Security Basics mailing list archives

RE: Password Cracking

From: "easternerd" <easternerd () gmx net>
Date: Mon, 20 Sep 2004 23:45:26 +0530

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ditto here,
I am always a great fan of 2 factor authentication, Something you
have + something you know!
When an organisation is small and the userbase is small we can afford
having Helpdesk sort out password reset issues.
Butwhen it comes to a big organisation say for example running into a
couple of 1000's then its gonna be difficult.
We need tools and and processes that are advanced in nature and which
utilise Cryptographic mechanisms.

I work in a company having 2 factor authentication for remote access
clients. All employees are equipped with a smart card and reader and
if at all they loose the pin of the smartcard they still have a
website where they can go and get the challenge hash, and use it to
recover the pin code of the smartcard. Thus enabling automated full
scale security with less overhead to helpdesk.

Email Correspondence :
easternerd () gmx net
easternerd () eml cc
Website :
http://www.cryptography.tk
http://www.securityrisk.org


- -----Original Message-----
From: William Baglivio [mailto:wbaglivio () yahoo com] 
Sent: Tuesday, September 14, 2004 7:51 AM
To: security-basics () securityfocus com
Subject: RE: Password Cracking

I've always prefered a token-based solution (like SecureID by RSA).

This allows users to have a simple-to-remember pin along with a key
randomly generated by a physical token device.  You can configure
most (if not all) of your security sensitive systems to use the same
pin/token with the only way for non-authorized personel to gain acess
being to gain physical access to the token along with the user's pin.

The key to this working is to be on the ball with deactivating
lost/missing/terminated tokens.

It isn't perfect, no system is, but I've always felt that a dynamic
system is better then a static one, no matter how convoluted and
involved the static solution (complext passcodes, ect) may be.  In
addition, a token-based system is generaly far cheaper then deploying
fingerprint id tech and the ilk.

- -William Baglivio


- --- Andrew Shore <andrew.shore () holistecs com> wrote:

I think one issue that is being over looked here is the networks 
weakest point, the users.

I have worked for many large (in terms of user base) companies and
the  biggest problem is to first explain how to create a complex
password  and the second is to get them to remember it.

When ever I have tried to get strong passwords into an organisation
 the first problem is the huge increase in users calling the
helpdesk  because they've forgotten the password, with all the
identification  issues that generates. Then there is the scrap of
paper under the  keyboard because the new passwords are "too hard"

If you work in a very secure environment you have to use some form
of  strong authentication, probably a two factor solution, but this
can  not be rolled out for the masses (cost!)

So a line has to be drawn. I don't have the answer but I know from 
bitter experience the costs of tying down general user passwords
too  far.

Just my 2 cents

Andy

-----Original Message-----
From: \ber GuidoZ [mailto:uberguidoz () gmail com]
Sent: 11 September 2004 19:30
To: Teo Gomez
Cc: Andrew Shore; Simon Zuckerbraun;
security-basics () securityfocus com
Subject: Re: Password Cracking

While it's true that "October10,1977" is a strong password by most 
rules, I'd beg to differ that it is a good password.
Due to the ease
of social engineering, it may not be. I, for one, will test common 
dates (birthdays, anniversaries, etc) in all forms first, when
looking  for a password. (All forms means backwards, forwards,
short hand, long  hand, etc). Most people use these as passwords
since they are easy to  remember. The next step when using
"trial-and-error"
method is names
of those close to them (family, loved ones, pets, etc). You may be 
surprised how easy it is simply guess a password when you try.

If you would like to use something easy to remember, try at least 
swapping something around, but not in a usual way.
Like make it
"Rctobeo" (swapped the O and R) or "7197" (instead of 1977)...
something to that effect. I usually don't try those types of swaps 
until I use a brute force method. On a side note, while it's better
 then nothing, and adding a "1" to a name isn't a way to secure it 
either. =P I will try that 3rd.


On Fri, 10 Sep 2004 14:23:17 -0400, Teo Gomez 
<tgomez () ubiquitelpcs com> wrote:

Even enforcing complex passwords does not

guarantee that passwords be

'strong.'  For example, October20,1977 is my

birthday, and is a strong

password.  Try and get users to use pass phrases

instead of passwords.

For example, My cat's hair is blue, is a complex

pass phrase.


