Re: Creating a Password

From: JR (contactjrnowSPAMFREE@hotmail.com)
Date: 02/10/03


From: "JR" <contactjrnowSPAMFREE@hotmail.com>
Date: Mon, 10 Feb 2003 08:54:14 -0500


"Mimic" <gn0rty@gn0rties.ville> wrote in message
news:Q-udnZJOFO3vsdmjXTWcpg@brightview.com...
> > Lohkee
> >
> > My understanding (over simplified) of the two processes is that :
> >
> >
> >
> > 1) A dictionary attack tries every word, number, or combination of such
> > (including symbols sometimes) to get the correct one. The system
requiring
> > the password, will allow the intruder in if the password is correct (if
> > there are no restrictions on the amount of attempts, or lockouts, etc).
> >
> > For example:
> >
> > Is "dog" correct -> no
> >
> > Is "cat" correct -> no
> >
> > Is "bird" correct -> no
> >
> > Is "nerd" correct -> yes...in you go.
> >
> > 2) A brute force attack has access to the password files whether they
are
> > the SAM, master.passwd , passwd, etc. files. Then a program like John
the
> > Ripper uses every possible character that can be produced on a keyboard,
> and
> > using the same hashing algorithms, and the same salt, (sounds like a
> cooking
> > class) for the system being penetrated, attempts to achieve the same
> RESULT
> > as the encrypted password in the file.
> >
> >
> >
> <cut>
> > Thanx
> >
> > JR
> >
>
> i believe its the other way round...
>
> Dictionary and incremental are run against a passwd file, by encrypting
the
> given string, then matching it to the cipher text. ie.
>
> password file entry = sDnTTgJfESd
> encrypt Dog = GGnJkIokOL .....> does it match the cypher text ? ......> no
> encrypt Cat = sDnTTgJfESd .....> does it match the cypher text ? ......>
yes
>
>
> Brute force is guessing, ie a webbased email account. Commonly used
> passphrases. etc.
>
> --
> Mimic
>
> "Without knowledge you have fear, with fear you create your own
nightmares"
> "There are only 10 types of people in the world. Those that understand
> Binary, and those that dont."
>
No its not the other way around. Your very words "Brute force is guessing,
ie a webbased email account. Commonly used passphrases. etc" imply the use
of a dictionary. Where else would the brute force program get "Commonly used
passphrases"?
I do "brute forcing" on a very regular basis, and
I CAN'T do it over a network, it's not guessing the password. I have to
unshadow the master.passwd file and combine it with the passwd file and run
the BF program against the resultant file, which can take from a few minutes
to an almost indefinite amount of time. There is no interaction with the
target other than stealing.......acquiring, the password files. (Actually I
do it for testing)
In reality (a novel concept sometimes), using "brute force" methods against
modern encryption and a good password, is useless now because of the
computing power required and the time involved - years.
Webbased email account cracking WAS normally dictionary based. A dictionary
attack only takes as long as the size of the dictionary (finite), plus the
time for the target to say yes or no.
I think that this whole topic, in some sense, really comes down to
interpretation and hair splitting. :-)
It would be nice if there was a truly authoritative definition of both.
JR