Security Basics mailing list archives

Re: Password Cracking


From: "Steve" <securityfocus () delahunty com>
Date: Fri, 17 Sep 2004 13:26:27 -0400

Agreed about monitoring/logging.  Also agreed that using systems like
SecureID is much better.

In the process of trying to compromise our passwords, during a vulnerability
assessment the security vendor we hired locked out many of our accounts.
The way they finally got in was to find some passwords that people had
stored in other less secure systems and try them on their NT account logins.

Consider also that your password store, like an NT SAM, should be encrypted
and not open for an app like LC to hammer.

Also, a system to monitor event logs should maybe alert on bad password
attempts, and if you see a trend you should think security issues might be
the cause.  Of course you will also get many instances of plain old users
forgetting their passwords.


----- Original Message ----- 
From: "James McGee" <J.McGee () syn-tec com>
To: <tman () ollopa com>; "xyberpix" <xyberpix () xyberpix com>
Cc: "Fabio Miranda Hamburger" <fabmirha () ns isi ulatina ac cr>;
<simont () pop co za>; "Security Basics[List]"
<security-basics () securityfocus com>
Sent: Thursday, September 16, 2004 6:27 PM
Subject: RE: Password Cracking


But one thing to remember is that any decent password and account policy
will have the user accounts locked out after 3/5/10 failed attempts, and
your monitoring and logging system will pick it up,

Won't it?



-----Original Message-----
From: tman () ollopa com [mailto:tman () ollopa com]
Sent: 16 September 2004 04:57
To: xyberpix
Cc: Fabio Miranda Hamburger; simont () pop co za; Security Basics[List]
Subject: Re: Password Cracking

I created two accounts today: Test1 with the password noted below
( k;!p-__f, ) and Test2 with the password 4U_'Tis_a_long_password.

LC4 cracked Test1 in 4h17m39s.  It has not yet cracked Test2.  I suspect
that it will take almost 3 weeks ( LC4 is saying it will take 19d20h... ).
Past experience tells me that it will crack it.

So, knowing that every password can be broken ( it's just a matter of
time ) I'm now an advocate of one time passwords ( like RSA SecurID ).  I had
been an advocate of PKI but having seen the use of keyboard loggers to
compromise an enterprise's PKI infrastructure, I'm now off that
bandwagon.
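The two monitoring points raised in the thread (Steve's "alert on bad password attempts, but expect noise from users forgetting their passwords" and James McGee's "lockout after 3/5/10 failures will be picked up by logging") can be turned into concrete detection logic. The block below is an added example written for this archive page, not code from any of the posters. It runs over a constructed sample log in a simplified "timestamp,event_id,account,source" form (not the exact Windows Security log export format); event ID 529 is the NT/2000 "unknown user name or bad password" failure, 528 a successful logon, and 4625 the Vista-and-later failure equivalent. The thresholds and the 10-minute window are assumptions chosen for illustration.

```python
"""
Failed-logon detection over Windows Security style events.

Two rules are applied over a sliding time window:
  - brute_force: one account collects >= per_account_threshold failures
    (the case an account-lockout policy would also catch)
  - spray: one source fails against >= spray_accounts distinct accounts,
    even if each account sees only one or two failures and never locks out
A user who mistypes a password two or three times triggers neither rule,
which is the "plain old users forgetting their passwords" noise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {"529", "4625"}   # NT/2000 bad password, Vista+ equivalent

# Constructed sample log (not real data): jsmith mistypes twice then logs on;
# 10.0.0.99 tries one password against many accounts; 10.0.0.50 hammers admin.
SAMPLE_LOG = """\
2004-09-16T08:01:10,529,jsmith,10.0.0.15
2004-09-16T08:01:25,529,jsmith,10.0.0.15
2004-09-16T08:02:03,528,jsmith,10.0.0.15
2004-09-16T09:10:00,529,alice,10.0.0.99
2004-09-16T09:10:02,529,bob,10.0.0.99
2004-09-16T09:10:04,529,carol,10.0.0.99
2004-09-16T09:10:06,529,dave,10.0.0.99
2004-09-16T09:10:08,529,erin,10.0.0.99
2004-09-16T09:10:10,529,frank,10.0.0.99
2004-09-16T09:10:12,529,grace,10.0.0.99
2004-09-16T09:10:14,529,heidi,10.0.0.99
2004-09-16T11:00:00,529,admin,10.0.0.50
2004-09-16T11:00:01,529,admin,10.0.0.50
2004-09-16T11:00:02,529,admin,10.0.0.50
2004-09-16T11:00:03,529,admin,10.0.0.50
2004-09-16T11:00:04,529,admin,10.0.0.50
"""


def parse_log(text):
    """Parse the simplified CSV form into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(",")
        events.append((datetime.fromisoformat(ts), event_id, account, source))
    return events


def failed_logon_alerts(events, window=timedelta(minutes=10),
                        per_account_threshold=5, spray_accounts=5):
    """Return a list of alert dicts; each key fires at most once per run."""
    failures = sorted(e for e in events if e[1] in FAILED_LOGON_IDS)
    alerts = []

    def sliding(keyfn, countfn, threshold, kind):
        buckets = defaultdict(list)
        fired = set()
        for ev in failures:
            key = keyfn(ev)
            bucket = buckets[key]
            bucket.append(ev)
            # Drop failures that fell out of the window relative to this event.
            while bucket and ev[0] - bucket[0][0] > window:
                bucket.pop(0)
            count = countfn(bucket)
            if count >= threshold and key not in fired:
                fired.add(key)
                alerts.append({"kind": kind, "key": key, "count": count, "at": ev[0]})

    # Rule 1: many failures against one account (any source).
    sliding(lambda e: e[2], len, per_account_threshold, "brute_force")
    # Rule 2: one source failing against many distinct accounts.
    sliding(lambda e: e[3], lambda b: len({e[2] for e in b}), spray_accounts, "spray")
    return alerts


if __name__ == "__main__":
    for alert in failed_logon_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data the admin account trips the brute-force rule and 10.0.0.99 trips the spray rule, while jsmith's two mistakes produce nothing. The spray rule is the one worth having in addition to lockout: a source that tries one guess per account stays under any per-account lockout threshold, so lockout events alone will not show it, but the per-source distinct-account count does.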




