RE: UNIX password auditing tool and the search for dictionaries too

["Michael Martinez" <mmartinez () tamsco com>]

> Before you go too far with strong passwords, remember, they do more
harm
> than good in most cases. You trust your money to a four digit pin so
> think about strong authentication, not strong passwords. Two factor can
> be done with a variety of inexpensive technologies.

Are you kidding me, you are under the impression that a 4 digit pin is
secure?  I for one have no illusions about how insecure a 4 digit pin
actually is!  Whatever security is provided by said 4 digit pin is more
related to that fact that there are not freely available pin cracking
tools for ATM machines...as there are password cracking tools.

> Strong passwords are the number one source of denial of service in most
> environments due to the frequent false reject problem that occurs when
> users can't keep up with frequent changes and strong password. They're
> also one of the highest costs for security since it's the number one
> task for help desks and sys admins to support.

As a help desk supervisor, I assure you that the related cost of time
and money supporting the reset of passwords is minimal and therefore a
small price to pay for increased security.

...

> In terms of dictionaries, I think the aggressive approach would include
> concatenations and number and special character injections into the
> words. In more secure environments, were users are battered with
monthly
> password changes they usually inject the numeric value for the month
> somewhere in a common word. But the point is, it's not too difficult to
> build a really big database of words with special character and numeric
> injections, run them through the hash algorithm and have a table to
> check for matches.

If someone were in an environment where they must change their password
monthly...they are probably using the wrong technology.  Perhaps a
combination of different layers would be a better solution to monthly
changes. 

...

-----Original Message-----
From: Shane Lahey [mailto:s.lahey () roadrunner nf net]
Sent: Monday, August 04, 2003 7:38 PM
To: james.easterling () ed gov; security-basics () securityfocus com
Subject: RE: UNIX password auditing tool

Alec Muffett Crack :: http://www.crypticide.org/users/alecm/

> -----Original Message-----
> From: james.easterling () ed gov [mailto:james.easterling () ed gov]
> Sent: Monday, August 04, 2003 4:39 PM
> To: security-basics () securityfocus com
> Subject: UNIX password auditing tool
>
>
>
> I have tried searches for UNIX password cracking tools and I have come
up
> with little value.  Can someone direct me to passwd auditing tools
> besides "John The Ripper" that are free or cost?
>
> Regards,
> James
------------------------------------------------------------------------
--
> -
------------------------------------------------------------------------
--
> --



------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


------------------------------------------------------------------------
---
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
----------------------------------------------------------------------------