Firewall Wizards mailing list archives

RE: "Proactive" Password Checking


From: "daN." <dan () nesmail com>
Date: Fri, 12 Nov 1999 12:55:36 -0800

> Now consider the password "maryhadalittlelamb"  hard to crack, easy to
> remember, not a problem for dictionary crackers.   Just tell users to put
> a few words _together_ for security, like their favorite song lyric or
> something.

That would be truncated to 'maryhada', which happens to actually be in my
password dictionary. Even if it wasn't, popular password cracking programs
will combine words in your dictionary as well as use words backwards and
forwards with different cases, and the more users you have the more likely
they are to grab at least one password this way. If your technique were to
work at all you would need to make several changes: add random
capitalization, and add at least one non-numerical, non-alpha character to
your password.  But even with these rules in place you make a brute force
attack slightly easier, because when you set rules on a password you are
minimizing the maximum amount of possible passwords.  So it comes right
back to the best password is an absolutely random one (which you should
still run a dictionary attack against just in case it randomly ends up
being something that doesn't look so random :) ).

Dan Steele
Network Administrator
WestNet Management Corp.
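
The two points in the message above, as an added example that is not part of the original post: a proactive check that tests the truncated, case-folded form of a candidate against joined and reversed dictionary words, and a count of how much of the 8-character space a composition rule leaves. The 8-character limit, the word list, the function names and the reading of the rule as "at least one uppercase letter and one non-alphanumeric character" are assumptions for illustration.

```python
from itertools import product

SIGNIFICANT = 8  # assumption: only the first 8 characters count, as in 'maryhada'
WORDS = ["mary", "had", "a", "little", "lamb"]  # constructed sample dictionary
# Printable ASCII class sizes: upper, lower, digit, other (space included)
UPPER, LOWER, DIGIT, OTHER = 26, 26, 10, 33

def build_reject_set(words, max_words=3):
    """Truncated, lowercased forms of 1..max_words joined words, forwards and reversed."""
    reject = set()
    for n in range(1, max_words + 1):
        for combo in product(words, repeat=n):
            joined = "".join(combo).lower()
            reject.add(joined[:SIGNIFICANT])
            reject.add(joined[::-1][:SIGNIFICANT])
    return reject

def is_acceptable(candidate, reject):
    """Judge the form that actually matters: truncated and case-folded."""
    return candidate[:SIGNIFICANT].lower() not in reject

def keyspace(length=SIGNIFICANT):
    """Return (all strings, strings with >=1 uppercase and >=1 non-alphanumeric)."""
    total = UPPER + LOWER + DIGIT + OTHER
    no_upper = total - UPPER          # alphabet without uppercase letters
    no_other = total - OTHER          # alphabet without non-alphanumerics
    neither = total - UPPER - OTHER   # alphabet missing both classes
    # Inclusion-exclusion: remove strings that break either requirement
    allowed = total**length - no_upper**length - no_other**length + neither**length
    return total**length, allowed

if __name__ == "__main__":
    reject = build_reject_set(WORDS)
    for pw in ("maryhadalittlelamb", "MaryHadALittleLamb", "q7#Vx!2p"):
        print(pw, "->", "accept" if is_acceptable(pw, reject) else "reject")
    everything, allowed = keyspace()
    print(f"rule keeps {allowed / everything:.1%} of the 8-character space")
```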


