Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: ADS Password Storage Protection

From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 20 Jul 2006 20:49:07 -0400
There isn't any publicly domain software that specifically attacks
passphrases that I know of, but creating a tool like that should be
almost trivial for a regular programmer. It could be scripted with a few
dozen lines of code. The program would use a password dictionary and
treat each word as character, and apply varying combinations of those
words, in different forms, in varying cases, along with spaces and other
symbols to create one longer password that is then hashed and compared. 

But if one was created, mathematically, a passphrase only using words
would suddenly become much weaker than bruteforcing each character
alone. Several researchers and thinkers have concluded that a typical
passphrase containing only whole words would be less secure than a much
shorter, more complex password. And I support this idea completely.

But there aren't tools like this in the public domain, and there is no
way to guarantee real complexity on shorter passwords. Since the vast
majority of people will use a much smaller character set than is
available for them to use, the effective security of a shorter password
becomes equivalent to how smart the brute force/dictionary cracker is in
its hybrid attack.  My my experience, John the Ripper and Cain can both
be configured to guess on much smaller character sets than the password
administrators think users are availing themselves of, and hence their
shorter password aren't that much complex, just shorter.

I hate that if I want to use a 30 character long password/passphrase,
which would be much more difficult to break than a 6 character "complex"
password, that nearly every system requires that I input "complexity"
into my already uncrackable password.  

-----Original Message-----
From: Harold Winshel [mailto:winshel () camden rutgers edu] 
Sent: Thursday, July 20, 2006 8:08 PM
To: Roger A. Grimes; Depp, Dennis M.; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

Roger,

Just to clarify, when I mention password cracking, I'm strictly
referring to passwored cracking software.

You make good points but, for purposes of discussion I'm excluding
protection against shoulder surfing or people trying to manually guess a
password.

So, if I understand your answer - strictly in terms of a brute force
attack - any given 15-character password would be just as strong as any
other 15-character password.

If that's the case, then I go back to one of my original questions,
which is whether there is such a thing as a passphrase attack.  I am not
knowledgeable about password cracking software but it strikes me as
something that should be easy to include in a password cracking program.

Harold


At 09:14 AM 7/20/2006, Roger A. Grimes wrote:

Yes, as long as I didn't know that was your password.

To second my yes, most password crackers don't guess sequentially, they



guess randomly (birthday attack theory), so it's not even like 
aaaaaaaaaaaaa would come be guaranteed to up first before 
5adf,nasa73@#$. A dictionary attack would fail, so only brute force or 
luck could find it.

I think it would be a strange logon, easy to recreate, for someone 
shoulder surfing though.

-----Original Message-----
From: Harold Winshel [mailto:winshel () camden rutgers edu]
Sent: Thursday, July 20, 2006 6:17 AM
To: Roger A. Grimes; Depp, Dennis M.; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

Please correct me if I'm wrong.  If length is the tool for a secure 
windows passphrase then, in theory, a password of "aaaaaaaaaaaaaaa"
should be just as strong as a 15-character password consisting of 
random characters?

Thanks,



At 02:55 PM 7/18/2006, Roger A. Grimes wrote:

My conjecture is that franklyidon'tgiveadamn is pretty uncrackable as



well. No complexity, but length prevents it from being easily 
broken...non-trivial.  Pull out the complexity and the length is 
still insurmountable in most cases.

If you don't believe that then break my 123456789012345 length, no 
complexity challenges.

-----Original Message-----
From: Depp, Dennis M. [mailto:deppdm () ornl gov]
Sent: Tuesday, July 18, 2006 8:36 AM
To: winshel () camden rutgers edu; security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

The phrase you gave, "frankly, my dear, I don't give a damn" meets 
most



definitions of complexity.  I has upper and lower case letters and 
special characters.

Dennis

-----Original Message-----
From: winshel () camden rutgers edu [mailto:winshel () camden rutgers edu]
Sent: Saturday, July 15, 2006 12:25 AM
To: security-basics () securityfocus com
Subject: Re: RE: ADS Password Storage Protection

I've read and heard many sources say this same thing, i.e., that, for



windows systems, length is stronger than short and complex.  And that



a
15 character or longer password can be a real phrase and it will be a



secure password.


I can see why a long password that consists of a real phrase - such 
as "frankly, my dear, I don't give a damn" - would be just as secure 
as an



equally long complex password, in terms of protection against a brute



force attack.


I don't know much about password cracking programs but am surprised 
that, while they would be working  on a brute force attack, they 
wouldn't be able to try a lot of commonly-used phrases at the same

time.



If some password cracking programs can use a dictionary attack, 
couldn't there also be something called a passphrase attack?  Would 
it be difficult for a password cracker to digitize Bartlett's Book of



Quotations and include that in an attack on a password?

---------------------------------------------------------------------
--
-
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and 
practice to master. We can't teach you to hack. But we can teach you 
what we've learned so far. Our courses are honest, real, technical

and practical.

SensePost willl be at Black Hat Vegas in July. To see what we're 
about,



visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------
--
-
---


---------------------------------------------------------------------
--
-
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and 
practice to master. We can't teach you to hack. But we can teach you 
what we've learned so far. Our courses are honest, real, technical

and practical.

SensePost willl be at Black Hat Vegas in July. To see what we're 
about,



visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------
--
-
---


Harold Winshel
Computing and Instructional Technologies Faculty of Arts & Sciences 
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall Camden NJ 08102
(856) 225-6669 (O)


Harold Winshel
Computing and Instructional Technologies Faculty of Arts & Sciences
Rutgers University, Camden Campus
311 N. 5th Street, Room B36 Armitage Hall Camden NJ 08102
(856) 225-6669 (O)


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: