Bugtraq mailing list archives

Re: Not so much a bug as a warning of new brute force attack


From: taob () io org (Brian Tao)
Date: Sun, 9 Jun 1996 01:05:38 -0400


On Mon, 3 Jun 1996, Aaron Merifield wrote:

> Why not just change the system so that it won't accept a dictionary
> name as a valid password.  Six to eight characters and at least 1 or 2
> numbers would make it a little more difficult too.

    We did just that a few months ago after running through our
/etc/master.passwd and cracking some 1800 accounts in total.  All
accounts were expired at once and a replacement /usr/bin/passwd linked
with CrackLib was installed.  The extra time needed to do a thorough
check of a newly supplied password against a large dictionary and the
Crack ruleset is negligible, but it decreases the guessability of new
passwords to nearly zero.

    Another good trick, if your OS supports it, is to use an alternate
hash method and long passwords.  Our servers run FreeBSD.  It has the
option of using either DES or MD5 encryption.  The public servers use
DES for compatibility, but internal machines have the default MD5 libs
installed.  I would suspect that your average hacker wouldn't know
what to do if he found "$1$rEU5lGMq$x5g.f98lqkUfQ8rn89foQl" in the
encrypted password field.

    Long passwords are not only exponentially more difficult to guess
than short ones, they can ironically be easier to remember.  For
example, "In London, April is a spring month." is a perfectly good
password and not subject to truncation (FreeBSD's _PASSWORD_LEN is
128).  Toss in some transformations, "InLndn:AprilIsAspringMonth",
and you have something virtually unguessable yet you don't need to
write it down anywhere.
--
Brian Tao (BT300, taob () io org, taob () ican net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