Teo

-----Original Message-----
From: Andrew Shore

[mailto:andrew.shore () holistecs com]

Sent: Wednesday, September 08, 2004 4:37 AM
To: Simon Zuckerbraun;

security-basics () securityfocus com

Subject: RE: Password Cracking

Depending up on the servers strong passwords can

be enforced.


NT4 SP4 and Win2k AD support this as do most Linux

distributions.


That way you don't need to check the passwords.

-----Original Message-----
From: Simon Zuckerbraun

[mailto:szucker () sst-pr-1 com]

Sent: 05 September 2004 04:05
To: security-basics () securityfocus com
Subject: RE: Password Cracking

If I understand correctly, LC is capable of doing

what you're asking.


Simon

-----Original Message-----
From: Eoin Fleming [mailto:rtfm () o2 ie]
Sent: Friday, August 27, 2004 4:44 PM
To: security-basics () securityfocus com
Subject: Password Cracking

Bit of an unusual one -

Lets imagine you are a security administrator at a

company - strong

passwords are enforced but you suspect that there

may be exceptions and

you want to raise management awareness of breaches

of the password

policy BUT you can't run cracking software as then

you will know

individuals passwords - which you don't want to

know as this breaks

acountability rather nicely.

In short - is there software that can perform the

function of LC and

John without giving the admin the password but

rather rate the password

against against a set criteria?

- ----------------------------------------------------------------------
- -----

Computer Forensics Training at the InfoSec Institute. All of our
class  sizes are guaranteed to be 12 students or less to facilitate
one-on-one interaction with one of our expert instructors. Gain the
 in-demand skills of a certified computer examiner, learn to
recover  trace data left behind by fraud, theft, and cybercrime
perpetrators.  Discover the source of computer crime and abuse so
that it never 
happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.ht
ml

- ----------------------------------------------------------------------
- ------



- ----------------------------------------------------------------------
- -----
Computer Forensics Training at the InfoSec Institute. All of our
class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand
skills of
a certified computer examiner, learn to recover trace data left
behind by
fraud, theft, and cybercrime perpetrators. Discover the source of
computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.ht
ml
- ----------------------------------------------------------------------
- ------

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQEVAwUBQU8ePexhEq37a08BAQJ75wf/WK052a5reOB7fzxR1eAnI3VQEuJB8IkZ
cRdHkRQEY4DrFUqHPeMuWXVQCXZjrYoMIN06JNJZeLsUTU59bla3JVAA53RCCBp4
51qW43msbEBo4gUKgeB5K4xWeWxNd84JV5NTyjaRE0+t4+ImOFR6wPwn9aalpyvT
ib3b/jsXHIQvCSlbroJnKVw2v7plJ1wpL0SzpFEdkSDM66POAY+yd9fR95aKOYvf
NS9BYHbp3N2PoxN4s4TXSY8qk9wI16h5g+kJD5P5kApcDezxtGAgLwR+xdERxvoO
QeHRHG4TSV0xsE3mUGn2K/bEL+zXBxjXD37DygTWpG6bx0vfbEjbBA==
=KS0X
-----END PGP SIGNATURE-----


---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------

Current thread:

Re: Password Cracking, (continued)
- - Re: Password Cracking Über GuidoZ (Sep 13)
- RE: Password Cracking Sadler, Connie (Sep 10)
- RE: Password Cracking Michael Shirk (Sep 11)
  - Re: Password Cracking Steve (Sep 13)
    - Re: Password Cracking Miles Stevenson (Sep 18)
- RE: Password Cracking Andrew Shore (Sep 13)
  - RE: Password Cracking Jonathan Loh (Sep 15)
    - Re: Password Cracking Dave Aronson (Sep 18)
  - RE: Password Cracking Nick Owen (Sep 15)
  - RE: Password Cracking William Baglivio (Sep 15)
    - RE: Password Cracking easternerd (Sep 23)
  - Re: Password Cracking GuidoZ (Sep 15)
    - Re: Password Cracking David J. Bianco (Sep 16)
- RE: Password Cracking Bénoni MARTIN (Sep 16)
- RE: Password Cracking James McGee (Sep 16)
  - Re: Password Cracking Steve (Sep 17)
  - RE: Password Cracking Kenton Smith (Sep 17)
  - RE: Password Cracking Kenton Smith (Sep 19)
- RE: Password Cracking Dave Aronson (Sep 22)