Firewall Wizards mailing list archives

Re: "Proactive" Password Checking


From: Eric Budke <budke () budke com>
Date: Fri, 12 Nov 1999 05:00:18 -0500

Probably 90% of successful attacks against systems could be prevented with basic password checkers. (I'm using the Samuel Clemens polling methods...throw a number out, people will probably believe it). For those who have run crack or l0phtcrack often, it is scary the number of passwords that are cracked in the first 30 seconds (or plain dictionary attacks). From an attacking standpoint, crack may not get the root password in a week, but who cares, I have valid user access because some bonehead added a 1 to the end of their username and called it a password.

There are a couple people I know who do some light statistics on password content to see how it varies around the world at their offices. Guess what, amongst the female-starved tech workers, women's names are among the most popular world-wide.

Move to the NT side, and anytime you pull the hash, you're going to crack everything eventually. Just give it time.

Password lockout rules. Yea, they'd be great if people used them. Reusable passwords are the ultimate problem.

Pull a list of female names, a few language dictionaries and you are going to break most passwords on a corporate network. This crosses national boundaries. The female names will probably crack a good portion of the song titles too.

At 02:15 PM 11/11/99 , Rick Smith wrote:
Paul McNabb said:

>>If it is known that this is your password technique, I am sure a lot of
>>passwords will be easily cracked in short order.  >;->  There are a

Eric Toll replied:

>Methinks not.  The account gets locked after 5 wrong guesses.
>*Please explain.

It depends on the types of attacks you're defending against. Paul is
undoubtedly referring to dictionary attacks. The dictionary attack is
off-line with respect to the server under attack, so it can't detect the
attack and lock the account. Conventional wisdom is that dictionary attacks
are practical against most systems.

>>finite number of truly popular songs.  Just listen to what a target hums
>Sounds pretty obscure to me "just listen to what someone is humming" ?
>or were you making a joke?  - - I can't tell.

It's a variant of the "shoulder surfing" attack.

>What if said person is in another state or country?
>*Please explain

One wants passwords to work locally as well as remotely. If they can't
provide reliable local authentication, then they're not much good at all.
Personally, I think passwords are just about worthless for really remote
authentication (i.e. off the site's LAN), though they're somewhat more
tolerable when used with SSL or other channel crypto protection.

>I was not aware that there were lyric dictionaries on the net.  lol
>*How bout posting some links?

The fundamental problem is that English text is estimated by some to have 1
or 1.5 bits of entropy per letter. I expect that it's about the same for
other languages, so the entropy grows relatively slowly even if you switch
between languages. If the attacker can mount a brute force attack then he
can exploit the low entropy.

Personally, I agree that it's useful to know which types of words and
phrases reside in online cracker dictionaries. It at least provides a
measure of whether attackers can be script kiddies or if they need serious
knowledge. The absence of a dictionary does not really assure that a
memorable password can't be cracked.



Rick.
smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/

--
PGP Key can be found at http://www.budke.com/pgp/budke_budke_com.txt
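A proactive checker along the lines the thread argues for (reject username-plus-digit passwords, first names and dictionary words even after simple mangling, and strings with too little entropy), as an added example that is not part of the original posts. The word lists are tiny constructed stand-ins for the name and language dictionaries mentioned above, and the mangling rules, leet map and thresholds are assumptions.

```python
import math
import re

# Constructed sample word lists standing in for the female-name list and
# language dictionaries the post describes; a real checker loads full files.
FEMALE_NAMES = {"susan", "maria", "jennifer", "anna", "linda"}
DICTIONARY = {"password", "welcome", "secret", "summer", "dragon", "london"}
# Assumed leet-speak substitutions a cracker's rule set would undo.
LEET = str.maketrans("0134$@!", "oleasai")

def mangle_candidates(pw):
    """Reduce a password to the base forms a cracker would try: lower-cased,
    leet undone, reversed, and with leading/trailing digits or punctuation
    stripped (the 'username plus a 1' case)."""
    base = pw.lower()
    forms = {base, base.translate(LEET), base[::-1]}
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", base)
    forms.add(stripped)
    forms.add(stripped.translate(LEET))
    return forms

def shannon_bits(pw):
    """Crude entropy estimate: per-character Shannon entropy of the string
    times its length. It flags short strings built from few symbols."""
    n = len(pw)
    counts = {}
    for c in pw:
        counts[c] = counts.get(c, 0) + 1
    return n * -sum(k / n * math.log2(k / n) for k in counts.values())

def check_password(username, pw, min_len=10, min_bits=28):
    """Return the reasons a proposed password is rejected; empty means accept."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    forms = mangle_candidates(pw)
    user = username.lower()
    if any(f == user or f == user[::-1] or (user and user in f) for f in forms):
        reasons.append("derived from username")
    if forms & FEMALE_NAMES:
        reasons.append("based on a common first name")
    if forms & DICTIONARY:
        reasons.append("based on a dictionary word")
    if shannon_bits(pw) < min_bits:
        reasons.append("low entropy")
    return reasons
```

Thresholds like `min_bits` are deliberately conservative; the estimate measures symbol variety within the string, not the true guessability of a phrase, so the dictionary checks do the real work.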
