Firewall Wizards mailing list archives
Re: "Proactive" Password Checking
From: Aleph One <aleph1 () underground org>
Date: Wed, 17 Nov 1999 22:19:44 -0800
On Wed, Nov 17, 1999 at 12:53:45PM -0500, Russ wrote:
One more note about passfilt.dll (with the caveat that I am not a programmer and could not code what I propose). Passfilt.dll is an application, and as such, can do anything an off-line cracker can do. So in addition to supplying it with guidance rules as to what should be in a "decent" password, there's absolutely no reason why passfilt.dll could not take the proposed password (which it receives in plaintext) and pass it through as many dictionaries one might deem appropriate. If there's a match, or partial match, the password can be rejected on that basis in addition to, or instead of, the guidance rules. Taking a plaintext and looking it up for "like" matches in on-line dictionaries of whatever size appropriate should make it reasonably impervious to crack attacks. Of course all of this assumes you are not using LanMan hashes in your network, otherwise, all of this is pretty much a waste of effort.
Well not quite. An off-line password cracker has as many hours and days as it would like to work its magic. Passfilt.dll must respond to the user in almost real time. Also password crackers start from a dictionary work and try to come up with possible password. Something like passfilt.dll does the opposite. It starts with a password and must determine if it derives from a dictionary word (or phrase).
Its really a shame that none of the NT coders from ISS or RSA are on this list. Maybe I'll put the proposal to the NTBugtraq subscribers to come up with a decent passfilt replacement as open source.
It would indeed be a valuable addition. This problem has already been solved under Unix in the form of cracklib. It would be nice not to reinvent the wheel and attempt to port the library to Win32. Further notice that passfilt.dll does not have an interface to return and error message to the user (last time I checked). Instead the user will get the generic password change error message. This will be very confusing to the user if their password actually meets the generic password requirements but does not meet those of passfilt.dll. I don't think Microsoft ever got around to fixing this. What the hell any of this has to do with firewalls is beyond me.
Cheers, Russ - NTBugtraq Editor
-- Aleph One / aleph1 () underground org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Current thread:
- Re: "Proactive" Password Checking, (continued)
- Re: "Proactive" Password Checking Joseph S D Yao (Nov 17)
- RE: "Proactive" Password Checking Bill_Royds (Nov 14)
- RE: "Proactive" Password Checking Eric Toll (Nov 15)
- Re: "Proactive" Password Checking Joseph S D Yao (Nov 17)
- RE: "Proactive" Password Checking Moore, James (Nov 15)
- Re: "Proactive" Password Checking Andreas Gunnarsson (Nov 15)
- RE: "Proactive" Password Checking sean . kelly (Nov 15)
- Re: "Proactive" Password Checking Eric Toll (Nov 15)
- RE: "Proactive" Password Checking Moore, James (Nov 17)
- RE: "Proactive" Password Checking Russ (Nov 17)
- Re: "Proactive" Password Checking Aleph One (Nov 18)
- RE: "Proactive" Password Checking Vin McLellan (Nov 17)
- RE: "Proactive" Password Checking Moore, James (Nov 17)
- RE: "Proactive" Password Checking Matt Carothers (Nov 21)
- Re: "Proactive" Password Checking Barney Wolff (Nov 17)
- Re: "Proactive" Password Checking Eric Budke (Nov 18)