Bugtraq mailing list archives

Re: Not so much a bug as a warning of new brute force attack


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Wed, 5 Jun 1996 19:44:13 -0400


[...POP as a way to brute-force passwords...]

Why not just change the system so that it won't accept a dictionary
name as a valid password[?]

Many systems do exactly that already, as several people have pointed
out.

The main way to crack password files seems to involve using
dictionary files (that you can easily get from the net) and using
brute force to compare the encrypted dictionary words to the
encrypted passwords.

True, but irrelevant to the POP discussion, since the attacker is not
doing the encrypt-and-compare.  If you don't trust your password
database to stay secret - and I don't, not on any machine with more
than a handful of users - then dictionary cracking is a real danger.
If you want to stop it, the simplest thing to do is to modify or
replace the hashing algorithm.  Under NetBSD, I completely replaced it,
with one based on MD5 and with much higher iteration count limits;
under vendor binary-only systems, I so far have found I can tweak the
provided libc to change the DES repeat count from 25 to (if memory
serves) 4095, an inherent gain in difficulty of over 150 and a
practical gain of much more because stock cracking programs simply
won't work (if such things become common, the practical gain diminishes
to approach the inherent gain, of course).  I also found I could change
the constant the algorithm starts off with, which is of little value
except that the new constant is not stored anywhere trivial for users
to pick up and thus easy for crackers to social-engineer out of us; it
just increases the "practical gain" factor a bit and was easy to do.

But of course this runs into a cost/benefit tradeoff.  The main reason
I invested the effort is that we _know_ we've been compromised in the
past through someone scamming our password database - probably through
no-brainer social engineering - and dictionary-cracking it on big iron
elsewhere.

As for POP, yeah, log failed attempts, dump the connection after some
small number of failures (I've seen 1 and 3 mentioned), and sleep for a
second or two before even attempting an access check, those should
defeat brute-forcing you that way.  (Defeating a denial-of-service
attack is a _lot_ harder, but that problem is hardly POP-specific.)

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
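The hashing change der Mouse describes above (raise the iteration count so each dictionary guess costs more, and store the count with the hash so it can be raised again later) as an added example that is not part of the original post and is not his NetBSD or libc code: an illustrative salted, iterated MD5 scheme with a hypothetical "$md5iter$" entry format, beside the encrypt-and-compare attack it slows down. The wordlist is constructed. MD5 is used only because the post names it; a new system should use bcrypt, scrypt or Argon2 rather than a hand-rolled chain.

```python
import hashlib
import hmac
import os

# Illustrative scheme, not der Mouse's replacement crypt() and not any vendor's.
SCHEME = "md5iter"


def iterated_md5(password: str, salt: bytes, rounds: int) -> bytes:
    """Chain MD5 over salt+digest `rounds` times; work grows linearly in rounds."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.md5(salt + digest).digest()
    return digest


def make_entry(password: str, rounds: int, salt=None) -> str:
    """Password-file entry recording scheme, round count and salt, so the
    round count can be raised later without changing the file format."""
    salt = os.urandom(8) if salt is None else salt
    return "$".join(["", SCHEME, str(rounds), salt.hex(),
                     iterated_md5(password, salt, rounds).hex()])


def parse_entry(entry: str):
    _, scheme, rounds, salt_hex, digest_hex = entry.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    return int(rounds), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def check_password(entry: str, candidate: str) -> bool:
    """Login-time check; constant-time compare so timing leaks nothing."""
    rounds, salt, digest = parse_entry(entry)
    return hmac.compare_digest(iterated_md5(candidate, salt, rounds), digest)


def dictionary_crack(entry: str, wordlist):
    """The attacker's encrypt-and-compare loop over a stolen entry.
    Returns (matching word or None, MD5 operations spent)."""
    rounds, salt, digest = parse_entry(entry)
    ops = 0
    for word in wordlist:
        ops += rounds                      # every guess costs `rounds` hashes
        if iterated_md5(word, salt, rounds) == digest:
            return word, ops
    return None, ops


def inherent_gain(old_rounds: int, new_rounds: int) -> float:
    """Per-guess slowdown from raising the round count; 25 -> 4095 is 163.8x."""
    return new_rounds / old_rounds


# Constructed stand-in for a dictionary downloaded from the net.
WORDLIST = ["password", "letmein", "secret", "qwerty"]

if __name__ == "__main__":
    salt = bytes.fromhex("0011223344556677")   # fixed salt so runs are repeatable
    weak = make_entry("secret", 25, salt)
    strong = make_entry("Tr0ub4dor&3", 4095, salt)
    print(dictionary_crack(weak, WORDLIST))      # ('secret', 75)
    print(dictionary_crack(strong, WORDLIST))    # (None, 16380)
    print(inherent_gain(25, 4095))               # 163.8
```

The "practical gain" the post mentions shows up here too: a cracker built for the stock 25-round format cannot parse the "$md5iter$" entry at all until someone adds support, after which only the inherent gain remains.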


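The POP countermeasures in the post (sleep before the access check, log every failure, drop the connection after a small number of failures) as an added example that is not part of the original post and is not any real POP server's code: a per-connection login guard with an injectable sleep so the attacker's cost can be measured, plus a small cost model for a dictionary run against it. The credential store, peer address and log lines are constructed; a real server would check the system's password database and log via syslog.

```python
import hmac
import math
import time


class PopLoginGuard:
    """Per-connection state for a hypothetical POP3 server's USER/PASS handling."""

    def __init__(self, credentials, max_failures=3, delay_seconds=2.0,
                 sleep=time.sleep, peer="203.0.113.5"):
        self.credentials = credentials        # constructed: user -> password
        self.max_failures = max_failures      # the post mentions 1 and 3 in use
        self.delay_seconds = delay_seconds
        self.sleep = sleep                    # injectable so tests need not wait
        self.peer = peer
        self.log = []
        self.failures = 0
        self.dropped = False

    def login(self, user, password):
        """Return the POP reply line; raise once the connection has been dropped."""
        if self.dropped:
            raise ConnectionError("connection closed by server")
        # Pay the delay before touching the credential store, so every guess,
        # right or wrong, costs the attacker wall-clock time.
        self.sleep(self.delay_seconds)
        expected = self.credentials.get(user, "")
        ok = user in self.credentials and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self.log.append(f"pop3: login ok user={user} from {self.peer}")
            self.failures = 0
            return "+OK Logged in"
        self.failures += 1
        self.log.append(f"pop3: login failed user={user} from {self.peer} "
                        f"({self.failures}/{self.max_failures})")
        if self.failures >= self.max_failures:
            self.dropped = True
            self.log.append(f"pop3: dropping {self.peer} after "
                            f"{self.failures} failures")
            return "-ERR too many failed logins, closing connection"
        return "-ERR invalid login"


def brute_force_cost(guesses, max_failures=3, delay_seconds=2.0):
    """Connections and seconds an attacker needs to push `guesses` passwords
    through such a guard, reconnecting after every drop."""
    return math.ceil(guesses / max_failures), guesses * delay_seconds


if __name__ == "__main__":
    guard = PopLoginGuard({"alice": "correct horse"}, sleep=lambda s: None)
    for guess in ["password", "letmein", "qwerty"]:
        print(guard.login("alice", guess))
    print("\n".join(guard.log))
    print(brute_force_cost(10000))           # (3334, 20000.0)
```

The delay is what turns a network brute-force into a slow one: 10,000 guesses at two seconds each is over five hours and thousands of reconnects, all of them logged. As the post notes, the same delay and connection drop do nothing against an attacker whose goal is to tie the server up rather than to log in.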
