Re: [fw-wiz] Passwords (was: Stanford break in)

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 04/23/04

    To: Dana Nowell <DanaNowell@cornerstonesoftware.com>
    Date: Fri, 23 Apr 2004 16:44:44 -0400 (EDT)

    On Fri, 23 Apr 2004, Dana Nowell wrote:

    > Bottom line: do NOT, repeat, do NOT put ANY confidence in 'salts' saving
    > your A**. The best defense is to not be in anyone's dictionary in the
    > first place. Pick a password carefully and change it regularly.

    Filling in the dictionary isn't that hard, and adding to it to generate
    the "empty space" isn't all that bad for smaller lengths...

    http://security.sdsc.edu/publications/teracrack.pdf
    (Where the heck was Abe when I baited him in this thread?)

    One of the "interesting" things in the Teracrack paper is that high-bit
    characters collide. They found one "true" collision between $C4U1N3R and
    SEEKETH; now I dunno about you, but I'd have put $C4U1N3R in the "not in a
    dictionary" category.

    Now, someone with mad math skills can take the dictionaries and the
    possible 7-bit passwords and figure out how much keyspace that leaves,
    since "strong passwords enforced by software" will negate having to search
    that space; if we know how long the password is (attacker on site) then it
    might just not matter that you chose a non-dictionary entry.

    Bottom line: Reusable passwords still suck. :)

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
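As an added example (not from Paul's post or the Teracrack paper), the keyspace arithmetic the post hands off to "someone with mad math skills": how much of the 8-character, 7-bit space a composition rule leaves to search, how much knowing the length removes, and why the salt only multiplies the size of a precomputed table rather than the cost of a single guess. The crypt(3) parameters in the comments (8 significant characters, 12-bit salt) are assumptions taken from the traditional DES implementation, not from the page.

```python
from itertools import combinations

# Assumptions (not from the post): traditional DES crypt(3) keeps the low 7
# bits of at most 8 characters and uses a 12-bit salt, so the largest alphabet
# to consider is the 95 printable ASCII characters, and a Teracrack-style
# table needs one entry per candidate password per salt value.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95 printable 7-bit characters
MAX_LEN = 8                       # characters beyond the 8th are ignored
SALT_VALUES = 2 ** 12             # 4096 possible salts

def full_keyspace(length: int) -> int:
    """Every password of exactly `length` printable ASCII characters."""
    return ALPHABET ** length

def keyspace_up_to(max_len: int = MAX_LEN) -> int:
    """What must be covered when the length is *not* known (1..max_len)."""
    return sum(full_keyspace(n) for n in range(1, max_len + 1))

def policy_keyspace(length: int, required: tuple[str, ...]) -> int:
    """Passwords of `length` chars containing at least one character from each
    class in `required`, counted by inclusion-exclusion over the classes that
    are absent.  This is the space a "strong password" rule leaves behind,
    because anything that violates the rule can never be a valid password."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * alphabet ** length
    return total

def table_entries(candidates: int) -> int:
    """Entries in a precomputed table covering `candidates` guesses under every
    salt: the salt multiplies storage, not the cost of checking one account."""
    return candidates * SALT_VALUES

if __name__ == "__main__":
    policy = ("lower", "upper", "digit", "symbol")
    full = full_keyspace(MAX_LEN)
    strong = policy_keyspace(MAX_LEN, policy)
    print(f"all 8-char passwords:            {full:,}")
    print(f"length unknown (1..8 chars):     {keyspace_up_to():,}")
    print(f"8 chars, all 4 classes required: {strong:,} ({strong / full:.1%})")
    print(f"1M-word list x every salt:       {table_entries(10**6):,} entries")
```

The composition rule roughly halves the 8-character space (about one bit of work saved), and knowing the exact length discards every shorter candidate as well; the salt, by contrast, only forces the table to be 4096 times larger.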

