Firewall Wizards mailing list archives
Re: "Proactive" Password Checking
From: Rick Smith <rick_smith () securecomputing com>
Date: Thu, 11 Nov 1999 13:15:20 -0600
Paul McNabb said:
>> If it is known that this is your password technique, I am sure a lot of passwords will be easily cracked in short order. >;->

Eric Toll replied:
> Methinks not. The account gets locked after 5 wrong guesses. *Please explain.

It depends on the types of attacks you're defending against. Paul is undoubtedly referring to dictionary attacks. The dictionary attack is off-line with respect to the server under attack, so it can't detect the attack and lock the account. Conventional wisdom is that dictionary attacks are practical against most systems.

Paul McNabb said:
>> There are a finite number of truly popular songs. Just listen to what a target hums.

Eric Toll replied:
> Sounds pretty obscure to me: "just listen to what someone is humming"? Or were you making a joke? I can't tell.

It's a variant of the "shoulder surfing" attack.

Eric Toll replied:
> What if said person is in another state or country? *Please explain
One wants passwords to work locally as well as remotely. If they can't provide reliable local authentication, then they're not much good at all. Personally, I think passwords are just about worthless for really remote authentication (i.e. off the site's LAN), though they're somewhat more tolerable when used with SSL or other channel crypto protection.
Eric Toll replied:
> I was not aware that there were lyric dictionaries on the net. lol *How about posting some links?
The fundamental problem is that English text is estimated by some to have 1 or 1.5 bits of entropy per letter. I expect that it's about the same for other languages, so the entropy grows relatively slowly even if you switch between languages. If the attacker can mount a brute force attack then he can exploit the low entropy.

Personally, I agree that it's useful to know which types of words and phrases reside in online cracker dictionaries. It at least provides a measure of whether attackers can be script kiddies or if they need serious knowledge. The absence of a dictionary does not really assure that a memorable password can't be cracked.

Rick.

smith () securecomputing com
"Internet Cryptography" at http://www.visi.com/crypto/
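[Editor's added example, not part of Rick's post or anything else on this thread.] The point at issue between Eric and Rick is that a lock-after-5-failures policy only ever sees online guesses, while a dictionary attack runs against a copy of the stored hash and never touches the server. The script below makes that concrete: it builds a small lyric "dictionary", derives candidate passwords from each line, and runs them against a stolen salted hash, then puts the 1 to 1.5 bits-per-letter estimate from Rick's post next to the lockout budget. Everything specific in it is an assumption made for the example: the nursery-rhyme lines are constructed, the mangling rules are invented, salted SHA-256 stands in for whatever hash the server really uses, and the one-million-hashes-per-second figure is a placeholder for the offline attacker's speed.

```python
import hashlib
import math

# Constructed sample data: these nursery-rhyme lines stand in for the "lyric
# dictionary" the thread speculates about. They are invented for this example,
# not taken from any real cracker wordlist.
LYRIC_LINES = [
    "twinkle twinkle little star",
    "row row row your boat",
    "happy birthday to you",
    "mary had a little lamb",
    "the wheels on the bus go round and round",
]


def mangle(phrase):
    """Yield candidate passwords a cracker would derive from one lyric line.

    The rules are an assumption for the example: they mirror the usual ways
    people turn a memorable phrase into a password (whole phrase, phrase with
    spaces removed, acrostic of first letters, CamelCase, trailing digit).
    """
    words = phrase.split()
    acrostic = "".join(w[0] for w in words)
    yield phrase
    yield phrase.replace(" ", "")
    yield acrostic
    yield acrostic.upper()
    yield "".join(w.capitalize() for w in words)
    yield acrostic + "1"


def hash_password(password, salt):
    """Salted SHA-256 (an assumption standing in for whatever the server stores).

    A salt defeats precomputed tables, but an attacker holding the hash and
    salt can still run every candidate through the same function offline.
    """
    return hashlib.sha256(salt + password.encode()).hexdigest()


def offline_dictionary_attack(stored_hash, salt, lines=LYRIC_LINES):
    """Run the dictionary against a stolen hash.

    Nothing here contacts the authentication server, so a
    lock-after-5-failures policy never sees a single attempt. Returns the
    recovered password (or None) and how many candidates were hashed.
    """
    attempts = 0
    for line in lines:
        for candidate in mangle(line):
            attempts += 1
            if hash_password(candidate, salt) == stored_hash:
                return candidate, attempts
    return None, attempts


def phrase_entropy_bits(phrase, bits_per_letter=1.5):
    """Entropy estimate using the figure from the post: roughly 1 to 1.5 bits
    per letter of English text. Only letters count; spaces add nothing."""
    letters = sum(1 for c in phrase if c.isalpha())
    return letters * bits_per_letter


def compare_attackers(phrase, max_failures=5, offline_rate=1_000_000):
    """Contrast the online attacker (capped by the lockout) with the offline
    one (capped only by hash speed) for a password drawn from `phrase`.

    `offline_rate` (hashes per second) is an assumed figure; tune it for the
    hash function and hardware actually in play.
    """
    bits = phrase_entropy_bits(phrase)
    return {
        "entropy_bits": bits,
        # log2(max_failures): how much of the search space the online
        # attacker can cover before the account locks.
        "online_bits_before_lockout": math.log2(max_failures),
        # Worst-case time to exhaust the space offline, in seconds.
        "offline_exhaust_seconds": (2 ** bits) / offline_rate,
    }


if __name__ == "__main__":
    salt = b"constructed-salt"                 # constructed, not a real record
    stolen = hash_password("mhall", salt)      # acrostic of "mary had a little lamb"
    print(offline_dictionary_attack(stolen, salt))
    print(compare_attackers("mary had a little lamb"))
```

With the sample data, the acrostic "mhall" falls on the 21st hash, and the whole five-line dictionary costs 30 hashes; the lockout never fires because no guess is ever sent to the server. The entropy comparison is the other half of Rick's argument: an 18-letter phrase at 1.5 bits per letter is about 27 bits, which an offline attacker at a million hashes per second exhausts in a couple of minutes, while five online failures cover only about 2.3 bits of that space.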