Firewall Wizards mailing list archives

Re: "Proactive" Password Checking


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Tue, 16 Nov 1999 11:52:42 -0500

On Fri, Nov 12, 1999 at 09:42:07AM -0600, Moore, James wrote:
...
I'm not sure I fully understand Alan's point wrt L0phtcrack etc., but I
don't believe password crackers obviate the utility of a tool such as
passfilt.dll.
...
-----Original Message-----
From:       Alan Ramsbottom [SMTP:ACR () als co uk]
Sent:       Tuesday, November 09, 1999 12:44 PM
...
Bear in mind that you can't afford to spend the 5 (or 50 or 500 or..) mins
that it might take Crack, John the Ripper, L0phtcrack et al to find a
password. If anyone's worried enough to write custom password filters then
they should probably run offline password crackers on a regular basis.

I believe his point is that the cracker can set his engine in motion
and go off, and come back in a couple of days for his results.  But when
your user says, "Computer, I would like to change my password, please",
or uses one of those quaint mouse thingies to press an icon, or a
keyboard to enter a command line, he, she, or it usually would prefer to
have a response that second instead of in a couple of days.

Of course, the tasks are radically different, too - the cracker needs to
go from an unknown encrypted string to its plaintext; while the user is
entering the plaintext, and the computer at that point just has to be
able to advise the user whether or not that would make a good password.
So better search/recognition heuristics for easily-found dictionary
words would help the latter task.  If one is concerned that they do not
suffice, one may go back later and try to run more brutal, time-taking
attacks against the passwords chosen.

-- 
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
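The distinction Joe draws (the proactive checker already holds the plaintext, so it only needs fast recognition heuristics for dictionary-derived passwords, while the hash cracker is left for periodic offline runs) is sketched below as an added example; it is not code from the thread or from passfilt.dll, and the word list, the leet map and the mangling rules are constructed for illustration.

```python
"""Proactive password check: with the plaintext in hand, undo the common
user manglings and look the result up in a word list. Answers instantly,
unlike an offline cracker that must go from hash to plaintext."""
import string

# Constructed toy word list; a real filter would load a large dictionary.
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey",
              "letmein", "football"}

# Common "leet" substitutions users apply to a dictionary word (constructed).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(candidate: str) -> set[str]:
    """Return the dictionary-shaped cores hidden in a candidate:
    lowercased, leading/trailing digits and punctuation stripped,
    leet substitutions undone, and the reversed spelling."""
    lower = candidate.lower()
    stripped = lower.strip(string.digits + string.punctuation)
    forms = set()
    for base in (lower, stripped):
        forms.add(base)
        forms.add(base.translate(LEET))
        forms.add(base[::-1])                 # e.g. "drowssap" -> "password"
        forms.add(base.translate(LEET)[::-1])
    forms.discard("")
    return forms


def check_password(candidate: str, min_length: int = 8) -> tuple[bool, str]:
    """Advise the user at password-change time. Returns (accepted, reason).
    Every rule here is a cheap heuristic that runs in well under a second."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if candidate.isdigit():
        return False, "all digits"
    for form in normalise(candidate):
        if form in DICTIONARY:
            return False, f"based on dictionary word '{form}'"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Dragon2024", "drowssap99", "gZ7!qR2$vmK9"):
        print(pw, "->", check_password(pw))
```

The same plaintext-based heuristics cannot be applied to the stored hashes later, which is why the thread still recommends running an offline cracker against them on a schedule.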


