Bugtraq mailing list archives

Selecting Good Passwords


From: mdr () vodka sse att com (mdr () vodka sse att com)
Date: Tue, 4 Jun 1996 08:34:59 -0400


Brett wrote:
nifty 'dictfile' like I did a few years back. All it takes is some simple
brain power and a LOT of disk space, a quick file that prints all variations
of 5-8 character length combinations to a file. I stopped mine at 238megs and
it was still going strong.


If your dictionary can be generated as such, then why store it to
disk?  Just generate/test passwords one by one.

But generally that's not why dictionary attacks work!  They work
because people often use common words for passwords, unless the
software prevents them.  That's why some password programs require
users to choose numerics and punctuation characters; it prevents the
use of common words and makes guessing the password harder.  Of course
some people often use mnemonics such as:
        0: 0
        1: l
        3: e
        5: s
        ...
which almost totally defeats the purpose of requiring numbers in the
first place.

We use a password generator that produces pronounceable gibberish.

Actual system output:
$ passwd
UX:passwd: INFO: Changing password for mdr
Old password:

Automatic generation of password enabled.  Please wait.

xe5_na     7qev6zum   9risnig6   quxaxe     hudefwog
.qi8yu     9vem2ced   zawvengat  _wiwu+     towsuweh
jishu63    6zinip_    cid01re    fuk6zo1    04gokzo
13zowa     -fejum5    jek5vox2   ziz.0ja    _2nebi
ceh69vej   0lera7     jegnal98   xiv2jaw0   noyep+5

Select new password from passwords provided:


From the above list Olera7 jishu63 6zinip_ and zawvengat are all
relatively easy to remember and will not fall to dictionary attacks.

Of course sometimes the password generator resorts to profanity
(sheerly by combinatorics!) but that only indicates its lack of
intelligence. :)

Of course, reusable passwords really aren't worth anything if they cross
the network in plain text.  In fact their worth is actually
less than zero, because someone may actually be trusting the password to
protect something that it is no longer capable of protecting.

Mark Riggins
Secure Systems Engineering
AT&T Bell Labs

PS: my real passwd was _not_ chosen from the above list.
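The two mechanisms the post describes, a "needs numerics and punctuation" rule that mnemonic substitutions (0 for o, 1 for l, 3 for e, 5 for s) quietly defeat, and a generator that hands out pronounceable gibberish, can be put side by side in a small checker. The code below is an added example and is not the AT&T passwd program or any code from the original post. The substitution table extends the post's four mappings with a few assumed extras, the dictionary is a constructed stand-in for a real wordlist, and the eight-character minimum and the consonant-vowel syllable scheme are assumptions of this example, not details the post gives.

```python
import secrets
import string

# Mnemonic substitutions: the four the post lists plus a few assumed extras.
# The checker folds these back to letters before looking the word up, which
# is what stops "pa55w0rd" from satisfying a "must contain digits" rule.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",   # from the post
    "4": "a", "7": "t", "@": "a", "$": "s",   # assumed extras
})

# Constructed mini-dictionary standing in for a real wordlist.
DICTIONARY = {"password", "secret", "letmein", "welcome", "dragon", "monkey"}

CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"
EXTRAS = string.digits + "_.+-"   # the non-letter characters a policy wants to see


def normalize(password: str) -> str:
    """Lowercase, undo digit/symbol-for-letter substitutions, keep letters only."""
    folded = password.lower().translate(LEET_MAP)
    return "".join(ch for ch in folded if ch.isalpha())


def is_dictionary_word(password: str, dictionary=DICTIONARY) -> bool:
    """True if the password is a dictionary word once substitutions are folded."""
    return normalize(password) in dictionary


def meets_policy(password: str, min_length: int = 8) -> bool:
    """Length, at least one digit/punctuation character, and not a folded dictionary word."""
    if len(password) < min_length:
        return False
    if not any(ch in EXTRAS for ch in password):
        return False
    return not is_dictionary_word(password)


def pronounceable(length: int = 8, rng=secrets) -> str:
    """Build consonant-vowel syllables, then splice in one or two non-letters.

    Uses the secrets module (CSPRNG) rather than random; the syllable scheme
    is an assumption of this example, not the post's generator.
    """
    chars = []
    while len(chars) < length:
        chars.append(rng.choice(CONSONANTS))
        chars.append(rng.choice(VOWELS))
    chars = chars[:length]
    for _ in range(1 + rng.randbelow(2)):          # 1 or 2 replacements
        pos = rng.randbelow(length)
        chars[pos] = rng.choice(EXTRAS)
    return "".join(chars)


def generate_candidates(count: int = 25, length: int = 8) -> list:
    """Produce candidates the way the post's passwd does, keeping only policy-clean ones.

    The loop is what guarantees a syllable string never folds to a dictionary
    word by chance; the generator alone cannot promise that.
    """
    out = []
    while len(out) < count:
        candidate = pronounceable(length)
        if meets_policy(candidate, min_length=length):
            out.append(candidate)
    return out


if __name__ == "__main__":
    # Constructed inputs: two mnemonic rewrites of dictionary words, and three
    # strings in the style of the post's generator output.
    for pw in ["pa55w0rd", "5ecr3t", "zawvengat", "9vem2ced", "jishu63"]:
        print(f"{pw:12} folds to {normalize(pw):10} policy ok: {meets_policy(pw)}")
    print(" ".join(generate_candidates(10)))
```

The point of `normalize` is that the dictionary check runs on what the password would be if the user had typed letters, so a policy that merely counts digits no longer accepts `pa55w0rd`. Running it on the post's own samples shows `9vem2ced` passing and `zawvengat` failing only for lack of a non-letter, exactly the rule the post says the numerics requirement enforces.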