Re: Creating a Password

From: Mimic (gn0rty@gn0rties.ville)
Date: 02/07/03


From: "Mimic" <gn0rty@gn0rties.ville>
Date: Fri, 7 Feb 2003 22:00:15 -0000


> Lohkee
>
> My understanding (over simplified) of the two processes is that :
>
>
>
> 1) A dictionary attack tries every word, number, or combination of such
> (including symbols sometimes) to get the correct one. The system requiring
> the password, will allow the intruder in if the password is correct (if
> there are no restrictions on the amount of attempts, or lockouts, etc).
>
> For example:
>
> Is "dog" correct -> no
>
> Is "cat" correct -> no
>
> Is "bird" correct -> no
>
> Is "nerd" correct -> yes...in you go.
>
> 2) A brute force attack has access to the password files whether they are
> the SAM, master.passwd , passwd, etc. files. Then a program like John the
> Ripper uses every possible character that can be produced on a keyboard,
> and using the same hashing algorithms, and the same salt, (sounds like a
> cooking class) for the system being penetrated, attempts to achieve the
> same RESULT as the encrypted password in the file.
>
>
>
<cut>
> Thanx
>
> JR
>

I believe it's the other way round...

Dictionary and incremental are run against a passwd file, by encrypting the
given string, then matching it to the cipher text, i.e.:

password file entry = sDnTTgJfESd
encrypt Dog = GGnJkIokOL .....> does it match the cipher text ? ......> no
encrypt Cat = sDnTTgJfESd .....> does it match the cipher text ? ......> yes

Brute force is guessing, i.e. a web-based email account, commonly used
passphrases, etc.

--
Mimic
"Without knowledge you have fear, with fear you create your own nightmares"
"There are only 10 types of people in the world. Those that understand
Binary, and those that don't."
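An added example, not from either poster, showing the two processes the thread contrasts: the offline "encrypt the candidate with the entry's salt and compare with the stored cipher text" loop, and the online guess against a live login that can count attempts and lock out. Assumptions: salted SHA-256 stands in for the crypt(3) hash of a real passwd file, the "salt$digest" entry and the three-word list are constructed, and all function names are mine.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed stand-in for a passwd entry: "salt$hex_digest" using salted
# SHA-256 (the real files use crypt(3); the shape of the check is the same).
def make_entry(password: str, salt: Optional[str] = None) -> str:
    salt = salt or secrets.token_hex(4)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"

def verify(password: str, entry: str) -> bool:
    """What the system does: re-hash with the stored salt, compare digests."""
    salt, digest = entry.split("$", 1)
    candidate = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)

def offline_match(entry: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Mimic's process against a copied file: hash each word with the entry's
    own salt and compare with the cipher text. Nothing touches a live login,
    so no lockout applies; the only cost is one hash per word per salt.
    Returns (matching word or None, number of hashes computed)."""
    hashes = 0
    for word in wordlist:
        hashes += 1
        if verify(word, entry):
            return word, hashes
    return None, hashes

class OnlineLogin:
    """JR's process: each guess is submitted to the running system, which can
    count failures and lock the account (the restriction the thread mentions)."""
    def __init__(self, entry: str, max_attempts: int = 3) -> None:
        self.entry = entry
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def attempt(self, password: str) -> str:
        if self.locked:
            return "locked"          # even a correct guess is refused now
        if verify(password, self.entry):
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.locked = True
            return "locked"
        return "no"
```

The same word hashed under two different salts yields two different entries, which is why the offline loop must be re-run per salt rather than using a precomputed table.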