Security Basics mailing list archives
Re: Password Cracking
From: "Steve" <securityfocus () delahunty com>
Date: Fri, 17 Sep 2004 13:26:27 -0400
Agreed about monitoring/logging. Also agreed that using systems like SecurID is much better.

In the process of trying to compromise our passwords during a vulnerability assessment, the security vendor we hired locked out many of our accounts. The way they finally got in was to find some passwords that people had stored in other less secure systems and try them on their NT account logins.

Consider also that your password store, like an NT SAM, should be encrypted and not open for an app like LC to hammer. Also, a system to monitor event logs should maybe alert on bad password attempts, and if you see a trend you should think security issues might be the cause. Of course you will also get many instances of plain old users forgetting their passwords.

----- Original Message -----
From: "James McGee" <J.McGee () syn-tec com>
To: <tman () ollopa com>; "xyberpix" <xyberpix () xyberpix com>
Cc: "Fabio Miranda Hamburger" <fabmirha () ns isi ulatina ac cr>; <simont () pop co za>; "Security Basics[List]" <security-basics () securityfocus com>
Sent: Thursday, September 16, 2004 6:27 PM
Subject: RE: Password Cracking

But one thing to remember is that any decent password and account policy will have the user accounts locked out after 3/5/10 failed attempts, and your monitoring and logging system will pick it up. Won't it?

-----Original Message-----
From: tman () ollopa com [mailto:tman () ollopa com]
Sent: 16 September 2004 04:57
To: xyberpix
Cc: Fabio Miranda Hamburger; simont () pop co za; Security Basics[List]
Subject: Re: Password Cracking

I created two accounts today. Test1 with the password noted below ( k;!p-__f, ) and Test2 with the password 4U_'Tis_a_long_password. LC4 cracked Test1 in 4h17m39s. It has not yet cracked Test2. I suspect that it will take almost 3 weeks ( LC4 is saying it will take 19d20h... ). Past experience tells me that it will crack it.

So, knowing that every password can be broken ( it's just a matter of time ) I'm now an advocate of one time passwords ( like RSA SecurID ). I had been an advocate of PKI but having seen the use of keyboard loggers to compromise an enterprise's PKI infrastructure, I'm now off that bandwagon.
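Two points in the exchange above lend themselves to a worked detection example: James McGee's reliance on per-account lockout after 3/5/10 failed attempts, and Steve's suggestion that an event-log monitor should alert on bad-password trends while accepting that many failures are just users who forgot their passwords. The following is an added example written for this page, not code from the thread or from any of its participants. It runs over a constructed, simplified rendering of NT/2000 security-log records (the line format, the use of event 529 as the NT4/2000/XP "bad password" failure and 4625 as its later equivalent, and the thresholds are all assumptions to be tuned locally). It raises a "lockout_risk" alert when one account is one failure short of lockout, and a "spray" alert when one source has tried many different accounts while staying under the per-account threshold, which is the pattern a lockout policy on its own never fires on. A lone account with a couple of failures followed by a success (the forgotten-password case) produces no alert.

```python
"""Trend detection over failed Windows logons (added example, not from the thread)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed (assumed format, not real log output):
#   <ISO-8601 time> <event id> <account> <source workstation>
# 529 = "Logon Failure: Unknown user name or bad password" (NT4/2000/XP),
# 528 = successful logon, 4625 = failed logon on Vista and later.
SAMPLE_LOG = """
2004-09-16T09:00:05 529 alice WS01
2004-09-16T09:01:10 529 alice WS01
2004-09-16T09:02:30 528 alice WS01
2004-09-16T10:15:00 529 bob WS07
2004-09-16T10:15:20 529 bob WS07
2004-09-16T10:15:41 529 bob WS07
2004-09-16T10:16:02 529 bob WS07
2004-09-16T11:30:00 529 carol WS42
2004-09-16T11:30:02 529 dave WS42
2004-09-16T11:30:04 529 erin WS42
2004-09-16T11:30:06 529 frank WS42
2004-09-16T11:30:08 529 grace WS42
2004-09-16T11:30:10 529 heidi WS42
"""

FAILED_LOGON_EVENTS = {"529", "4625"}


def parse_failures(text):
    """Return (time, account, source) for each failed-logon record, oldest first."""
    failures = []
    for line in text.strip().splitlines():
        ts, event_id, account, source = line.split()
        if event_id in FAILED_LOGON_EVENTS:
            failures.append((datetime.fromisoformat(ts), account.lower(), source.lower()))
    failures.sort()
    return failures


def detect(failures, window=timedelta(minutes=30), lockout_threshold=5, spray_accounts=5):
    """Return alerts as (kind, subject, count); each subject is alerted at most once.

    lockout_threshold mirrors the account policy (assumed 5 here); the alert fires one
    failure before the policy would lock the account.  spray_accounts is the number of
    distinct accounts one source may fail against inside the window before we treat it
    as a spray even though no single account is anywhere near lockout.
    """
    near_lockout = lockout_threshold - 1
    by_account = defaultdict(deque)                       # account -> failure times
    by_source = defaultdict(lambda: defaultdict(deque))   # source -> account -> times
    alerts, seen = [], set()

    def trim(q, now):
        # Drop failures that have aged out of the sliding window.
        while q and now - q[0] > window:
            q.popleft()

    for ts, account, source in failures:
        acct_q = by_account[account]
        acct_q.append(ts)
        trim(acct_q, ts)
        if len(acct_q) >= near_lockout and ("lockout_risk", account) not in seen:
            seen.add(("lockout_risk", account))
            alerts.append(("lockout_risk", account, len(acct_q)))

        src = by_source[source]
        src[account].append(ts)
        for q in src.values():
            trim(q, ts)
        # Accounts this source has failed against inside the window, and the worst count.
        counts = [len(q) for q in src.values() if q]
        if (len(counts) >= spray_accounts and max(counts) < near_lockout
                and ("spray", source) not in seen):
            seen.add(("spray", source))
            alerts.append(("spray", source, len(counts)))
    return alerts


def analyze(text=SAMPLE_LOG):
    """Parse the feed and return the alert list."""
    return detect(parse_failures(text))


if __name__ == "__main__":
    for kind, subject, count in analyze():
        print(f"{kind:13s} {subject:8s} failures/accounts in window: {count}")
```

On the constructed feed, alice's two failures followed by a 528 are ignored, bob's four failures from WS07 raise a lockout_risk alert, and WS42's one failure against each of six accounts raises a spray alert once it reaches the fifth account. The spray branch is the one to keep an eye on: with the lockout threshold at 5, an attacker who tries two guesses per account never trips the policy James McGee describes, so per-source counting is what turns Steve's "trend" into an alert.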
Current thread:
- RE: Password Cracking, (continued)
- RE: Password Cracking Andrew Shore (Sep 13)
- RE: Password Cracking Jonathan Loh (Sep 15)
- Re: Password Cracking Dave Aronson (Sep 18)
- RE: Password Cracking Nick Owen (Sep 15)
- RE: Password Cracking William Baglivio (Sep 15)
- RE: Password Cracking easternerd (Sep 23)
- Re: Password Cracking GuidoZ (Sep 15)
- Re: Password Cracking David J. Bianco (Sep 16)
- RE: Password Cracking Jonathan Loh (Sep 15)
- RE: Password Cracking Bénoni MARTIN (Sep 16)
- RE: Password Cracking James McGee (Sep 16)
- Re: Password Cracking Steve (Sep 17)
- RE: Password Cracking Kenton Smith (Sep 17)
- RE: Password Cracking Kenton Smith (Sep 19)
- RE: Password Cracking Dave Aronson (Sep 22)