Educause Security Discussion mailing list archives

Re: Passwords & Passphrases


From: Zach Jansen <zjanse20 () CALVIN EDU>
Date: Tue, 20 Nov 2007 13:54:18 -0500

On 11/19/2007 at 3:01 PM, in message <4741EBAD.2010903 () albany edu>, Martin
Manjak <mm376 () ALBANY EDU> wrote:

This is a tangential topic, but I was wondering if anyone on the list
was familiar with brute force tools that would work against web forms.
My concern is that without some kind of lockout policy, an account with
an 8-character password would be vulnerable to a brute force attack.



You may want to look at Brutus or THC Hydra if you want to run password guessing attacks against login forms. However,
I agree with Gary Flynn's response that this tactic isn't really very useful except to audit against really basic
dictionary-based passwords or default passwords because of the time involved with a large number of attempts.

Zach 


-- 

Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550
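
An added illustration, not part of either message above: a sliding-window lockout policy, and how many password guesses per day it lets through against a single account compared with no lockout. The thresholds (5 failures, 15-minute window and lock), the rate of one guess per second, the 95-symbol alphabet, the 10,000-entry word list and all names in the code are assumptions chosen for the example.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Lock an account after max_failures failed logins within window_s seconds."""

    def __init__(self, max_failures=5, window_s=900, lock_s=900):
        self.max_failures, self.window_s, self.lock_s = max_failures, window_s, lock_s
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def attempt(self, account, now, success):
        """Record one login attempt; return 'locked', 'ok' or 'fail'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"                  # rejected before the password is checked
        if success:
            self.failures.pop(account, None)
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lock_s
            recent.clear()
        return "fail"

def guesses_checked_per_day(policy, account="constructed-user"):
    """Simulate one wrong guess per second (assumed rate) for 24 hours against one
    account; count the guesses the server actually compared to the password."""
    return sum(policy.attempt(account, t, False) == "fail" for t in range(86_400))

def days_to_try(candidates, checked_per_day):
    """Days needed to submit every candidate at the given effective rate."""
    return candidates / checked_per_day

if __name__ == "__main__":
    with_lock = guesses_checked_per_day(LockoutPolicy())
    no_lock = guesses_checked_per_day(LockoutPolicy(max_failures=10**9))
    for label, per_day in (("lockout", with_lock), ("no lockout", no_lock)):
        print(f"{label}: {per_day} guesses/day, "
              f"10,000-word list in {days_to_try(10_000, per_day):.1f} days, "
              f"95**8 keyspace in {days_to_try(95**8, per_day) / 365:.2e} years")
```

Under these assumptions the full 8-character keyspace is out of reach online either way, while the lockout is what stretches a short word list from hours to weeks.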
