Security Basics mailing list archives

RE: Password Cracking


From: "Kenton Smith" <ksmith () chartwelltechnology com>
Date: Fri, 17 Sep 2004 16:02:30 -0600

No, these password cracking utils aren't trying to logon, they're running
against your Windows password DB or your Unix password/shadow files.
Therefore, account policies have nothing to do with it. Also, anyone trying
to crack passwords illegally (i.e. hacking) isn't going to use your
machine. They're going to grab the necessary files and use their own machine
on their own time.
There are a couple of things that have confused me about this thread and so
I decided to jump in.
What is the purpose of the password cracking? Are you just trying to audit
for policy compliance or are you trying to get a password for a user who has
forgotten their password?
If you are auditing for compliance, you don't need to crack everyone's
password. You only need to crack the ones that aren't in policy compliance.
This can usually be done fairly quickly and easily.
If you are trying to crack a password because the user has forgotten theirs,
you may be going for a while if the password is a good one.
If you're just trying to crack passwords for the heck of it, you'll always
be able to crack it eventually; all you need is time and a powerful
computer. No password is uncrackable; that's what brute force cracking is
all about: it will try every available combination until it is successful.
That might be 2 hours, 2 months, or 2 years, but it'll crack it eventually.

Kenton

-----Original Message-----
From: James McGee [mailto:J.McGee () syn-tec com] 
Sent: Thursday, September 16, 2004 4:28 PM
To: tman () ollopa com; xyberpix
Cc: Fabio Miranda Hamburger; simont () pop co za; Security Basics[List]
Subject: RE: Password Cracking

But one thing to remember is that any decent password and account policy
will have the user accounts locked out after 3/5/10 failed attempts, and
your monitoring and logging system will pick it up, 

Won't it?
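Kenton's point above, that a compliance audit runs offline against the hash file and only needs to find the non-compliant passwords, as an added example that is not from this thread. The hash format (user:salt:SHA-256 of salt+password) and the three accounts are constructed for the demo, not a real crypt(3) scheme or a real shadow file; a real audit would use the system's own hash algorithm and a tool built for it.

```python
from __future__ import annotations
import hashlib


def hash_password(salt: str, password: str) -> str:
    """Constructed demo format: hex SHA-256 of salt+password (not a real crypt(3) scheme)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample hash file, one "user:salt:hash" line per account.
SAMPLE_HASH_FILE = "\n".join(
    f"{user}:{salt}:{hash_password(salt, pw)}"
    for user, salt, pw in [
        ("alice", "k3Qm", "alice2004"),       # derived from the username: non-compliant
        ("bob", "Zp9x", "c0rrect-Horse-9!"),  # compliant, should not be found
        ("carol", "Hh71", "password"),        # common dictionary word: non-compliant
    ]
)

# Short list of passwords the policy forbids. A compliance audit only needs
# these guesses, not an exhaustive search of the keyspace.
FORBIDDEN = ["password", "123456", "letmein", "qwerty", "welcome"]


def candidates_for(user: str) -> list[str]:
    """Policy-violating guesses for one account: forbidden words plus username variants."""
    guesses = list(FORBIDDEN)
    for base in (user, user.capitalize()):
        guesses += [base, base + "1", base + "123", base + "2004", base + "!"]
    return guesses


def audit(hash_file: str) -> dict[str, str]:
    """Return {user: matched_password} for every account whose hash matches a forbidden guess.
    Accounts that match nothing are treated as compliant as far as this audit can tell."""
    findings: dict[str, str] = {}
    for line in hash_file.splitlines():
        user, salt, digest = line.split(":")
        for guess in candidates_for(user):
            if hash_password(salt, guess) == digest:
                findings[user] = guess
                break
    return findings


def brute_force_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every combination of one length: Kenton's 'time and a powerful computer'."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    for user, pw in audit(SAMPLE_HASH_FILE).items():
        print(f"{user}: NON-COMPLIANT (matched '{pw}')")
    days = brute_force_seconds(62, 8, 1e6) / 86400
    print(f"exhausting all 8-char, 62-symbol passwords at 1e6 guesses/s: {days:.0f} days")
```

The audit flags alice and carol in a fraction of a second while bob's password is never touched, which is the quick policy check Kenton describes; the last line shows why an exhaustive search is a different proposition.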

