Re: Creating a Password

From: JR (contactjrnowSPAMFREE@hotmail.com)
Date: 02/10/03


From: "JR" <contactjrnowSPAMFREE@hotmail.com>
Date: Mon, 10 Feb 2003 08:54:14 -0500


"Mimic" <gn0rty@gn0rties.ville> wrote in message
news:Q-udnZJOFO3vsdmjXTWcpg@brightview.com...
> > Lohkee
> >
> > My understanding (over simplified) of the two processes is that :
> >
> >
> >
> > 1) A dictionary attack tries every word, number, or combination of such
> > (including symbols sometimes) to get the correct one. The system
requiring
> > the password, will allow the intruder in if the password is correct (if
> > there are no restrictions on the amount of attempts, or lockouts, etc).
> >
> > For example:
> >
> > Is "dog" correct -> no
> >
> > Is "cat" correct -> no
> >
> > Is "bird" correct -> no
> >
> > Is "nerd" correct -> yes...in you go.
> >
> > 2) A brute force attack has access to the password files whether they
are
> > the SAM, master.passwd , passwd, etc. files. Then a program like John
the
> > Ripper uses every possible character that can be produced on a keyboard,
> and
> > using the same hashing algorithms, and the same salt, (sounds like a
> cooking
> > class) for the system being penetrated, attempts to achieve the same
> RESULT
> > as the encrypted password in the file.
> >
> >
> >
> <cut>
> > Thanx
> >
> > JR
> >
>
> i believe its the other way round...
>
> Dictionary and incremental are run against a passwd file, by encrypting
the
> given string, then matching it to the cipher text. ie.
>
> password file entry = sDnTTgJfESd
> encrypt Dog = GGnJkIokOL .....> does it match the cypher text ? ......> no
> encrypt Cat = sDnTTgJfESd .....> does it match the cypher text ? ......>
yes
>
>
> Brute force is guessing, ie a webbased email account. Commonly used
> passphrases. etc.
>
> --
> Mimic
>
> "Without knowledge you have fear, with fear you create your own
nightmares"
> "There are only 10 types of people in the world. Those that understand
> Binary, and those that dont."
>
No its not the other way around. Your very words "Brute force is guessing,
ie a webbased email account. Commonly used passphrases. etc" imply the use
of a dictionary. Where else would the brute force program get "Commonly used
passphrases"?
I do "brute forcing" on a very regular basis, and
I CAN'T do it over a network, it's not guessing the password. I have to
unshadow the master.passwd file and combine it with the passwd file and run
the BF program against the resultant file, which can take from a few minutes
to an almost indefinite amount of time. There is no interaction with the
target other than stealing.......acquiring, the password files. (Actually I
do it for testing)
In reality (a novel concept sometimes), using "brute force" methods against
modern encryption and a good password, is useless now because of the
computing power required and the time involved - years.
Webbased email account cracking WAS normally dictionary based. A dictionary
attack only takes as long as the size of the dictionary (finite), plus the
time for the target to say yes or no.
I think that this whole topic, in some sense, really comes down to
interpretation and hair splitting. :-)
It would be nice if there was a truly authoritative definition of both.
JR



Relevant Pages

  • Re: Strong Passwords & Password Cracking (Final Version?)
    ... >> I would have to disagree with a number of your assumptions. ... >> or uses a common name. ... Strong passwords basically forces a brute force ... >> attack. ...
    (comp.security.misc)
  • Re: More on RC4/n
    ... >unreasonably long streams of RC4/5 in a couple hours and long streams ... >extending a current guess (gather.c was used to gather statistics on ... >2^^121 value guesses that standard brute force would require. ... >I don't know if this attack could be extended to RC4/6. ...
    (sci.crypt)
  • Re: Hacked Passwords
    ... But Windows authentication is quite venerable by now, and it's hard for me to imagine a new kind of attack against them. ... The main attack against Windows authentication isn't an exploit of any flaw in the cryptographic algorithm, but simple brute force guessing, comparison and retrying. ... take a significant amount of time to brute force crack [as long as they are not split into smaller 7-character LM Hash segments], and I believe it's prohibitively difficult for pre-compiled hash tables to scale up that high. ...
    (microsoft.public.security)
  • Re: Creating a Password
    ... >> 1) A dictionary attack tries every word, number, or combination of such ... > Brute force is guessing, ie a webbased email account. ... Commonly used passphrases. ...
    (microsoft.public.security)
  • Re: Password generator?
    ... Try teaching your users using "passphrases" - sentences that are actual passwords - using all kinds of characters like,.#! ...
    (microsoft.public.security)