RE: UNIX password auditing tool and the search for dictionaries too

["Nick Owen" <nowen () wikidsystems com>]

It's interesting that you think the cost of resets are minimal.  Are yours
automated in some way?    Almost all the companies that I talk to say it is
30-40% of all calls.  Only one company knew what the cost per call was, but
all agreed with the Gartner estimate of $15-25 per.  Gartner will also tell
you that on average employees call 4-5 times per year, making passwords cost
$60-100 per user per year.  While that may be worth the extra security,
there are cheaper solutions.

Here is a recent article about passwords:

http://www.scmagazine.com/scmagazine/2003_06/cover/index.html

Another issue that many companies have is remote users locked out after
hours or on the weekends because they don't have a 24x7 helpdesk.  Few
companies, though want to implement the "20 questions" password reset
automation software, since most of them are big honking implementations.

I think the point re: 4 digit PINs is suggesting strong authentication.
However, to equate an ATM system to an IT system is tough.  There are a lot
of different implications/costs/benefits. The PIN attack as reported in The
Register was against ATM hardware security modules (I didn't actually read
the paper, just the article).  So, it shouldn't apply to an IT system.
However, there is a different attack against fixed length one-time
passcodes:    http://www.tux.org/pub/security/secnet/papers/secureid.pdf.
So a system with variable one-time passcode lengths and 4 digit PINs may be
more secure than a 6 digit pin and a 6 digit passcode.

Nick




--
Nick Owen
CEO
WiKID Systems, Inc.
404-879-5227
nowen () wikidsystems com
http://www.wikidsystems.com
The End of Passwords
--


> -----Original Message-----
> From: Michael Martinez [mailto:mmartinez () tamsco com]
> Sent: Thursday, August 07, 2003 4:49 PM
> To: security-basics () securityfocus com
> Subject: RE: UNIX password auditing tool and the search for dictionaries
> too
>
>
> > Before you go too far with strong passwords, remember, they do more
> harm
> > than good in most cases. You trust your money to a four digit pin so
> > think about strong authentication, not strong passwords. Two factor can
> > be done with a variety of inexpensive technologies.
>
> Are you kidding me, you are under the impression that a 4 digit pin is
> secure?  I for one have no illusions about how insecure a 4 digit pin
> actually is!  Whatever security is provided by said 4 digit pin is more
> related to that fact that there are not freely available pin cracking
> tools for ATM machines...as there are password cracking tools.
>
> > Strong passwords are the number one source of denial of service in most
> > environments due to the frequent false reject problem that occurs when
> > users can't keep up with frequent changes and strong password. They're
> > also one of the highest costs for security since it's the number one
> > task for help desks and sys admins to support.
>
> As a help desk supervisor, I assure you that the related cost of time
> and money supporting the reset of passwords is minimal and therefore a
> small price to pay for increased security.
>
> ...
>
> > In terms of dictionaries, I think the aggressive approach would include
> > concatenations and number and special character injections into the
> > words. In more secure environments, were users are battered with
> monthly
> > password changes they usually inject the numeric value for the month
> > somewhere in a common word. But the point is, it's not too difficult to
> > build a really big database of words with special character and numeric
> > injections, run them through the hash algorithm and have a table to
> > check for matches.
>
> If someone were in an environment where they must change their password
> monthly...they are probably using the wrong technology.  Perhaps a
> combination of different layers would be a better solution to monthly
> changes.
>
> ...
>
> -----Original Message-----
> From: Shane Lahey [mailto:s.lahey () roadrunner nf net]
> Sent: Monday, August 04, 2003 7:38 PM
> To: james.easterling () ed gov; security-basics () securityfocus com
> Subject: RE: UNIX password auditing tool
>
> Alec Muffett Crack :: http://www.crypticide.org/users/alecm/
>
> > -----Original Message-----
> > From: james.easterling () ed gov [mailto:james.easterling () ed gov]
> > Sent: Monday, August 04, 2003 4:39 PM
> > To: security-basics () securityfocus com
> > Subject: UNIX password auditing tool
> >
> >
> >
> > I have tried searches for UNIX password cracking tools and I have come
> up
> > with little value.  Can someone direct me to passwd auditing tools
> > besides "John The Ripper" that are free or cost?
> >
> > Regards,
> > James
> ------------------------------------------------------------------------
> --
> > -
> ------------------------------------------------------------------------
> --
> > --
>
>
>
> ------------------------------------------------------------------------
> ---
> ------------------------------------------------------------------------
> ----
>
>
> ------------------------------------------------------------------------
> ---
> ------------------------------------------------------------------------
> ----
>
>
> ------------------------------------------------------------------
> ---------
> ------------------------------------------------------------------
> ----------



---------------------------------------------------------------------------
----------------------------------------------------------------------------