Bugtraq mailing list archives
Re: Not so much a bug as a warning of new brute force attack
From: shaunl () march co uk (Shaun Lowry)
Date: Tue, 4 Jun 1996 10:12:13 +0100
"Brett L. Hawn" <blh () nol net> wrote:
> You can lead a user to a good password but you can only make them use it for so long.
Is this not desirable? The longer they keep that good password, the worse it gets. Make them choose another good password!
> Not to mention anyone with the time and desire can create a fairly nifty 'dictfile' like I did a few years back. All it takes is some simple brain power and a LOT of disk space, a quick file that prints all variations of 5-8 character length combinations to a file. I stopped mine at 238megs and it was still going strong.
When talking in terms of attacking a daemon across a relatively low-bandwidth network (as we were), a dictionary attack on 238Mb of passwords is a) going to take a long time and b) hopefully won't go unnoticed. Agreed, if you have the encrypted passwords locally and have plenty of CPU time to spare, knock yourself out. If someone *really* wants to crack a publicly accessible account on your system they will, but this implies a finely targeted attack. Most attackers will ask themselves the question "Where can I get in easily?" rather than "How do I get in here?"
> Brett
Shaun.
--
Shaun Lowry           | March Systems Ltd., http://www.march.co.uk/
PGP Key available     | 14 Brewery Court, High St.,
from key servers or   | Theale, UK. RG7 5AJ
via e-mail on request | +44 1734 304224