drifting question: how long is an "acceptable" length of time to run a cracker before pronouncing that uncracked passwords are "reasonably strong and well-chosen"?
-----Original Message-----
From: Mike [mailto:myname17 () bellsouth net]
Sent: Monday, December 08, 2003 3:45 AM
To: Giacomo; pen-test () securityfocus com
Subject: Re: john the ripper

I recently did a little research on this, and if the password was well chosen you will not find the password. An 8 character password, based on a 72 character set (26 lower case letters, 26 uppercase letters, 10 digits, and 10 special characters) results in 72^8 or 7.2x10^14 possible passwords. My reference PC was only able to crack at 1500c/s. Doing the math reveals that 150,000 years would be required to crack all combinations, or 75,000 years on average. For a 12 character password the result was 2,000,000,000,000 years. If my math is wrong, please break it to me gently.

Mike

On Tuesday 02 December 2003 10:52 am, Giacomo wrote:

Hi all

I am trying to crack Cisco MD5 passwords. Currently I am using an Athlon XP2500 Barton at 2300mhz; after 17 days john continues to crack at 3800c/s (it started at 4500c/s). I am asking myself and all of you what is the best system (hardware) to crack MD5 passwords. I am thinking that the best way is the most powerful (mhz) i386 in commerce. I've tried OpenMosix with 4 p500 nodes with john and cisilia, but without lucky results. The Sun 280 (dual 64-bit CPU at 900mhz) goes to a poor 900c/s. Which is your reference system to use john on MD5 passwords?

Giacomo
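The two pieces of arithmetic argued over in this thread, Jimi's six-rule mnemonic and Mike's keyspace-versus-guess-rate estimate, carried through as an added example. This is not code from any of the posts. The interpretation of Jimi's rules (each ordinary word contributes only its first letter; a word that merely begins with a number word keeps its tail, so "today" becomes "2day"), the function names, and the reuse of the guess rates quoted in the thread (1500, 3800 and 900 c/s) are my assumptions; the 72-character set and the 6-, 8- and 12-character lengths are the thread's own.

```python
"""Added example, not code from the thread: Jimi's mnemonic transform and
the keyspace / search-time estimate Mike works through, generalised to any
charset size, length and guess rate."""
import math

# Jimi's rules 4 and 5 as whole-word substitutions.
NUMBER_WORDS = {"to": "2", "for": "4"}
SYMBOL_WORDS = {"at": "@", "and": "&"}
VOWELS = set("aeiou")


def transform_word(word):
    """Map one word of the sentence to its password fragment.

    Assumption (mine, not stated in the post): an ordinary word contributes
    only its first letter, vowels lower case and consonants upper case
    (rules 2 and 3), and a word that begins with a number word keeps the
    rest of itself, so "today" -> "2day" as in Jimi's own example.
    """
    w = word.lower().strip(".,;:!?\"'")
    if not w:
        return ""
    if w in NUMBER_WORDS:                      # rule 4: "to" -> "2", "for" -> "4"
        return NUMBER_WORDS[w]
    if w in SYMBOL_WORDS:                      # rule 5: "at" -> "@", "and" -> "&"
        return SYMBOL_WORDS[w]
    for prefix, digit in NUMBER_WORDS.items():  # "today" -> "2day"
        if w.startswith(prefix) and len(w) > len(prefix):
            return digit + w[len(prefix):]
    first = w[0]
    return first if first in VOWELS else first.upper()


def mnemonic_password(sentence, suffix="!"):
    """Rules 1-6: transform every word of the sentence, append the suffix."""
    return "".join(transform_word(w) for w in sentence.split()) + suffix


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """log2 of the keyspace: bits of work a brute-force search must cover."""
    return length * math.log2(charset_size)


def search_time_years(charset_size, length, rate):
    """Years to try every candidate at `rate` guesses per second, and the
    expected time (half the keyspace) to hit a uniformly chosen password."""
    seconds = keyspace(charset_size, length) / rate
    years = seconds / (365 * 24 * 3600)
    return years, years / 2


if __name__ == "__main__":
    print(mnemonic_password("I work at cox today."))  # iW@C2day!
    # Guess rates quoted in the thread: Mike's reference PC, Giacomo's
    # Athlon after 17 days, and the Sun 280. The 72-character set is Mike's.
    for label, rate in (("reference PC", 1500), ("Athlon XP2500", 3800), ("Sun 280", 900)):
        for length in (6, 8, 12):
            full, avg = search_time_years(72, length, rate)
            print(f"{label:14s} len={length:2d} {entropy_bits(72, length):5.1f} bits "
                  f"exhaustive={full:,.0f} y  average={avg:,.0f} y")
```

search_time_years models only an exhaustive search over a uniform keyspace, which is the calculation Mike describes; a real cracker such as john spends its first hours on wordlists and mangling rules, so a password derived from a memorable sentence is only as strong as the estimate if the sentence itself is not guessable.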
Current thread:
- Education End Users about Passwords - Was - RE: john the ripper Thompson, Jimi (Dec 09)
- <Possible follow-ups>
- RE: Education End Users about Passwords - Was - RE: john the ripper Micheal Thompson (Dec 09)
- Re: Education End Users about Passwords - Was - RE: john the ripper Byron Sonne (Dec 10)