Security Basics mailing list archives
RE: UNIX password auditing tool and the search for dictionaries too
From: "Michael Martinez" <mmartinez () tamsco com>
Date: Thu, 7 Aug 2003 14:48:52 -0600
Before you go too far with strong passwords, remember, they do more
harm
than good in most cases. You trust your money to a four digit pin so think about strong authentication, not strong passwords. Two factor can be done with a variety of inexpensive technologies.
Are you kidding me, you are under the impression that a 4 digit pin is secure? I for one have no illusions about how insecure a 4 digit pin actually is! Whatever security is provided by said 4 digit pin is more related to that fact that there are not freely available pin cracking tools for ATM machines...as there are password cracking tools.
Strong passwords are the number one source of denial of service in most environments due to the frequent false reject problem that occurs when users can't keep up with frequent changes and strong password. They're also one of the highest costs for security since it's the number one task for help desks and sys admins to support.
As a help desk supervisor, I assure you that the related cost of time and money supporting the reset of passwords is minimal and therefore a small price to pay for increased security. ...
In terms of dictionaries, I think the aggressive approach would include concatenations and number and special character injections into the words. In more secure environments, were users are battered with
monthly
password changes they usually inject the numeric value for the month somewhere in a common word. But the point is, it's not too difficult to build a really big database of words with special character and numeric injections, run them through the hash algorithm and have a table to check for matches.
If someone were in an environment where they must change their password monthly...they are probably using the wrong technology. Perhaps a combination of different layers would be a better solution to monthly changes. ... -----Original Message----- From: Shane Lahey [mailto:s.lahey () roadrunner nf net] Sent: Monday, August 04, 2003 7:38 PM To: james.easterling () ed gov; security-basics () securityfocus com Subject: RE: UNIX password auditing tool Alec Muffett Crack :: http://www.crypticide.org/users/alecm/
-----Original Message----- From: james.easterling () ed gov [mailto:james.easterling () ed gov] Sent: Monday, August 04, 2003 4:39 PM To: security-basics () securityfocus com Subject: UNIX password auditing tool I have tried searches for UNIX password cracking tools and I have come
up
with little value. Can someone direct me to passwd auditing tools besides "John The Ripper" that are free or cost? Regards, James
------------------------------------------------------------------------ --
-
------------------------------------------------------------------------ --
--
------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- ------------------------------------------------------------------------ --- ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- RE: UNIX password auditing tool and the search for dictionaries too kenkousky (Aug 07)
- RE: UNIX password auditing tool and the search for dictionaries too Michael Martinez (Aug 07)
- Re: UNIX password auditing tool and the search for dictionaries too Adam Newhard (Aug 08)
- more on strong passwords - a reply kenkousky (Aug 08)
- RE: UNIX password auditing tool and the search for dictionaries too Nick Owen (Aug 13)
- Re: UNIX password auditing tool and the search for dictionaries too Adam Newhard (Aug 08)
- <Possible follow-ups>
- RE: UNIX password auditing tool and the search for dictionaries too Tomas Wolf (Aug 11)
- RE: UNIX password auditing tool and the search for dictionaries too Tim Heagarty (Aug 11)
- RE: UNIX password auditing tool and the search for dictionaries too Mike Dresser (Aug 11)
- RE: UNIX password auditing tool and the search for dictionaries too Michael Martinez (Aug 07)