RE: "Proactive" Password Checking

["Moore, James" <James.Moore () MSFC NASA GOV>]

Amen, brother. 

The only thing I'd add to Russ' comments are that passfilt.dll's activities
must be constrained to assure the server does not get bogged down doing
extensive dictionary searches/trial-and-error crack attempts... I still feel
this belongs on the "back end". PDCs have more to do than pound on
passwords.

Jim Moore
256.461.4381

----------- PGP PUBLIC KEY FINGERPRINT ------------
1D9C 3AC3 34E6 EEDF 22B9  7886 7797 6908 048F 049B
---------------------------------------------------


> -----Original Message-----
> From: Russ [SMTP:Russ.Cooper () rc on ca]
> Sent: Wednesday, November 17, 1999 11:54 AM
> To:   'Moore, James'; firewall-wizards () lists nfr net
> Subject:      RE: "Proactive" Password Checking
>
> One more note about passfilt.dll (with the caveat that I am not a
> programmer
> and could not code what I propose).
>
> Passfilt.dll is an application, and as such, can do anything an off-line
> cracker can do. So in addition to supplying it with guidance rules as to
> what should be in a "decent" password, there's absolutely no reason why
> passfilt.dll could not take the proposed password (which it receives in
> plaintext) and pass it through as many dictionaries one might deem
> appropriate. If there's a match, or partial match, the password can be
> rejected on that basis in addition to, or instead of, the guidance rules.
>
> Taking a plaintext and looking it up for "like" matches in on-line
> dictionaries of whatever size appropriate should make it reasonably
> impervious to crack attacks. Of course all of this assumes you are not
> using
> LanMan hashes in your network, otherwise, all of this is pretty much a
> waste
> of effort.
>
> Its really a shame that none of the NT coders from ISS or RSA are on this
> list. Maybe I'll put the proposal to the NTBugtraq subscribers to come up
> with a decent passfilt replacement as open source.
>
> Cheers,
> Russ - NTBugtraq Editor