Bugtraq mailing list archives

Re: Not so much a bug as a warning of new brute force attack

From: broadley () MATH Ucdavis EDU (Bill Broadley)
Date: Mon, 3 Jun 1996 13:21:26 -0700


Brett L. Hawn writes:


Given a file full of usernames and the standard 'dict file' one can

Solution:

Implement random delay times, logging, and disconnection within the pop3
daemom



Why not just change the system so that it wont accept a dictionary name as
a valid password.  Six to eight characters and at least 1 or 2 numbers
would make it a little more difficult too.
The main way to crack password files seems to involve using dictionary
files (that you can easily get from the net) and using brute force to
compare the encrypted dictionary words to the encrypted passwords.
Therefore just dont allow dictionary words as passwords.  Although the
number you can still make your own dictionary files of random characters,
the percentage of people that would even bother drops big time, IMO.


One or two numbers has little effect on security.  Most users use 0,1,9 or
00,11,99.  Crack come configured to test for such things, and adding
additional tests is trivial.



--
Bill Broadley           Broadley () math ucdavis edu           UCD Math Sys-Admin
Linux is great.         http://ucdmath.ucdavis.edu/~broadley            PGP-ok

Current thread:

help, (continued)
- - - help TaeJin Hong (Jun 07)
    - HP-UX B.10.01 vulnerability Aleph One (Jun 07)
    - Strange changes - any ideas? Fred Cohen (Jun 08)
    - Re: Strange changes - any ideas? dsiebert () icaen uiowa edu (Jun 09)
    - Re: Strange changes - any ideas? Andrew V. Kovalev (Jun 09)
    - Digital Unix, daemons and the SIA authentication library. Paul C Leyland (Jun 10)
    - Re: Strange changes - any ideas? Darren Reed (Jun 10)
    - Vulnerability Database Christopher Klaus (Jun 10)
    - Re: brute force Ze'ev Maor (Jun 04)
    - Re: brute force simes () tcp co uk (Jun 04)
  - Re: Not so much a bug as a warning of new brute force attack Bill Broadley (Jun 03)
  - Re: Not so much a bug as a warning of new brute force attack Brian Tao (Jun 08)
    - Re: Not so much a bug as a warning of new brute force attack Paul D. Robertson (Jun 09)
- Re: Not so much a bug as a warning of new brute force attack Stefan Hudson (Jun 03)
- Re: Not so much a bug as a warning of new brute force attack Seguridad (Jun 03)
- Re: Not so much a bug as a warning of new brute force attack Thomas Roessler (Jun 03)
- Re: Not so much a bug as a warning of new brute force attack Andrew Macpherson (Jun 04)
- Re: Not so much a bug as a warning of new brute force attack John Orthoefer (Jun 04)
- Re: Not so much a bug as a warning of new brute force attack Don Lewis (Jun 04)
- Re: Not so much a bug as a warning of new brute force attack Dave Hayes (Jun 04)
  - Re: Not so much a bug as a warning of new brute force attack Albert Lunde (Jun 04)

(Thread continues...)