RE: ADS Password Storage Protection

["Depp, Dennis M." <deppdm () ornl gov>]

Do you audit for attempts using brute force to guess passwords?  What
you are describing is a brute force password attempt using well known
pass phrases.  A better pass phase might be something personal like.  "I
have three children and a beautiful wife who stands 5' 7"."  This will
be difficult to guess and will not be found in Bartlett's Book of
Quotations.

Dennis

-----Original Message-----
From: Harold Winshel [mailto:winshel () camden rutgers edu] 
Sent: Tuesday, July 18, 2006 8:41 AM
To: Depp, Dennis M.; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

Dennis,

Yes, I do realize that, but I wonder about two potential problems.  One,
it consists of real words and two, it's a phrase that probably exists
verbatim - punctuation and all - in numerous sources that I figure would
be easily digitized.  So my question is couldn't something like
Bartlett's Book of Quotations, or any other number of compilations of
common phrases and sayings, be included as part of a passphrase cracking
program?

That is, if a dictionary can be thrown at a password, why couldn't a
book of phrases also be thrown at a password?

Harold


At 08:35 AM 7/18/2006, Depp, Dennis M. wrote:
> The phrase you gave, "frankly, my dear, I don't give a damn" meets most

> definitions of complexity.  I has upper and lower case letters and 
> special characters.
>
> Dennis
>
> -----Original Message-----
> From: winshel () camden rutgers edu [mailto:winshel () camden rutgers edu]
> Sent: Saturday, July 15, 2006 12:25 AM
> To: security-basics () securityfocus com
> Subject: Re: RE: ADS Password Storage Protection
>
> I've read and heard many sources say this same thing, i.e., that, for 
> windows systems, length is stronger than short and complex.  And that a
> 15 character or longer password can be a real phrase and it will be a 
> secure password.
>
>
> I can see why a long password that consists of a real phrase - such as 
> "frankly, my dear, I don't give a damn" - would be just as secure as an

> equally long complex password, in terms of protection against a brute 
> force attack.
>
>
> I don't know much about password cracking programs but am surprised 
> that, while they would be working  on a brute force attack, they 
> wouldn't be able to try a lot of commonly-used phrases at the same
time.
> If some password cracking programs can use a dictionary attack, 
> couldn't there also be something called a passphrase attack?  Would it 
> be difficult for a password cracker to digitize Bartlett's Book of 
> Quotations and include that in an attack on a password?
>
> -----------------------------------------------------------------------
> -
> ---
> This list is sponsored by: SensePost
>
> Hacking, like any art, will take years of dedicated study and practice 
> to master. We can't teach you to hack. But we can teach you what we've 
> learned so far. Our courses are honest, real, technical and practical.
> SensePost willl be at Black Hat Vegas in July. To see what we're about,

> visit us at:
>
> http://www.sensepost.com/training.html
> -----------------------------------------------------------------------
> -
> ---

Harold Winshel
Computing and Instructional Technologies Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall Camden NJ 08102
(856) 225-6669 (O)


---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------