Penetration Testing mailing list archives

RE: policy-based password cracker


From: "Password Crackers, Inc." <pwcrack () pwcrack com>
Date: Fri, 2 Dec 2005 11:53:32 -0500

Depending upon the specific policies, you may not save a significant amount
of time by limiting the brute-force attack.  For instance, consider a policy
that required at least one upper, one lower and one number in all passwords.
Let's first assume that the possible character set for passwords is
upper/lower/number.  For four character passwords, 19% of the possible
password checks can be eliminated due to the policy.  For five character
passwords, only 9% would be eliminated and the percentage would continue to
drop as the length increases.  If the possible character set included
upper/lower/number/special characters, the policy would only eliminate 3% of
the possible 4 character passwords and 1% of the possible 5 character
passwords.  Since the vast majority of the time for a brute-force attack is
spent on the largest length checked and since the number of tests that can
be eliminated due to the policy declines with length, I suspect that
limiting the brute-force attack due to policy might only be worthwhile for
some highly specific policies.

Also, most brute-force attacks are very fast.  One would need to test the
speed of eliminating a password vs. the speed of testing a password.  If you
needed code to determine whether a password passed the policy, the overhead
of this code on all passwords might eliminate any savings vs. just testing
all of the passwords.  This would have to be benchmarked on a case-by-case
and policy-by-policy basis.  Obviously, if the password testing is against a
remote server/resource and the testing is slow, then the savings of not
testing even a small number of passwords would more than make up for the
overhead in the code.  However, brute-force attacks against remote and slow
servers are not very practical to begin with.

Bob Weiss
Password Crackers, Inc.
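
The keyspace reduction discussed in the reply above can be computed exactly rather than estimated. The Python below is an added example for this archive page, not code from the thread or from any cracking tool; it counts, by inclusion-exclusion, how many strings of a given length contain at least one character from every class a policy requires, and cross-checks the formula by enumerating a tiny toy alphabet. The upper/lower/digit classes are the ones named in the thread; the 33-character "special" class is an assumption (printable ASCII punctuation), since the reply does not say which specials it counted.

```python
from itertools import combinations, product

# Constructed character classes. Upper/lower/digit match the policy discussed in
# the thread; the 33-character "special" set is an assumption (printable ASCII
# punctuation), since the reply does not say which specials it counted.
CLASSES = {
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "digit": "0123456789",
    "special": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def count_compliant(class_sizes, required, length):
    """Number of strings of `length` over the union of all classes that contain
    at least one character from every class in `required`.  Inclusion-exclusion:
    start from the full keyspace, subtract strings missing one required class,
    add back those missing two, subtract those missing three, and so on."""
    total = sum(class_sizes.values())
    required = list(required)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = total - sum(class_sizes[c] for c in missing)
            count += (-1) ** k * alphabet ** length
    return count


def fraction_eliminated(class_sizes, required, length):
    """Share of the full keyspace a policy-aware brute force can skip."""
    total = sum(class_sizes.values()) ** length
    return 1.0 - count_compliant(class_sizes, required, length) / total


def meets_policy(candidate, required, classes=CLASSES):
    """The per-candidate filter a policy-aware cracker would run; its cost is
    the overhead the reply says must be benchmarked against the hash check."""
    return all(any(ch in classes[c] for ch in candidate) for c in required)


def brute_count(classes, required, length):
    """Enumerate every string (tiny alphabets only) to cross-check the formula."""
    alphabet = "".join(classes.values())
    return sum(1 for t in product(alphabet, repeat=length)
               if meets_policy("".join(t), required, classes))


def report(class_names, required, lengths):
    """Eliminated fraction per length for the chosen classes and policy."""
    sizes = {c: len(CLASSES[c]) for c in class_names}
    return {n: fraction_eliminated(sizes, required, n) for n in lengths}


if __name__ == "__main__":
    policy = ("upper", "lower", "digit")   # "at least one of each", as in the thread
    for names in (("upper", "lower", "digit"),
                  ("upper", "lower", "digit", "special")):
        for n, frac in report(names, policy, range(4, 9)).items():
            print(f"{'+'.join(names):28s} len={n}: {frac:6.1%} of keyspace skipped")
```

For the 62-character set and the "one upper, one lower, one digit" policy the formula gives 5,029,440 compliant 4-character strings out of 14,776,336 (about 66% skipped) and 438,859,200 of 916,132,832 at length 5 (about 52% skipped); the skipped share keeps shrinking as length grows, which is the reply's main point: the policy saves the least work exactly where a brute force spends the most time. The `meets_policy` filter is the piece whose per-candidate cost has to be benchmarked against the hash check itself, as the second paragraph of the reply describes.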

-----Original Message-----
From: Chris Costantino [mailto:clckct () yahoo com] 
Sent: Thursday, December 01, 2005 12:50 PM
To: pen-test () securityfocus com
Subject: policy-based password cracker

Hi all,

I am looking for a brute-force password cracker that can be configured based
on password policies.  For example, I am trying to audit a system that I
know the security policy on (min/max pw length, complexity rules, etc.).  What
I want is to only brute-force passwords that fit that policy.  Obviously,
min and max are not the issue, but I can not seem to find anything that will
only test passwords that meet complexity requirements (lowercase alpha,
uppercase alpha, number).  Something that generates this into a rainbow
table would be even better...

Anyone aware of such a tool?

Thanks in advance,
Chris



----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web attacks
before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---
