Firewall Wizards mailing list archives
Re: "Proactive" Password Checking
From: "Eric Toll" <etoll () syracusesupply com>
Date: Mon, 15 Nov 1999 11:29:23 -0500
I use NDS for security and it uses the 128bit RSA engine. unlike microsofts own 64bit MD4.... I can have a password length of up to 128 characters, using NDS. NDS is available for 95/98, NT, Solaris and Compaq tru64 unix, perhaps others. Macintosh? With this you can use longer passwords, and when you have a decent length.. 20+ characters its tougher to crack. Or am I missing something?
Eric Budke <budke () budke com> 11/12/99 05:00AM >>>
Probably 90% of successful attacks against systems could be prevented with basic password checkers. (I'm using the Samuel Clemens polling methods...throw a number out, people will probably believe it). For those who have run crack or l0phtcrack often, it is scary the number of passwords that are cracked in the first 30 seconds (or plain dictionary attacks). From an attacking standpoint, crack may not get the root password in a week, but who cares, I have valid user access because some bonehead added a 1 to the end of their username and called it a password. There are a couple people I know who do some light statistics on password content to see how it varies around the world at their offices. Guess what, amongst the female starved tech workers, women's names are among the most popular world-wide. Move to the NT side, and anytime you pull the hash, your're going to crack everything eventually. Just give it time. Password lockout rules. Yea, they'd be great if people used them. Reusable passwords are the ultimate problem. Pull a list of female names, a few languages dictionaries and you are going to break most passwords on a corporate network. This crosses national boundaries. The female names will probably crack a good portion of the song titles too. At 02:15 PM 11/11/99 , Rick Smith wrote:
Paul McNabb said:If it is known that this is your password technique, I am sure a lot of passwords will be easily cracked in short order. >;-> There are aEric Toll replied:Methinks not. The account gets locked after 5 wrong guesses. *Please explain.It depends on the types of attacks you're defending against. Paul is undoubtedly referring to dictionary attacks. The dictionary attack is off-line with respect to the server under attack, so it can't detect the attack and lock the account. Conventional wisdom is that dictionary attacks are practical against most systems.finite number of truly popular songs. Just listen to what a target humsSounds pretty obscure to me "just listen to what someone is humming" ? or were you making a joke? - - I can't tell.It's a variant of the "shoulder surfing" attack.What if said person is in another state or country? *Please explainOne wants passwords to work locally as well as remotely. If they can't provide reliable local authentication, then they're not much good at all. Personally, I think passwords are just about worthless for really remote authentication (i.e. off the site's LAN), though they're somewhat more tolerable when used with SSL or other channel crypto protection.I was not aware that there was lyric dictionaries on the net. lol *How bout posting some links?The fundamental problem is that English text is estimated by some to have 1 or 1.5 bits of entropy per letter. I expect that it's about the same for other languages, so the entropy grows relatively slowly even if you switch between languages. If the attacker can mount a brute force attack then he can exploit the low entropy. Personally, I agree that it's useful to know which types of words and phrases reside in online cracker dictionaries. It at least provides a measure of whether attackers can be script kiddies or if they need serious knowledge. The absence of a dictionary does not really assure that a memorable password can't be cracked. Rick. smith () securecomputing com "Internet Cryptography" at http://www.visi.com/crypto/
-- PGP Key can be found at http://www.budke.com/pgp/budke_budke_com.txt
Current thread:
- Re: "Proactive" Password Checking, (continued)
- Re: "Proactive" Password Checking Zzzil (Nov 14)
- RE: "Proactive" Password Checking bhe (Nov 14)
- RE: "Proactive" Password Checking Moore, James (Nov 14)
- Re: "Proactive" Password Checking Joseph S D Yao (Nov 17)
- RE: "Proactive" Password Checking Bill_Royds (Nov 14)
- RE: "Proactive" Password Checking Eric Toll (Nov 15)
- Re: "Proactive" Password Checking Joseph S D Yao (Nov 17)
- RE: "Proactive" Password Checking Moore, James (Nov 15)
- Re: "Proactive" Password Checking Andreas Gunnarsson (Nov 15)
- RE: "Proactive" Password Checking sean . kelly (Nov 15)
- Re: "Proactive" Password Checking Eric Toll (Nov 15)
- RE: "Proactive" Password Checking Moore, James (Nov 17)
- RE: "Proactive" Password Checking Russ (Nov 17)
- Re: "Proactive" Password Checking Aleph One (Nov 18)
- RE: "Proactive" Password Checking Vin McLellan (Nov 17)
- RE: "Proactive" Password Checking Moore, James (Nov 17)
- RE: "Proactive" Password Checking Matt Carothers (Nov 21)
- Re: "Proactive" Password Checking Barney Wolff (Nov 17)
- Re: "Proactive" Password Checking Eric Budke (Nov 18)