Bugtraq mailing list archives

Re: Not so much a bug as a warning of new brute force attack


From: shaunl () march co uk (Shaun Lowry)
Date: Tue, 4 Jun 1996 10:12:13 +0100


"Brett L. Hawn" <blh () nol net> wrote:

You can lead a user to a good password but you can only make them use it for
so long.

Is this not desirable?  The longer they keep that good password, the worse it
gets.  Make them choose another good password!

Not to mention anyone with the time and desire can create a fairly
nifty 'dictfile' like I did a few years back. All it takes is some simple
brain power and a LOT of disk space, a quick file that prints all variations
of 5-8 character length combinations to a file. I stopped mine at 238megs and
it was still going strong.

When talking in terms of attacking a daemon across a relatively
low-bandwidth network (as we were), a dictionary attack on 238Mb of
passwords is a) going to take a long time and b) hopefully won't go
unnoticed.

Agreed, if you have the encrypted passwords locally and have plenty of
CPU time to spare, knock yourself out.  If someone *really* wants to
crack a publicly accessible account on your system they will, but this
implies a finely targeted attack.  Most attackers will ask themselves
the question "Where can I get in easily?" rather than "How do I get in
here?"

Brett

        Shaun.

--
Shaun Lowry           | March Systems Ltd.,           http://www.march.co.uk/
PGP Key available     | 14 Brewery Court, High St.,
from key servers or   | Theale, UK. RG7 5AJ
via e-mail on request | +44 1734 304224
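As an added illustration of Shaun's point that a dictionary attack run over the network "hopefully won't go unnoticed" (example code written for this archive page, not from either poster): a small detector that parses constructed failed-login syslog lines and flags any source that reaches a failure threshold inside a time window. The log format, addresses, year, threshold and window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an old-style login(1) syslog format; not taken from the thread.
SAMPLE_LOG = """\
Jun  4 09:58:01 host login[201]: FAILED LOGIN 1 FROM 192.0.2.10 FOR root, Authentication failure
Jun  4 09:58:03 host login[201]: FAILED LOGIN 2 FROM 192.0.2.10 FOR root, Authentication failure
Jun  4 09:58:04 host login[202]: FAILED LOGIN 1 FROM 192.0.2.10 FOR guest, Authentication failure
Jun  4 09:58:06 host login[203]: FAILED LOGIN 1 FROM 192.0.2.10 FOR root, Authentication failure
Jun  4 09:58:09 host login[204]: FAILED LOGIN 1 FROM 192.0.2.10 FOR root, Authentication failure
Jun  4 10:30:00 host login[300]: FAILED LOGIN 1 FROM 198.51.100.7 FOR alice, Authentication failure
Jun  4 10:45:00 host login[301]: FAILED LOGIN 1 FROM 198.51.100.7 FOR alice, Authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN \d+ "
    r"FROM (?P<src>\S+) FOR (?P<user>[^,]+),"
)

def parse_failures(text, year=1996):
    """Yield (timestamp, source, user) for each failed-login line; syslog omits the year."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"]

def find_brute_force(text, threshold=4, window=timedelta(minutes=5)):
    """Map each source to the failure count at which it first hit `threshold` within `window`."""
    by_src = defaultdict(list)
    for ts, src, _user in parse_failures(text):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged

if __name__ == "__main__":
    print(find_brute_force(SAMPLE_LOG))  # {'192.0.2.10': 4}
```

The slow, spread-out failures from the second source stay under the threshold, which is exactly the kind of low-rate attempt a per-window count alone will miss; pairing it with per-account counts over longer windows closes that gap.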


