Firewall Wizards mailing list archives
RE: "Proactive" Password Checking
From: Russ <Russ.Cooper () rc on ca>
Date: Wed, 17 Nov 1999 12:53:45 -0500
One more note about passfilt.dll (with the caveat that I am not a programmer and could not code what I propose).

Passfilt.dll is an application, and as such, can do anything an off-line cracker can do. So in addition to supplying it with guidance rules as to what should be in a "decent" password, there's absolutely no reason why passfilt.dll could not take the proposed password (which it receives in plaintext) and pass it through as many dictionaries as one might deem appropriate. If there's a match, or partial match, the password can be rejected on that basis in addition to, or instead of, the guidance rules.

Taking a plaintext and looking it up for "like" matches in on-line dictionaries of whatever size appropriate should make it reasonably impervious to crack attacks.

Of course all of this assumes you are not using LanMan hashes in your network, otherwise, all of this is pretty much a waste of effort.

It's really a shame that none of the NT coders from ISS or RSA are on this list. Maybe I'll put the proposal to the NTBugtraq subscribers to come up with a decent passfilt replacement as open source.

Cheers,
Russ - NTBugtraq Editor
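Added example, not part of the original post and not code from passfilt.dll: a portable C sketch of the dictionary check the message proposes, rejecting exact, partial and "like" matches (case-folded, common character substitutions undone, reversed). The word list, the `MIN_WORD` threshold and the function names are assumptions made for illustration, and the DLL entry points that would call the check are left out.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample list; a real filter would load dictionaries of any size. */
static const char *const WORDS[] = { "password", "dragon", "letmein", "winter" };
#define NWORDS (sizeof WORDS / sizeof WORDS[0])
#define MIN_WORD 4  /* assumed threshold: shorter words cause too many false hits */

/* Fold case and undo common substitutions so "P@ssw0rd" becomes "password". */
static void normalize(char *s) {
    for (; *s; s++) {
        switch (*s) {
        case '0': *s = 'o'; break;
        case '1': case '!': *s = 'i'; break;
        case '3': *s = 'e'; break;
        case '4': case '@': *s = 'a'; break;
        case '5': case '$': *s = 's'; break;
        case '7': *s = 't'; break;
        default: *s = (char)tolower((unsigned char)*s);
        }
    }
}

static void reverse(char *s) {
    size_t n = strlen(s);
    for (size_t i = 0; i < n / 2; i++) {
        char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t;
    }
}

/* Partial match: any dictionary word appearing anywhere in the candidate. */
static int contains_word(const char *s) {
    for (size_t i = 0; i < NWORDS; i++)
        if (strlen(WORDS[i]) >= MIN_WORD && strstr(s, WORDS[i]))
            return 1;
    return 0;
}

/* Returns 1 to accept the proposed password, 0 to reject it. */
int dictionary_filter(const char *candidate) {
    char *buf = candidate ? malloc(strlen(candidate) + 1) : NULL;
    if (buf == NULL) return 0;              /* fail closed */
    strcpy(buf, candidate);
    normalize(buf);
    int hit = contains_word(buf);           /* forward, exact or embedded */
    if (!hit) { reverse(buf); hit = contains_word(buf); }  /* word typed backwards */
    free(buf);
    return !hit;
}
```

A production filter would also wipe its working copy of the plaintext before freeing it and would index large dictionaries rather than scan them linearly.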