RE: UNIX password auditing tool and the search for dictionaries too

From: Michael Martinez (mmartinez_at_tamsco.com)
Date: 08/07/03

  • Next message: Ermelir: "Re: Anit-Virus Software"
    To: <security-basics@securityfocus.com>
    Date: Thu, 7 Aug 2003 14:48:52 -0600
    
    

    >Before you go too far with strong passwords, remember, they do more harm
    >than good in most cases. You trust your money to a four digit pin so
    >think about strong authentication, not strong passwords. Two factor can
    >be done with a variety of inexpensive technologies.

    Are you kidding me? You are under the impression that a 4-digit PIN is
    secure? I for one have no illusions about how insecure a 4-digit PIN
    actually is! Whatever security is provided by said 4-digit PIN is more
    related to the fact that there are not freely available PIN cracking
    tools for ATM machines...as there are password cracking tools.

    >Strong passwords are the number one source of denial of service in most
    >environments due to the frequent false reject problem that occurs when
    >users can't keep up with frequent changes and strong passwords. They're
    >also one of the highest costs for security since it's the number one
    >task for help desks and sys admins to support.

    As a help desk supervisor, I assure you that the related cost of time
    and money supporting the reset of passwords is minimal and therefore a
    small price to pay for increased security.

    ...

    >In terms of dictionaries, I think the aggressive approach would include
    >concatenations and number and special character injections into the
    >words. In more secure environments, where users are battered with monthly
    >password changes they usually inject the numeric value for the month
    >somewhere in a common word. But the point is, it's not too difficult to
    >build a really big database of words with special character and numeric
    >injections, run them through the hash algorithm and have a table to
    >check for matches.

    If someone were in an environment where they must change their password
    monthly...they are probably using the wrong technology. Perhaps a
    combination of different layers would be a better solution to monthly
    changes.

    ...

    -----Original Message-----
    From: Shane Lahey [mailto:s.lahey@roadrunner.nf.net]
    Sent: Monday, August 04, 2003 7:38 PM
    To: james.easterling@ed.gov; security-basics@securityfocus.com
    Subject: RE: UNIX password auditing tool

    Alec Muffett Crack :: http://www.crypticide.org/users/alecm/

    > -----Original Message-----
    > From: james.easterling@ed.gov [mailto:james.easterling@ed.gov]
    > Sent: Monday, August 04, 2003 4:39 PM
    > To: security-basics@securityfocus.com
    > Subject: UNIX password auditing tool
    >
    >
    >
    > I have tried searches for UNIX password cracking tools and I have come up
    > with little value. Can someone direct me to passwd auditing tools
    > besides "John The Ripper" that are free or cost?
    >
    > Regards,
    > James
    >
    >
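Added example, not part of the thread: a small Python auditor that builds the mangled dictionary the quoted post describes (capitalisation, number and special-character injections, month numbers before or after a word) and checks it against constructed sample entries. It uses a simplified salted SHA-256 stand-in for the crypt(3) formats found in a real /etc/shadow, so it illustrates the method rather than parsing real shadow records; the word list, record format and sample users are all constructed.

```python
import hashlib
import itertools

# Constructed sample word list; a real audit would use a large dictionary.
WORDS = ["summer", "welcome", "august"]


def mangle(word):
    """Yield the variants the post describes: bare word, capitalised forms,
    number/special-character suffixes, and the month number (1-12, with and
    without zero padding) injected before or after the word."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base
        for suffix in ("1", "123", "!", "!1"):
            yield base + suffix
        for month in range(1, 13):
            for m in {str(month), f"{month:02d}"}:
                yield base + m
                yield m + base
                yield f"{base}{m}!"


def hash_password(password, salt):
    # Simplified salted SHA-256 stand-in for crypt(3); not a real shadow format.
    # Because each entry carries its own salt, one precomputed table cannot be
    # reused across users: every candidate is rehashed per entry.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def audit(shadow_lines, words):
    """Return {user: candidate} for entries whose hash matches a mangled word."""
    found = {}
    for line in shadow_lines:
        user, salt, digest = line.split(":")
        for candidate in itertools.chain.from_iterable(mangle(w) for w in words):
            if hash_password(candidate, salt) == digest:
                found[user] = candidate
                break
    return found


# Constructed sample entries in the format user:salt:sha256hex (not real records).
SAMPLE_SHADOW = [
    "alice:k3Q7:" + hash_password("Summer08", "k3Q7"),   # month-injection pattern
    "bob:zz91:" + hash_password("welcome!1", "zz91"),    # word plus special/number
    "carol:p0Lm:" + hash_password("correct horse battery", "p0Lm"),  # not found
]

if __name__ == "__main__":
    for user, candidate in audit(SAMPLE_SHADOW, WORDS).items():
        print(f"{user}: password matches dictionary pattern ({candidate})")
```

The check flags alice and bob but not carol, which is the point the post makes about month injections into common words being cheap to enumerate.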
    
