Firewall Wizards mailing list archives

Re: "Proactive" Password Checking


From: Aleph One <aleph1 () underground org>
Date: Wed, 17 Nov 1999 22:19:44 -0800

On Wed, Nov 17, 1999 at 12:53:45PM -0500, Russ wrote:
One more note about passfilt.dll (with the caveat that I am not a programmer
and could not code what I propose).

Passfilt.dll is an application, and as such, can do anything an off-line
cracker can do. So in addition to supplying it with guidance rules as to
what should be in a "decent" password, there's absolutely no reason why
passfilt.dll could not take the proposed password (which it receives in
plaintext) and pass it through as many dictionaries as one might deem
appropriate. If there's a match, or partial match, the password can be
rejected on that basis in addition to, or instead of, the guidance rules.

Taking a plaintext and looking it up for "like" matches in on-line
dictionaries of whatever size appropriate should make it reasonably
impervious to crack attacks. Of course all of this assumes you are not using
LanMan hashes in your network, otherwise, all of this is pretty much a waste
of effort.

Well, not quite. An off-line password cracker has as many hours and days
as it would like to work its magic. Passfilt.dll must respond to the
user in almost real time. Also, password crackers start from a dictionary
word and try to come up with possible passwords. Something like passfilt.dll
does the opposite. It starts with a password and must determine if it
derives from a dictionary word (or phrase).

It's really a shame that none of the NT coders from ISS or RSA are on this
list. Maybe I'll put the proposal to the NTBugtraq subscribers to come up
with a decent passfilt replacement as open source.

It would indeed be a valuable addition. This problem has already been
solved under Unix in the form of cracklib. It would be nice not to reinvent 
the wheel and attempt to port the library to Win32.

Further notice that passfilt.dll does not have an interface to return 
an error message to the user (last time I checked). Instead the user
will get the generic password change error message. This will be very
confusing to the user if their password actually meets the generic
password requirements but does not meet those of passfilt.dll.
I don't think Microsoft ever got around to fixing this.

What the hell any of this has to do with firewalls is beyond me.

Cheers,
Russ - NTBugtraq Editor

-- 
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
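
The reverse check discussed in the message above (start from the proposed password and decide whether it reduces to a dictionary word), as an added example that is not part of the original post and is not code from cracklib or passfilt.dll. The wordlist, the substitution table and the function names are constructed for illustration; the cost is a fixed handful of lookups per candidate, which is what lets a filter answer in near real time.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample wordlist; a real filter would load a large indexed dictionary. */
static const char *WORDS[] = { "password", "firewall", "wizard", "dragon", "secret" };
#define NWORDS (sizeof WORDS / sizeof WORDS[0])

static int in_dictionary(const char *w) {
    for (size_t i = 0; i < NWORDS; i++)
        if (strcmp(w, WORDS[i]) == 0) return 1;
    return 0;
}

/* Undo common substitutions: the inverse of a cracker's mangling rules (assumed table). */
static char unleet(char c) {
    switch (c) {
    case '0': return 'o'; case '1': return 'l'; case '3': return 'e';
    case '4': case '@': return 'a'; case '5': case '$': return 's';
    case '7': return 't'; default: return (char)tolower((unsigned char)c);
    }
}

/* Normalise n bytes of s, then look up the result and its reversal. */
static int check_span(const char *s, size_t n) {
    char base[128], rev[128];
    if (n == 0 || n >= sizeof base) return 0;
    for (size_t i = 0; i < n; i++) {
        base[i] = unleet(s[i]);
        rev[n - 1 - i] = base[i];
    }
    base[n] = rev[n] = '\0';
    return in_dictionary(base) || in_dictionary(rev);
}

/* Returns 1 if the candidate reduces to a dictionary word, else 0. */
int derives_from_dictionary(const char *pw) {
    size_t len = strlen(pw), start = 0;
    if (check_span(pw, len)) return 1;          /* whole string, e.g. "$ecret" */
    while (start < len && !isalpha((unsigned char)pw[start])) start++;
    while (len > start && !isalpha((unsigned char)pw[len - 1])) len--;
    return check_span(pw + start, len - start); /* digit/punctuation padding removed */
}

int main(void) {
    const char *samples[] = { "P@ssw0rd99!", "draziw7", "Tr0ub4dor&3" }; /* constructed */
    for (size_t i = 0; i < 3; i++) printf("%-12s -> %s\n", samples[i], derives_from_dictionary(samples[i]) ? "reject" : "accept");
    return 0;
}
```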
