RE: [fw-wiz] strong passwords (was Radius/MS ISA stuff)

From: Behm, Jeffrey L. (BehmJL@bvsg.com)
Date: 07/09/02


From: "Behm, Jeffrey L." <BehmJL@bvsg.com>
To: firewall-wizards@honor.icsalabs.com
Date: Tue Jul  9 12:31:12 2002


> From: George W. Capehart [mailto:capegeo@opengroup.org]
> Sent: Monday, July 08, 2002 9:28 PM
> Daniel Djundjek wrote:
> >
> > Think of it this way. Most PIN numbers for banks to take money out of an
> > electronic teller are 4 digits, and I can't remember the last time I was
> > forced to change this PIN code...
>
> Daniel,
>
> There is a *very* *important* distinction between a password and PIN
> that is used *in conjunction with* an ATM card.
<snip>
> look for suspicious activity. So, even though, on the surface, a PIN
> may look like a very weak password, it's not. It is one factor of a
> dual-factor authentication mechanism that is only one component of a
> multi-component security/risk management/fraud management system.
>
> Contrast this with a password-only authentication mechanism that
> protects, say, NT, Unix, SQL Server or Oracle. I can start a dictionary
> attack against the password file and then go out to dinner, a movie,
> drinks, come back home, go to bed, sleep well all night, get up the next
> morning, go to work . . . while crack is working. I get an email when
> it's through . . . You get the picture.

I don't disagree overall, but you glossed over "how" one acquires the passwd
file.

If one already has access to the passwd file, then one has already completed
the hard part.