Penetration Testing mailing list archives
RE: policy-based password cracker
From: "Password Crackers, Inc." <pwcrack () pwcrack com>
Date: Fri, 2 Dec 2005 11:53:32 -0500
Depending upon the specific policies, you may not save a significant amount of time by limiting the brute-force attack. For instance, consider a policy that required at least one upper, one lower and one number in all passwords. Let's first assume that the possible character set for passwords is upper/lower/number. For four character passwords, 19% of the possible password checks can be eliminated due to the policy. For five character passwords, only 9% would be eliminated and the percentage would continue to drop as the length increases. If the possible character set included upper/lower/number/special characters, the policy would only eliminate 3% of the possible 4 character passwords and 1% of the possible 5 character passwords. Since the vast majority of the time for a brute-force attack is spent on the largest length checked and since the number of tests that can be eliminated due to the policy declines with length, I suspect that limiting the brute-force attack due to policy might only be worthwhile for some highly specific policies. Also, most brute-force attacks are very fast. One would need to test the speed of eliminating a password vs. the speed of testing a password. If you needed code to determine whether a password passed the policy, the overhead of this code on all passwords might eliminate any savings vs. just testing all of the passwords. This would have to be benchmarked on a case-by-case and policy-by-policy basis. Obviously, if the password testing is against a remote server/resource and the testing is slow, then the savings of not testing even a small number of passwords would more than make up for the overhead in the code. However, brute-force attacks against remote and slow servers is not very practical to begin with. Bob Weiss Password Crackers, Inc. -----Original Message----- From: Chris Costantino [mailto:clckct () yahoo com] Sent: Thursday, December 01, 2005 12:50 PM To: pen-test () securityfocus com Subject: policy-based password cracker Hi all, I am looking for a brute-force password cracker that can be configured based on password policies. For example, I am trying to audit a system that I know the security policy on (min/max pw length, complexity rules, etc) What I want is to only brute-force passwords that fit that policy. Obviously, min and max is not the issue, but I can not seem to find anything that will only test passwords that meet complexity requirements (lowercase alpha, uppercase alpha, number). Something that generates this into a rainbow table would be even better..... Anyone aware of such a tool? Thanks in advance, Chris __________________________________________ Yahoo! DSL - Something to write home about. Just $16.99/mo. or less. dsl.yahoo.com ---------------------------------------------------------------------------- -- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ---------------------------------------------------------------------------- --- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- policy-based password cracker Chris Costantino (Dec 01)
- Re: policy-based password cracker Rembrandt (Dec 01)
- Re: policy-based password cracker thomas springer (Dec 02)
- Re: policy-based password cracker Thierry Zoller (Dec 02)
- Re: policy-based password cracker David Cravshaw (Dec 03)
- RE: policy-based password cracker Password Crackers, Inc. (Dec 03)
- <Possible follow-ups>
- RE: policy-based password cracker Miguel Dilaj (Dec 03)
- RE: policy-based password cracker Shenk, Jerry A (Dec 04)