RE: Education End Users about Passwords - Was - RE: john the ripper

From: Micheal Thompson (MThompson_at_brinkster.com)
Date: 12/09/03

    Date: Tue, 9 Dec 2003 12:19:49 -0500
    To: "Thompson, Jimi" <JimiT@mail.cox.smu.edu>, <pen-test@securityfocus.com>
    
    

    End User education is the greatest defense. People are often the weakest
    link. One step further is education on the social and physical
    aspects of security.

    Case in point: I was performing a pen-test for a financial institution.
    I walked in and asked to see the manager. I told the manager that I had to
    open an account for a business that I was president of. I had the bank
    give me bogus papers and presented those papers to the manager.
    After about five minutes of building a rapport I spilt my water that I
    got from the waiting room on her blouse. She left the room and left me
    in there. She did not even lock her machine. I just slipped a floppy
    into the A: drive and loaded the disk that had some goodies on it.

    The point is, physical security is just as important as passwords. As you
    guys know, most machines can be raped if you have physical access to
    them.

    Sorry for going off-thread; I just wanted to bring this up.

    -----Original Message-----
    From: Thompson, Jimi [mailto:JimiT@mail.cox.smu.edu]
    Sent: Monday, December 08, 2003 6:05 PM
    To: pen-test@securityfocus.com
    Subject: Education End Users about Passwords - Was - RE: john the ripper

    All,

    My personal experience is that I would rather have a user with a
    relatively weak (6-digit) password that isn't susceptible to a simple
    dictionary attack AND that doesn't have it written on a sticky note AND
    knows not to give it out over the phone. User education is far more
    important than the length of the password.

    The most important thing is explaining to users how they can generate
    their own "hard" passwords. The algorithm that I teach them is this:

    1. Pick a sentence that has meaning for you and that you will remember.
            i.e. I work at cox today.
    2. All consonants (or all vowels) become UPPERCASE characters.
    3. All vowels (or all consonants as it is the opposite of rule 2) become
    lower case characters.
    4. Words like to and for become numbers.
    5. Words like at and "and" become symbols (@ and &).
    6. Add some character to the end like ! or #.

    Now my password is iW@C2day!

    Once they get this simple thing down, getting them to choose "strong"
    passwords becomes infinitely easier, because they now have a mnemonic
    device to recall the password - the primary end user complaint about
    using "strong" passwords. If they can remember it, they are also a lot
    less likely to use the nefarious sticky note. Then all you have to
    worry about is making sure that they know not to give it out over the
    phone, which frankly, is the easiest method of "cracking" a password.

    2 cents,

    Jimi

    -----Original Message-----
    From: OBrien, Brennan [mailto:BOBrien@columbia.com]
    Sent: Monday, December 08, 2003 1:38 PM
    To: falcon@secureconsulting.net; pen-test@securityfocus.com
    Subject: RE: john the ripper

    Okay, I hear what you're saying about the amount of time being used and
    all... but..

    If your users are like the ones I've seen, that "reasonably strong"
    password (such as &Y6N8gg0 -- presumably strong) is just going to get
    written down on a sticky tab and put on the user's monitor or under their
    keyboard. The point is, while you've done a great job creating a strong
    keyspace which is difficult to break, I may open up a bigger problem.
    The goal is to get through the proverbial wall. Whether I do that by
    breaking through the bricks or scaling it or just going around, it
    doesn't really matter to me. If I make the wall thicker, that just
    moves the problem -- I'm still interested in getting to the other side,
    and I know I won't be able to break through it, so off I go to find a
    different solution...

    Just my thoughts.

    -----Original Message-----
    From: Benjamin Tomhave [mailto:falcon@secureconsulting.net]
    Sent: Monday, December 08, 2003 10:58 AM
    To: pen-test@securityfocus.com
    Subject: RE: john the ripper

    Scary numbers...so, semi-drifting question: how long is an "acceptable"
    length of time to run a cracker before pronouncing that uncracked
    passwords are "reasonably strong and well-chosen"?

    > -----Original Message-----
    > From: Mike [mailto:myname17@bellsouth.net]
    > Sent: Monday, December 08, 2003 3:45 AM
    > To: Giacomo; pen-test@securityfocus.com
    > Subject: Re: john the ripper
    >
    >
    > I recently did a little research on this, and if the password was
    > well chosen you will not find the password.
    >
    > An 8 character password, based on a 72 character set (26 lower
    > case letters, 26 uppercase letters, 10 digits, and 10 special
    > characters) results in 72^8 or 7.2x10^14 possible passwords. My
    > reference PC was only able to crack at 1500c/s. Doing the math
    > reveals that 150,000 years would be required to crack all
    > combinations, or 75,000 years on average. For a 12 character
    > password the result was 2,000,000,000,000 years.
    >
    > If my math is wrong, please break it to me gently.
    >
    > Mike
    >
    > On Tuesday 02 December 2003 10:52 am, Giacomo wrote:
    > > Hi all
    > >
    > > I am trying to crack cisco md5 password.
    > > Currently I am using a Athlon XP2500barton at 2300mhz, after 17 days
    > > john continue to crack at 3800c/s (it started at 4500c/s).
    > > I am asking myself and all of you what is the best system (hardware)
    > > to crack md5 password.
    > > I am thinking that the best way is the powerful (mhz) i386 in
    > > commerce.
    > > I've tried OpenMosix with 4 p500 nodes with john and cisilia, but
    > > without lucky results.
    > > The sun 280 (dual 64bits cpu at 900mhz) go to a poor 900c/s
    > >
    > > which is your reference system to use john on md5 password ?
    > >
    > > Giacomo

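A worked keyspace calculation, added here as an example and not part of the thread: it takes a character-set size, a password length and a cracking rate in the form Mike's post uses, and sets the exhaustive figure beside the much smaller dictionary-plus-rules space that Jimi's "not a dictionary word" advice is meant to keep users out of. The 100,000-word list and 1,000 mangling rules are assumed sample values, not figures from the thread.

```python
from math import log2

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy if every symbol is chosen uniformly at random."""
    return length * log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, rate_per_sec: float) -> float:
    """Years one cracker at rate_per_sec needs to try every candidate."""
    return keyspace(charset_size, length) / rate_per_sec / SECONDS_PER_YEAR


def expected_years(charset_size: int, length: int, rate_per_sec: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace."""
    return years_to_exhaust(charset_size, length, rate_per_sec) / 2


def wordlist_hours(words: int, rules: int, rate_per_sec: float) -> float:
    """Hours to try every word under every mangling rule (dictionary attack).

    A password that is a dictionary word plus a simple mangling lives in
    this much smaller space no matter how large the character set is.
    """
    return words * rules / rate_per_sec / 3600


if __name__ == "__main__":
    # Figures from Mike's post: 72-symbol charset, 1500 c/s.  The wordlist
    # size and rule count are constructed sample values, not from the thread.
    rate = 1500
    for length in (6, 8, 12):
        print(f"{length:2d} chars: {entropy_bits(72, length):5.1f} bits, "
              f"exhaust {years_to_exhaust(72, length, rate):.3g} years, "
              f"expected {expected_years(72, length, rate):.3g} years")
    print(f"100k words x 1000 rules: {wordlist_hours(100_000, 1_000, rate):.1f} hours")
```

Plugging in other rates (the 3800 c/s and 900 c/s Giacomo reports, or a modern GPU figure) changes only the `rate` argument, so the same functions answer Benjamin's question of how long a run has to last before an uncracked password says anything about its strength.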
